27 Security/SAST Static Analysis Tools

Coverity

  • Type: cli

Synopsys Coverity supports 20 languages and over 70 frameworks, including Ruby on Rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C# and VB.NET.

InsiderSec

  • Type: cli
  • Stars: 158

An open-source Static Application Security Testing (SAST) tool written in Go for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and JavaScript (Node.js).

SensioLabs Insight

  • Type: service

Detects security risks, finds bugs and provides actionable metrics for PHP projects.

Oversecured

  • Type: cli

A mobile app vulnerability scanner designed for security researchers and bug bounty hunters. It can also be integrated into the DevOps process for businesses.

Application Inspector

  • Type: service

Commercial static code analysis that generates exploits to verify the vulnerabilities it reports.

Attackflow Extension

  • Type: ide-plugin

Attackflow plugin for Visual Studio, which enables developers to find critical security bugs in the source code in real time, without requiring prior security knowledge.

Code Intelligence

  • Type: service

CI/CD-agnostic DevSecOps platform that combines industry-leading fuzzing engines for finding bugs and visualizing code coverage.

CodePatrol

  • Type: service

Security-driven automated SAST code reviews; supports 15+ languages and includes security training.

CodeQL

  • Type: service
  • Type: ide-plugin

Deep code analysis: semantic queries and data-flow analysis for several languages, with VS Code plugin support.

Fortify

  • Type: ide-plugin

A commercial static analysis platform that supports scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VBScript, COBOL, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB and XML.

Gitleaks

  • Type: cli
  • Stars: 6790

A SAST tool for detecting hardcoded secrets such as passwords, API keys and tokens in git repositories.

iblessing

  • Type: cli
  • Stars: 221

iblessing is an iOS security and exploitation toolkit. It can be used for reverse engineering, binary analysis and vulnerability hunting.

LGTM.com

  • Type: service

Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.

njsscan

  • Type: cli
  • Stars: 97

A static application security testing (SAST) tool that finds insecure code patterns in Node.js applications, using the simple pattern matcher from libsast and the syntax-aware semantic code pattern search tool semgrep.

ocular

  • Type: service

Enables code auditors and security teams to interactively investigate their own code bases and find business logic flaws and technical vulnerabilities that traditional SAST tools cannot, by letting the analyst write custom queries. It can find hard-coded secrets, authentication issues and malicious code such as rootkits and backdoors.

Qualys Container Security

  • Type: service

Container native application protection to provide visibility and control of containerized applications.

Reshift

  • Type: service

A source code analysis tool for detecting and managing Java security vulnerabilities.

ShiftLeft

  • Type: service

Identifies vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws during development, such as hardcoded secrets and logic bombs.

Snyk

  • Type: service

Vulnerability scanner for the dependencies of Node.js apps (free for open source projects).

SmartDec Scanner

  • Type: cli

SAST tool capable of identifying vulnerabilities and undocumented features. The analyzer scans source code as well as executables without debug info (i.e. binaries). Supports: Java/Scala/Kotlin, PHP, C#, JavaScript, TypeScript, VBScript, HTML5, Python, Perl, C/C++, Objective-C/Swift, PL/SQL, T-SQL, ABAP, 1C, Apex, Go, Ruby, Groovy, Delphi, VBA, Visual Basic 6, Solidity, Vyper and COBOL.

SonarCloud

  • Type: service

Multi-language, cloud-based static code analysis. History, trends, security hotspots, pull request analysis and more. Free for open source.

tfsec

  • Type: cli
  • Stars: 1975

Terraform static analysis tool that prevents potential security issues by checking for cloud misconfigurations at build time; it integrates directly with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best-practice recommendations.

Veracode

  • Type: cli

Finds flaws in binaries and bytecode without requiring source. Supports all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.

Deprecated/unmaintained tools

QuantifiedCode

  • Type: service
  • Stars: 105

Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses.
