If you're hunting for low-hanging bugs in source code, grep and regex can help you to identify hotspots. For example, you might find basic reflected XSS (rXSS) in PHP with something like this:
grep -r "echo.*\$_\(GET\|REQUEST\|POST\)" .
Or to uncover potential SQL injection you could try:
grep -r 'SELECT.*\. \$' .
It will still take some manual work, but this can be a good way to focus your attention on the most obvious weak points.
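As an added example (not from the original post), the script below runs both patterns, written in equivalent extended-regex form, over constructed PHP files to show where the manual work comes in: one hit is already escaped, and two risky lines are never flagged. The file names, sample code and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: constructed PHP samples, not code from the original post.

# Same patterns as above, in -E form, limited to *.php and with line numbers.
scan_xss()  { grep -rnE --include='*.php' 'echo.*\$_(GET|REQUEST|POST)' "$1"; }
scan_sqli() { grep -rnE --include='*.php' 'SELECT.*\. \$' "$1"; }

# Write the constructed samples to a temp directory and print its path.
make_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/search.php" <<'EOF'
<?php
echo "Results for " . $_GET['q'];                // unescaped: real candidate
echo htmlspecialchars($_GET['q'], ENT_QUOTES);   // escaped: flagged anyway
$name = $_POST['name'];
echo "Hello " . $name;                           // indirect: not flagged
EOF
    cat > "$sample_dir/user.php" <<'EOF'
<?php
$q = "SELECT * FROM users WHERE id = " . $_GET['id'];    // concatenation: real candidate
$r = "SELECT * FROM users WHERE id = $id";               // interpolation: not flagged
$s = $pdo->prepare("SELECT * FROM users WHERE id = ?");  // parameterised: not flagged
EOF
    printf '%s\n' "$sample_dir"
}

demo_dir=$(make_samples)
echo "== reflected XSS candidates =="
scan_xss "$demo_dir"
echo "== SQL injection candidates =="
scan_sqli "$demo_dir"
rm -rf "$demo_dir"
```

The interpolated query and the echo of `$name` are the reason a clean grep result is not a clean bill of health: both carry request data but match neither pattern.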