Which approach involves reviewing code artifacts to identify security flaws without running the application?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

The key idea is identifying security flaws by examining the code and related artifacts without executing the program. Static Application Security Testing (SAST) does exactly that: it analyzes source code, binaries, and other build artifacts to spot common vulnerability patterns, insecure coding practices, and misconfigurations before the application runs. Because it needs no running system, it catches issues early in development and can be integrated into CI/CD pipelines to scan large codebases efficiently. In contrast, dynamic analysis tests the running application to observe its behavior, so it requires execution. Code review also involves inspecting the code for defects and security concerns, but it relies on manual human examination rather than automated analysis of artifacts. So, reviewing code artifacts without running the app is best described as Static Application Security Testing.
