A penetration tester reviews a scan report and identifies a deserialization vulnerability.

SAST is the most likely scan type because it analyzes source code, syntax, and coding patterns without executing the application. The question states that the finding is based on how a function from a Python library has been used in code, which is exactly the type of issue SAST tools are designed to detect. A deserialization weakness often appears when unsafe functions or insecure object handling are identified statically in the codebase. The statement that the scan does not consider actual input data further supports SAST, since static analysis usually flags risky usage patterns without observing live runtime behavior or real request flows. DAST focuses on behavior during execution from the outside, IAST observes the application during runtime, and SCA mainly identifies vulnerable third-party components rather than unsafe implementation logic in custom code.

==============