Comment on page
Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.
python3 -m pip install semgrep
Add to path in zsh:
path+=('/home/kali/.local/bin') export PATH
semgrep --config auto badcode.php