APIsecurity.io Security Audit: online tool for OpenAPI / Swagger file static security analysis.
Bandit: Bandit is a tool designed to find common security issues in Python code.
CodeSonar: C, C++, Java
Dawnscanner: Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.
Deep Dive: Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR).
Enlightn: Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities.
Find Security Bugs: Java, Scala, Groovy
FindBugs: Find bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead].
FindSecBugs: A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
Flawfinder: Scans C and C++.
Graudit: Scans multiple languages for various security flaws. Essentially a security-enhanced code grep.
./graudit -A /src/php/app
HCL AppScan CodeSweep: This is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, its type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX and a few more.
OWASP Code Crawler: .NET, JAVA
OWASP LAPSE Project: JAVA
OWASP Orizon Project: JAVA
PMD: PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues).
PVS-Studio: C, C++, C#.
ParaSoft: C, C++, Java, .NET.
Polyspace Static Analysis: C, C++, Ada.
Progpilot: Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
Security Code Scan: Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
ShiftLeft Scan: A free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline.
VisualCodeGrepper: C/C++, C#, VB, PHP, Java, PL/SQL
phpcs-security-audit: A set of PHP_CodeSniffer rules to find flaws or weaknesses related to security in PHP and its popular CMSs or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
Fortify-SCA: Build secure software fast. Find security issues early and fix at the speed of DevOps.
phpcodeanalysis: Another PHP analyzer.
phpstan: PHP Static Analysis Tool - discover bugs in your code without running it!
./phpstan.phar analyze --paths-file= better-search/
./scan -i better-search/
./graudit -A ../better-search/
./phpcs --extensions=php ../../better-search/
./semgrep-core -lang php -e '$X == $X' ../better-search/
java -jar wap.jar -p ../better-search -all