Static Code Analysis

checkmarx-CxSAST: Android, Apex, ASP.NET, C#, C++, Go, Groovy, HTML5, Java, JavaScript, JSP, .NET, Objective-C, Perl, PHP, PL/SQL, Python, Ruby, Scala, Swift, TypeScript, VB.NET, Visual Basic 6, Windows Phone.

.NET Security Guard: Detects various security vulnerability patterns: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), etc.

APIsecurity.io Security Audit: online tool for OpenAPI / Swagger file static security analysis.

Agnitio: ASP, ASP.NET, C#, Java, JavaScript, Perl, PHP, Python, Ruby, VB.NET, XML.

Bandit: Bandit is a tool designed to find common security issues in Python code.

CodeSec: C, C++, C#, Java, JavaScript, PHP, Kotlin, Lua, Scala, TypeScript, Android.

CodeSonar: C, C++, Java

Coverity: Android, C#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET.

Dawnscanner: Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.

Deep Dive: Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR).

DevBug: PHP

Enlightn: Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities.

Find Security Bugs: Java, Scala, Groovy

FindBugs: Find bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead].

FindSecBugs: A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.

Flawfinder: Scans C and C++.

GolangCI-Lint: A Go linters aggregator. One of the bundled linters is gosec (Go Security), which is off by default but can easily be enabled.

Graudit: Scans multiple languages for various security flaws. Essentially a security-enhanced grep for source code.

./graudit -A /src/php/app

HCL AppScan CodeSweep: This is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, its type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX and a few more.

HCL AppScan Source: Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6.

HCL AppScan on Cloud: Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (client-side JavaScript, NodeJS, and AngularJS), Kotlin, .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6.

Horusec: Python (3.x), Ruby, JavaScript, Go, .NET Core (3.x), Java, Kotlin, Terraform.

HuskyCI: HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java (SpotBugs plus Find Sec Bugs).

Insider CLI: An open source Static Application Security Testing (SAST) tool written in Go for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).

OWASP ASST (Automated Software Security Toolkit): An open source source-code scanning tool, developed in JavaScript (Node.js). It scans PHP and MySQL code for security vulnerabilities according to the OWASP Top 10 and some other well-known OWASP vulnerability categories, and it teaches developers how to secure their code after the scan.

OWASP Code Crawler: .NET, Java

OWASP LAPSE Project: Java

OWASP Orizon Project: Java

PMD: PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues).

PVS-Studio: C, C++, C#.

ParaSoft: C, C++, Java, .NET.

Polyspace Static Analysis: C, C++, Ada.

Progpilot: Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.

Security Code Scan: Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.

Semgrep: Lightweight static analysis for many languages. Finds bug variants with patterns that look like source code; no compilation is needed to scan. Supports Go, Java, JavaScript, JSON, Python, TypeScript, and more.

ShiftLeft Scan: A free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline.

VisualCodeGrepper: C/C++, C#, VB, PHP, Java, PL/SQL

phpcs-security-audit: A set of PHP_CodeSniffer rules to find security-related flaws or weaknesses in PHP and its popular CMSs or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.

OWASP WAP (Web Application Protection): PHP

Fortify-SCA: Build secure software fast. Find security issues early and fix at the speed of DevOps.

CodeChecker: C/C++

phpcodeanalysis: another PHP analyzer.

phpstan: PHP Static Analysis Tool - discover bugs in your code without running it!

Example invocations of several of the tools listed above, each run against a sample PHP project directory (better-search):

./phpstan.phar analyze better-search/
./scan -i better-search/
./graudit -A ../better-search/
./phpcs --extensions=php ../../better-search/
./semgrep-core -lang php -e '$X == $X' ../better-search/
java -jar wap.jar -p ../better-search -all
