Static Application Security Testing (SAST) tools exhibit low adoption and unverified effectiveness and usability in open-source embedded software (e.g., EMBOSS). Method: This work presents the first systematic evaluation of CodeQL’s practical utility in the embedded ecosystem, conducting large-scale CodeQL scanning across 258 mainstream embedded projects. The study integrates vulnerability pattern modeling, CI/CD pipeline integration, and developer surveys to assess barriers and enablers of SAST adoption. Contribution/Results: It reveals severe underutilization of SAST in embedded development and successfully deploys automated detection pipelines in 71% of target repositories. The analysis identifies 709 real defects (34% false-positive rate), of which 535 pose potential security risks; 376 were confirmed and fixed by developers, yielding two assigned CVEs. This work establishes a methodological framework and empirical benchmark for SAST adoption in embedded systems.

In this experience paper, we report on a large-scale empirical study of Static Application Security Testing (SAST) in Open-Source Embedded Software (EMBOSS) repositories. We collected a corpus of 258 of the most popular EMBOSS projects, and then measured their use of SAST tools via program analysis and a survey (N=25) of their developers. Advanced SAST tools are rarely used -- only 3% of projects go beyond trivial compiler analyses. Developers cited the perception of ineffectiveness and false positives as reasons for limited adoption. Motivated by this deficit, we applied the state-of-the-art (SOTA) CodeQL SAST tool and measured its ease of use and actual effectiveness. Across the 258 projects, CodeQL reported 709 true defects with a false positive rate of 34%. There were 535 (75%) likely security vulnerabilities, including in major projects maintained by Microsoft, Amazon, and the Apache Foundation. EMBOSS engineers have confirmed 376 (53%) of these defects, mainly by accepting our pull requests. Two CVEs were issued. Based on these results, we proposed pull requests to include our workflows as part of EMBOSS Continuous Integration (CI) pipelines, 37 (71% of active repositories) of these are already merged. In summary, we urge EMBOSS engineers to adopt the current generation of SAST tools, which offer low false positive rates and are effective at finding security-relevant defects.