Limitations of SAST
Requires access to source code
If the source code is not available, static application security testing cannot be carried out.
Will not uncover issues related to operational deployment
Issues are often tied to the operational state of an application. Static tools cannot uncover such issues.
Large number of false positives
Issues are often reported, or problems with the logical flow are indicated, even though the developer may have made a deliberate, cautious decision to structure the program that way.
Not effective at detecting configuration-related issues
Static tools do a good job of uncovering many vulnerabilities, but a large number of vulnerabilities still remain hidden.
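
The false-positive limitation above, shown with an added example (not from the original page and not the logic of any real SAST product): a toy pattern-based checker that flags dynamically built SQL passed to execute(). The sample functions and the names scan and is_dynamic_string are constructed for illustration; the checker reports the real injection and also the allowlist-guarded query the developer structured deliberately.

```python
import ast

# Constructed sample: two functions a pattern-based checker cannot tell apart.
SAMPLE = '''
ALLOWED_TABLES = {"users", "orders"}

def search(cur, name):
    # Untrusted input concatenated into SQL: a real injection risk.
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def count_rows(cur, table):
    # Identifier checked against a fixed allowlist before use.
    if table not in ALLOWED_TABLES:
        raise ValueError(table)
    cur.execute("SELECT COUNT(*) FROM " + table)

def by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

def is_dynamic_string(node):
    """True for string concatenation, %-formatting, f-strings or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def scan(source):
    """Return (function, line) for each execute() whose query is built dynamically."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "execute" and call.args
                    and is_dynamic_string(call.args[0])):
                findings.append((func.name, call.lineno))
    return findings

if __name__ == "__main__":
    for name, line in scan(SAMPLE):
        print(f"line {line}: dynamic SQL passed to execute() in {name}()")
```

The finding in count_rows() is the kind a reviewer has to triage by hand: the syntactic pattern matches, but the guard two lines earlier is invisible to a check that does not follow data flow.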