
Best 21 Security static analysis tools

14

brakeman

  • Type: cli

A static analysis security vulnerability scanner for Ruby on Rails applications.

11

Coverity

  • Type: cli

Synopsys Coverity supports 20 languages and over 70 frameworks, including Ruby on Rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C# and VB.NET.

6

InsiderSec

  • Type: cli

An open source Static Application Security Testing (SAST) tool written in Go for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and JavaScript (Node.js).

5

Fortify

  • Type: ide-plugin

A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML.

3

SensioLabs Insight

  • Type: service

Detect security risks, find bugs and provide actionable metrics for PHP projects.

1

Oversecured

  • Type: cli

A mobile app vulnerability scanner, designed for security researchers and bug bounty hackers. It also allows integrations into the DevOps process for businesses.

1

Snyk

  • Type: service

Vulnerability scanner for the dependencies of Node.js apps (free for open source projects).

0

Application Inspector

  • Type: service

Commercial Static Code Analysis which generates exploits to verify vulnerabilities.

0

Attackflow Extension

  • Type: ide-plugin

Attackflow plugin for Visual Studio, which enables developers to find critical security bugs in the source code in real time without any prior security knowledge.

0

CodePatrol

  • Type: service

Automated SAST code reviews driven by security, supports 15+ languages and includes security training.

0

Gitleaks

  • Type: cli

A SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos.
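Secret scanners of this kind combine signature regexes for well-known token formats with an entropy check for generic `password =` / `api_key =` assignments, so that low-entropy placeholders are not reported. The script below is an added example illustrating that approach; it is not Gitleaks' own code or rule set. The rules, thresholds and sample input are constructed for this illustration (the AWS-style key is the documentation example value, the GitHub-style token is a made-up string of the right shape, none are real credentials).

```python
import math
import re
from typing import List, Tuple

# Simplified signature rules, constructed for this example (not Gitleaks' rules).
# Specific formats come first; the generic assignment rule runs last so that
# a value already caught by a specific rule is not reported twice.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/_\-=]{12,})"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; tuned by hand for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only the edges of a secret so reports do not leak it again."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (rule name, secret) pairs found on one line."""
    findings = []
    seen_values = set()
    for name, rx in RULES.items():
        for m in rx.finditer(line):
            if name == "generic-assignment":
                value = m.group(1)
                # Already reported by a specific rule on this line.
                if value in seen_values:
                    continue
                # Generic assignments match placeholders like "changeme_please";
                # only report values that look random enough to be real secrets.
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            else:
                value = m.group(0)
            seen_values.add(value)
            findings.append((name, value))
    return findings


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Scan a blob of text (a file or a diff) and return (line, rule, redacted secret)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, secret in scan_line(line):
            results.append((lineno, rule, redact(secret)))
    return results


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed sample config; placeholder and documentation values only
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changeme_please"
API_KEY = "q7Xp2vL9kRd4mN1sWb6tY"
token: ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, redacted in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {redacted}")
```

Note that the low-entropy `password = "changeme_please"` line is deliberately not reported, while the random-looking `API_KEY` value is; in a real tool this threshold is the main knob between missed secrets and noisy reports, and scanning commit history rather than only the working tree is what catches secrets that were committed and later "removed".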

0

iblessing

  • Type: cli

iblessing is an iOS security exploitation toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining.

0

LGTM.com

  • Type: service

Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.

0

Qualys Container Security

  • Type: service

Container native application protection to provide visibility and control of containerized applications.

0

Reshift

  • Type: service

A source code analysis tool for detecting and managing Java security vulnerabilities.

0

SmartDec Scanner

  • Type: cli

SAST tool which is capable of identifying vulnerabilities and undocumented features. The analyzer scans the source code and executables without debug info (i.e. binaries). Supports: Java/Scala/Kotlin, PHP, C#, JavaScript, TypeScript, VBScript, HTML5, Python, Perl, C/C++, Objective-C/Swift, PL/SQL, T-SQL, ABAP, 1C, Apex, Go, Ruby, Groovy, Delphi, VBA, Visual Basic 6, Solidity, Vyper, COBOL.

0

SonarCloud

  • Type: service

Multi-language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.

0

Veracode

  • Type: cli

Finds flaws in binaries and bytecode without requiring source. Supports all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more.

Deprecated/unmaintained tools

0

QuantifiedCode

  • Type: service

Automated code review & repair. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses.
