
SAST Code Verification

Source code analysis tools, also known as static application security testing (SAST) tools, can help analyze source code or compiled versions of code to identify security flaws. SAST tools can scale to analyze large amounts of code, identify well-known vulnerabilities like buffer overflows and SQL injection flaws, and provide code-level detail on issues. However, SAST tools also have weaknesses like difficulty finding certain types of vulnerabilities, producing false positives, inability to analyze code that can't be compiled, and limitations in understanding libraries and frameworks. Important criteria for selecting a SAST tool include what programming languages it supports, what vulnerabilities it can detect, accuracy rates, ability to understand required libraries, and integration with development workflows.

Uploaded by nntshali17

Source Code Analysis Tools

Contributor(s): Dave Wichers, itamarlavender, will-obrien, Eitan Worcel, Prabhu Subramanian, kingthorin, coadaflorin,
hblankenship, GovorovViva64, pfhorman, GouveaHeitor, Clint Gibler, DSotnikov, Ajin Abraham, Noam Rathaus, Mike
Jang

Source code analysis tools, also known as Static Application Security Testing (SAST) tools,
analyze source code or compiled versions of code to find security flaws.

SAST tools can be integrated into your IDE, where they detect issues during software
development. Feedback at that stage saves time and effort compared with finding the same
vulnerabilities later in the development cycle.

Strengths and Weaknesses

Strengths

- Scales well – can be run on lots of software, and can be run repeatedly (as with
  nightly builds or continuous integration).
- Identifies certain well-known vulnerabilities, such as:
  - Buffer overflows
  - SQL injection flaws
- Output helps developers, as SAST tools highlight the problematic code by filename,
  location, line number, and even the affected code snippet.

Weaknesses

- Difficult to automate searches for many types of security vulnerabilities, including:
  - Authentication problems
  - Access control issues
  - Insecure use of cryptography
- Current SAST tools are limited. They can automatically identify only a relatively
  small percentage of application security flaws.
- High numbers of false positives.
- Frequently unable to find configuration issues, since they are not represented in the
  code.
- Difficult to ‘prove’ that an identified security issue is an actual vulnerability.
- Many SAST tools have difficulty analyzing code that can’t be compiled.
  - Analysts frequently cannot compile code unless they have:
    - Correct libraries
    - Compilation instructions
    - All required code
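To make the strengths and weaknesses above concrete, here is a minimal SAST rule written for this page as an added example (it is not the code of any tool listed below). It walks a Python AST and reports calls to cursor.execute()/executemany() whose SQL text is assembled at runtime, the pattern behind SQL injection. The sample source is constructed for the demo; it also shows two of the limits listed under Weaknesses: a query built only from constants that the rule still flags (a false positive the analyst must then disprove), and a missing authorization check that no syntactic rule can see.

```python
"""Minimal SAST-style check built on Python's own `ast` module.

Added example for this page; not the code of any listed tool.
Reports execute()/executemany() calls whose first argument is built at
runtime by concatenation, %-formatting, str.format or an f-string."""
import ast

# Constructed sample input: three dynamic queries (two real, one false
# positive), one parameterised query, and one access-control flaw.
SAMPLE_SOURCE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def find_by_id(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

def find_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def list_table(cursor):
    table = "users"
    cursor.execute("SELECT * FROM " + table)   # constant parts only: false positive

def delete_user(cursor, caller, user_id):
    # No check that `caller` may delete: an access control flaw, invisible here.
    cursor.execute("DELETE FROM users WHERE id = %s", (user_id,))
'''

SINKS = {"execute", "executemany"}   # hypothetical sink list for the demo
RULE_ID = "SQLI-001"                 # hypothetical rule id


def _is_dynamic_string(node):
    """True if the expression assembles a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + b, "%s" % x
    if isinstance(node, ast.Call):                            # "...".format(x)
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    return False


def scan(source, filename="<sample>"):
    """Return findings as (filename, line, rule_id, message), sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SINKS):
            continue
        if node.args and _is_dynamic_string(node.args[0]):
            findings.append((filename, node.lineno, RULE_ID,
                             "SQL statement built from a dynamic string; "
                             "pass parameters separately instead"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for path, line, rule, message in scan(SAMPLE_SOURCE):
        print(f"{path}:{line}: {rule}: {message}")
```

Run against the sample it reports lines 3, 6 and 13; line 13 is the false positive (only constants were joined), and line 17 is never reported because the rule has no notion of who is allowed to call delete_user. Real tools add data-flow tracking to cut the first problem down; the second stays outside what pattern-based SAST can decide.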

Important Selection Criteria

- Prerequisite: support for your programming language.
- Ability to detect vulnerabilities, based on:
  - The OWASP Top Ten
  - Other criteria such as:
    - OSSTMM
    - CHECK
- Accuracy:
  - False positive/false negative rates
  - OWASP Benchmark score
- Ability to understand the libraries/frameworks you need
- Requirement for buildable source code
- Ability to run against binaries (instead of source)
- Availability as a plugin for preferred developer IDEs
- Ease of setup/use
- Ability to include in Continuous Integration/Deployment tools
- License cost (may vary by user, organization, app, or lines of code)
- Interoperability of output:
  - See OASIS SARIF (Static Analysis Results Interchange Format)
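The SARIF criterion is what lets findings from several tools land in one CI gate. The script below is an added example, not OWASP's or any vendor's code; it reads a SARIF 2.1.0 log that is constructed by hand for the demo (the tool names, rule ids, messages and file paths in it are invented), flattens results across runs, resolves each result's level the way the SARIF specification does when a result omits it, and decides whether the build should fail.

```python
"""Read a SARIF 2.1.0 log and turn it into a CI pass/fail decision.

Added example for this page; the SARIF document is constructed inline and
every tool name, rule id and path in it is made up for the demo."""
import json
from collections import Counter

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [
        {   # run 1: a scanner that declares its rules with default levels
            "tool": {"driver": {
                "name": "demo-scanner-a",
                "rules": [
                    {"id": "SQLI-001",
                     "shortDescription": {"text": "SQL built from untrusted input"},
                     "defaultConfiguration": {"level": "error"}},
                    {"id": "HARDCODED-KEY",
                     "shortDescription": {"text": "Hard-coded credential"},
                     "defaultConfiguration": {"level": "warning"}},
                ]}},
            "results": [
                {"ruleId": "SQLI-001",                 # no level: inherit "error"
                 "message": {"text": "query built with + on line 3"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/db.py"},
                     "region": {"startLine": 3}}}]},
                {"ruleId": "HARDCODED-KEY", "level": "note",   # explicit override
                 "message": {"text": "AWS key in config"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/settings.py"},
                     "region": {"startLine": 12}}}]},
            ],
        },
        {   # run 2: a second tool with no rule metadata at all
            "tool": {"driver": {"name": "demo-scanner-b", "rules": []}},
            "results": [
                {"ruleId": "XSS-7", "level": "error",
                 "message": {"text": "unescaped output"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/views.py"},
                     "region": {"startLine": 40}}}]},
            ],
        },
    ],
})


def load_findings(sarif_text):
    """Flatten every run into (tool, rule, level, uri, line, text) tuples.

    A result may omit "level"; the rule's defaultConfiguration.level then
    applies, and if that is absent too the SARIF default is "warning"."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = res.get("ruleId", "<none>")
            level = res.get("level") or rule_levels.get(rule, "warning")
            uri, line = "<unknown>", 0
            locs = res.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", line)
            out.append((driver["name"], rule, level, uri, line, res["message"]["text"]))
    return out


def gate(findings, fail_on=("error",)):
    """CI policy: count findings per level and say whether the build should fail."""
    counts = Counter(f[2] for f in findings)
    return counts, any(counts[lvl] for lvl in fail_on)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_SARIF)
    for tool, rule, level, uri, line, text in findings:
        print(f"{level:7} {uri}:{line} [{tool}/{rule}] {text}")
    counts, failed = gate(findings)
    print(dict(counts), "FAIL" if failed else "PASS")
```

Because both runs are read the same way, adding a third tool to the pipeline is a matter of appending its SARIF file; the level-resolution step is what keeps a tool that leaves "level" off its results from silently passing the gate.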

Disclaimer
The tools listed in the tables below are presented in alphabetical order. OWASP does not
endorse any of the vendors or tools by listing them in the table below. We have made every
effort to provide this information as accurately as possible. If you are the vendor of a
tool below and think that this information is incomplete or incorrect, please send an e-
mail to our mailing list and we will make every effort to correct this information.

Name/Link | Owner | License | Platforms | Note
.NET Security Guard | | Open Source or Free | .NET, C#, VB.net |
42Crunch | | Commercial | | REST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring.
Agnitio | | Open Source or Free | Windows | ASP, ASP.NET, C#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML
APIsecurity.io Security Audit | | Open Source or Free | | Online tool for OpenAPI / Swagger file static security analysis.
Application Inspector | Positive Technologies | Commercial | | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
AppSweep | Guardsquare | Open Source or Free | SaaS | Mobile application security testing tool for compiled Android apps with support of CI/CD integration.
Bandit | | Open Source or Free | | Bandit is a comprehensive source vulnerability scanner for Python.
Bearer | Bearer | Commercial | SaaS or On-Premises | Map sensitive data flows and identify security risks such as unauthorized data flow, missing encryption, unauthorized access, and more.
Betterscan CE (Community Edition) | Marcin Kozlowski | Open Source | | Code Scanning/SAST/Static Analysis/Linting using many tools/scanners with one report. Currently supports: PHP, Java, Scala, Python, Ruby, Javascript, GO, Secret Scanning, Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 1000 checks). Also supports differential analysis. Goal is to have one report using many tools/scanners.
Beyond Security beSOURCE | Beyond Security | Commercial | | Static application security testing (SAST) used to be divorced from code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps.
BlueClosure BC Detect | BlueClosure | Commercial | | Analyzes client-side JavaScript.
Brakeman | | Open Source or Free | | Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications.
bugScout | Nalbatech, formerly Buguroo | Commercial | |
CAST AIP | | Commercial | | Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP's security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards).
clj-holmes | clj-holmes | Open Source | Linux and MacOs | A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
CloudDefense | CloudDefense | Commercial | SaaS or On-Premises | CloudDefense provides holistic threat intelligence across all attack surfaces - Containers, Kubernetes, Code, Open Source Libraries, APIs and more.
Codacy | | Commercial | | Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (Free for open source projects.)
CodeScan Cloud | | Commercial | | A Salesforce-focused SaaS code quality tool leveraging SonarQube's OWASP security hotspots to give security visibility on Apex, Visualforce, and Lightning proprietary languages.
CodeSonar | GrammaTech | Commercial | | Tool that supports C, C++, Java and C# and maps against the OWASP Top 10 vulnerabilities.
Codiga | Codiga | Commercial | SaaS or On-Premises | Codiga scans your code and finds security, safety, design, performance and maintainability issues at each push or pull request. It integrates with GitHub, GitLab and Bitbucket.
CoGuard | Heinle Solutions Inc. | Commercial | SaaS or On-Premises | A SAST tool for infrastructure configuration analysis. Support for common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools.
Contrast Assess | | Commercial | | Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without relying on static analysis.
Coverity Static Analysis | Synopsys | Commercial | Apex, C/C++, C#, CUDA, Java, JavaScript, PHP, Python, .NET Core, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, iOS, Android, TypeScript, Kotlin |
CxSAST | Checkmarx | Commercial | SaaS, or on-premises. Windows and Linux with CI/CD and IDE plugin integration | Run full or incremental source code security scans. Supported languages include Javascript, Java, Apex, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C++, C#.NET, PL/SQL, VB.NET, ASP.NET, HTML 5, Windows Mobile, Go, and Kotlin.
Dawnscanner | | Open Source or Free | | Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.
Deep Dive | | Open Source or Free | | Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR).
DeepSource | DeepSource Corp. | Commercial | SaaS or On-Premises | DeepSource helps companies ship clean and secure code with powerful static analysis, OWASP Top 10 compliance, and Autofix. Supports all major programming languages.
DerScanner | DerScanner Ltd. | Commercial | | Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info.
DevBug | | Open Source or Free | Web Based | PHP
ECG | VoidSec | Commercial | SaaS | TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source code. Discovered vulnerabilities will be mapped against the OWASP Top 10 vulnerabilities.
Enlightn | Enlightn Software | Open Source | | Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities.
Find Security Bugs | | Open Source or Free | Java, Scala, Groovy |
FindBugs | | Open Source or Free | | Find bugs (including a few security flaws) in Java programs. [Legacy - NOT maintained - use SpotBugs (see other entry) instead]
FindSecBugs | | Open Source or Free | | A security-specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
Flawfinder | | Open Source or Free | | Scans C and C++.
Fluid Attack's Scanner | Fluid Attacks | Open Source | | SAST, DAST and SCA vulnerability detection tool with perfect OWASP Benchmark score.
Fortify | Micro Focus | Commercial | Windows, Linux, and MacOSX | Free trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML
GitGuardian Automated Secrets Detection | | Commercial | SaaS or On-Premises | Secure your software development with automated secrets detection & remediation for private or public source code.
GitHub Advanced Security | GitHub | Open Source or Free | SaaS or On-Premises | GitHub Advanced Security uses CodeQL for Static Code Analysis, and GitHub Secret Scanning for identifying tokens. GitHub code scanning can import SARIF from any other SAST tool.
GitLab | GitLab | Commercial | SaaS, Linux, Windows |
GolangCI-Lint | | Open Source or Free | | A Go linters aggregator - one of the linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled.
Google CodeSearch Diggity | | Open Source or Free | | Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. *Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.*
Graudit | | Open Source or Free | Linux | Scans multiple languages for various security flaws. Basically security-enhanced code grep.
HCL AppScan CodeSweep - GitHub Action | HCL Software | Open Source or Free | | Scan the new code on a push/pull request using a GitHub action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, JQuery, etc), PHP, Perl, COBOL, APEX & a few more.
HCL AppScan CodeSweep - IDE | HCL Software | Open Source or Free | | This is the first Community edition version of AppScan. It is delivered as a VS Code [https://hclsw.co/codesweep] and JetBrains [https://hclsw.co/codesweep-jetbrains] (IntelliJ IDEA, CLion, GoLand, PhpStorm, PyCharm, Rider, RubyMine, WebStorm) plugin and scans files upon saving them. The results show the location of a finding, type and remediation advice. The tool currently supports Java, .Net, Go, Python, Ruby, JS (Node, Angular, JQuery, etc), PHP, Perl, COBOL, APEX & a few more. Auto-fix for some of the issues is available with a free trial.
HCL AppScan on Cloud | HCL Software | Open Source or Free | Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6 |
HCL AppScan Source | HCL Software | Commercial | Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6 |
Hdiv Detection | Hdiv Security | Commercial | | Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without relying on static analysis.
Horusec | | Open Source or Free | C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx, Swift |
HuskyCI | | Open Source or Free | | HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java (SpotBugs plus Find Sec Bugs).
Insider CLI | InsiderSec | Open Source or Free | | An open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Kiuwan | a division of Idera, Inc. | Commercial | | Provides an application security testing and analytics platform – including SAST and SCA solutions – that reduces risk and improves change management and DevOps processes.
Klocwork | Perforce | Commercial | | Static Code Analysis for C, C++, C#, Java, JavaScript, Python, Kotlin.
Kroogal | | Commercial | C, C++ |
LGTM | | Open Source or Free | | A free-for-open-source static analysis service that automatically monitors commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, Go, Java, JavaScript/TypeScript, Python.
Mend SAST | Mend | Commercial | | Static security analysis for 27+ languages.
Microsoft FxCop | | Open Source or Free | .NET |
Microsoft PREFast | | Open Source or Free | C, C++ |
MobSF | | Open Source or Free | | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
MobSF | | Open Source or Free | Windows, Unix | Android Java, Objective C, Swift
NextGen Static Analysis | ShiftLeft | Commercial | SaaS | Free version available. Currently supports Java, JavaScript, C#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register.
nodejsscan | | Open Source or Free | Unix | Node.js
Nucleaus Core | Nucleaus | Commercial | SaaS | Scans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns, vulnerability exception lifecycle, and is built on API-first principles.
Offensive360 | | Commercial | | SAST technology that attacks the source code from all corners; all in one: malware, SCA, license, and deep source code analysis.
Oversecured | Oversecured Inc | Commercial | iOS, Android | Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process.
OWASP ASST (Automated Software & Security Toolkit) | Tarik Seyceri & OWASP | Open Source or Free | Ubuntu, MacOSX and Windows | An open source, source code scanning tool developed with JavaScript (Node.js framework). Scans for PHP & MySQL security vulnerabilities according to the OWASP Top 10 and some other well-known OWASP vulnerabilities, and it teaches developers how to secure their code after the scan.
OWASP Code Crawler | OWASP | Open Source | .NET, Java |
OWASP LAPSE Project | OWASP | Open Source | Java |
OWASP Orizon Project | OWASP | Open Source | Java |
OWASP WAP (Web Application Protection) | OWASP | Open Source | PHP |
ParaSoft | | Open Source or Free | C, C++, Java, .NET |
Parasoft Test | Parasoft | Commercial | | Test tools for C/C++, .NET, Java.
phpcs-security-audit | | Open Source or Free | | A set of PHP_CodeSniffer rules to find flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
PITSS.CON | PITTS | Commercial | | Scans Oracle Forms and Reports applications.
PMD | | Open Source or Free | | PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues).
Polyspace Static Analysis Tools | | Commercial | C, C++, Ada |
PreFast | Microsoft | Open Source or Free | | PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
Progpilot | | Open Source or Free | | Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL injection.
Psalm | Vimeo, Inc. | Open Source | | Static code analysis for PHP projects, written in PHP.
PT Application Inspector | Positive Technologies | Commercial | | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
Puma Scan | Puma Security | Commercial | | A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
Puma Scan Professional | | Open Source or Free | .NET, C# |
PVS-Studio | | Open Source or Free | C, C++, C# |
PVS-Studio Analyzer | PVS-Studio | Commercial | | Static code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/).
Pyre | | Open Source or Free | | A performant type-checker for Python 3 that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities.
reshift | | Commercial | | A CI/CD static code security analysis tool for Java that uses machine learning to give a prediction on false positives.
SecureAssist | Synopsys | Commercial | | Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript.
Security Code Scan | | Open Source or Free | | Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weaknesses, XSS and more.
Seeker | Synopsys | Commercial | | Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code-level results without relying on static analysis.
Semgrep | | Open Source or Free | | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON, Python, TypeScript, and more.
Sentinel Source | Whitehat | Commercial | | Static security analysis for 10+ languages.
ShiftLeft Scan | | Open Source or Free | | A free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline.
Sink Tank | | Open Source or Free | | Java byte code static code analyzer for performing source/sink (taint) analysis.
Snyk | Snyk | Commercial or Limited Free | SaaS, IDE Plugin | Find, learn and fix vulnerabilities in open source dependencies, in your application code, in container images or insecure configurations in Terraform and Kubernetes.
SonarCloud | | Open Source or Free | ABAP, C, C++, Objective-C, COBOL, C#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML |
SonarQube | | Open Source or Free | | Scans source code for 15 languages for bugs, vulnerabilities, and code smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ are provided by [SonarLint](https://www.sonarlint.org/).
Spectral | Spectral Ops | Open Source or Free | Multi-platform & multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnostic | Discover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more.
Splint | | Open Source or Free | C |
SpotBugs | | Open Source or Free | | Java. This is the active fork replacement for FindBugs, which is not maintained anymore. Very little security. FindSecBugs plugin provides security rules.
Static Reviewer | Security Reviewer | Commercial | Windows and Linux; on-premises and in cloud; desktop, CLI and CI/CD & IDE plugin integration | Static Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules.
Veracode | | Open Source or Free | Android, ASP.NET, C#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin |
Veracode Static Analysis | Veracode | Commercial | |
VisualCodeGrepper | | Open Source or Free | Windows | C/C++, C#, VB, PHP, Java, PL/SQL
VisualCodeGrepper (VCG) | | Open Source or Free | | Scans C/C++, C#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
VS Code OpenAPI (Swagger) Editor extension | | Open Source or Free | | Plugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis).
Xanitizer | Xanitizer | Commercial | CLI and plugin integration | A SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per its pricing page, it is free for open source projects if you contact the vendor.
