├── .gitignore
├── sast-tools.md
├── contributing.md
├── code-of-conduct.md
├── LICENSE
├── static-application-security-testing.md
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app
--------------------------------------------------------------------------------
/sast-tools.md:
--------------------------------------------------------------------------------
## Top Modern SAST Tools

SAST tools catch bugs and vulnerabilities in your application, with thousands of automated static code analysis rules.

- [Amazon CodeGuru](https://aws.amazon.com/codeguru/)
- [SonarQube](https://www.sonarsource.com/solutions/security/)
- [Checkmarx](https://checkmarx.com/cxsast-source-code-scanning/)
- [Snyk](https://snyk.io/)
- [Snyk Code](https://snyk.io/product/snyk-code/)
--------------------------------------------------------------------------------
/contributing.md:
--------------------------------------------------------------------------------
# Contribution

This project welcomes contributions from the community. All contributions to this repository must be
signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on
as an open-source patch.

## Contribution Flow

This is a rough outline of what a contributor's workflow looks like:

- Create a topic branch from where you want to base your work
- Make commits of logical units
- Make sure your commit messages are in the proper format (see below)
- Push your changes to a topic branch in your fork of the repository
- Submit a pull request

Example:

``` shell
git remote add upstream https://github.com/paulveillard/
git checkout -b my-new-feature master
git commit -a
git push origin my-new-feature
```

### Staying In Sync With Upstream

When your branch gets out of sync with the paulveillard/master branch, use the following to update:

``` shell
git checkout my-new-feature
git fetch --all          # fetch every remote (the original "-a" means --append, not --all)
git pull --rebase upstream master
git push --force-with-lease origin my-new-feature
```

### Updating pull requests

If your PR fails to pass CI or needs changes based on code review, you'll most likely want to squash these changes into
existing commits.

If your pull request contains a single commit or your changes are related to the most recent commit, you can simply
amend the commit.

``` shell
git add .
git commit --amend
git push --force-with-lease origin my-new-feature
```

If you need to squash changes into an earlier commit, you can use:

``` shell
git add .
git commit --fixup <sha-of-commit-to-fix>   # placeholder: the hash of the earlier commit
git rebase -i --autosquash master
git push --force-with-lease origin my-new-feature
```

Be sure to add a comment to the PR indicating your new changes are ready to review, as GitHub does not generate a
notification when you git push.

### Code Style

### Formatting Commit Messages

We follow the conventions on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/).

Be sure to include any related GitHub issue references in the commit message. See
[GFM syntax](https://guides.github.com/features/mastering-markdown/#GitHub-flavored-markdown) for referencing issues
and commits.

## Reporting Bugs and Creating Issues

When opening a new issue, try to roughly follow the commit message format conventions above.
--------------------------------------------------------------------------------
/code-of-conduct.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in the
ansible-security-hardening project and our community a harassment-free
experience for everyone, regardless of age, body size, visible or invisible
disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
  overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
  advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
  address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at info@paulveillard.com.
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series
of actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within
the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------
/static-application-security-testing.md:
--------------------------------------------------------------------------------
# Static Application Security Testing (SAST) Tools
(Primarily for web apps)

An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to GitHub repositories, technical guidelines and important resources about Static Application Security Testing (SAST) Tools.
> Thanks to all contributors, you're awesome and this wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.
6 | 7 | ## `About Dynamic Application Security Testing (DAST)` 8 | 9 | --- 10 | 11 | layout: col-sidebar 12 | title: Source Code Analysis Tools 13 | author: 14 | contributors: 15 | - Dave Wichers, itamarlavender, will-obrien, Eitan Worcel, Prabhu Subramanian, kingthorin, coadaflorin, hblankenship, GovorovViva64, pfhorman, GouveaHeitor, Clint Gibler, DSotnikov, Ajin Abraham, Noam Rathaus, Mike Jang 16 | tags: source code analysis, static code analysis, tools 17 | permalink: /Source_Code_Analysis_Tools 18 | 19 | --- 20 | 21 | 22 | 23 | [Source code analysis](https://owasp.org/www-community/controls/Static_Code_Analysis) tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. 24 | 25 | SAST tools can be added into your IDE. Such tools can help you detect issues during software development. 26 | SAST tool feedback can save time and effort, especially when compared to finding vulnerabilities later in the development cycle. 27 | 28 | ## Strengths and Weaknesses 29 | 30 | ### Strengths 31 | 32 | - Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration). 33 | - Identifies certain well-known vulnerabilities, such as: 34 | - Buffer overflows 35 | - SQL injection flaws 36 | - Output helps developers, as SAST tools highlight the problematic code, by filename, 37 | location, line number, and even the affected code snippet. 38 | 39 | ### Weaknesses 40 | 41 | - Difficult to automate searches for many types of security vulnerabilities, including: 42 | - Authentication problems 43 | - Access control issues 44 | - Insecure use of cryptography 45 | - Current SAST tools are limited. They can automatically identify only a relatively 46 | small percentage of application security flaws. 47 | - High numbers of false positives. 
48 | - Frequently unable to find configuration issues, since they are not represented in the code. 49 | - Difficult to 'prove' that an identified security issue is an actual vulnerability. 50 | - Many SAST tools have difficulty analyzing code that can't be compiled. 51 | - Analysts frequently cannot compile code unless they have: 52 | - Correct libraries 53 | - Compilation instructions 54 | - All required code 55 | 56 | ## Important Selection Criteria 57 | 58 | - Prerequisite: Support your programming language. 59 | - Ability to detect vulnerabilities, based on: 60 | - The [OWASP Top Ten](/www-project-top-ten/) 61 | - Other criteria such as: 62 | - [OSSTMM](https://www.isecom.org/OSSTMM.3.pdf) 63 | - [CHECK](https://www.ncsc.gov.uk/information/check-penetration-testing) 64 | - Accuracy: 65 | - False Positive/False Negative rates 66 | - OWASP [Benchmark](/www-project-benchmark/) score 67 | - Ability to understand the libraries/frameworks you need 68 | - Requirement for buildable source code 69 | - Ability to run against binaries (instead of source) 70 | - Availability as a plugin into preferred developer IDEs 71 | - Ease of setup/use 72 | - Ability to include in Continuous Integration/Deployment tools 73 | - License cost (May vary by user, organization, app, or lines of code) 74 | - Interoperability of output: 75 | - See OASIS [SARIF (Static Analysis Results Interchange Format)](https://rawgit.com/sarif-standard/sarif-spec/master/ standard) 76 | 77 | ## Disclaimer 78 | 79 | **The tools listed in the tables below are presented in alphabetical order. *OWASP does not endorse any of the vendors or tools by listing them in the table below.* We have made every effort to provide this information as accurately as possible. 
If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.** 80 | 81 | | Name/Link | Owner | License | Platforms | Note | 82 | |:------------------------------------------------:|:-------------------------------------------:|:-------------------:|:---------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| 83 | | [.NET Security Guard](https://security-code-scan.github.io/) | | Open Source or Free | | .NET, C\#, VB.net | 84 | | 42Crunch | | Commercial | | REST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring. | 85 | | Agnitio | | Open Source or Free | Windows | ASP, ASP.NET, C\#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML | 86 | | APIsecurity.io Security Audit | | Open Source or Free | | online tool for OpenAPI / Swagger file static security analysis | 87 | | Application Inspector | Positive Technologies | Commercial | | combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. 
| 88 | | Bandit | | Open Source or Free | | Bandit is a comprehensive source vulnerability scanner for Python | 89 | | Bearer | Bearer | Commercial | SaaS or On-Premises | Map sensitive data flows and identify security risks such as unauthorized data flow, missing encryption, unauthorized access, and more. | 90 | | Beyond Security beSOURCE | Beyond Security | Commercial | | Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps. | 91 | | BlueClosure BC Detect | BlueClosure | Commercial | | Analyzes client-side JavaScript. | 92 | | Brakeman | | Open Source or Free | | Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications | 93 | | bugScout | Nalbatech, Formerly Buguroo | Commercial | | | 94 | | CAST AIP | | Commercial | | Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP's security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards). | 95 | | clj-holmes | clj-holmes | Open Source | Linux and MacOs | A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language. | 96 | | CloudDefense | CloudDefense | Commercial | SaaS or On-Premises | CloudDefense provides holistic threat intelligence across all attack surfaces - Containers, Kubernetes, Code, Open Source Libraries, APIs and more... | 97 | | Codacy | | Commercial | | Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. 
(free for open source projects) | 98 | | CodeScan Cloud | | Commercial | | A Salesforce focused, SaaS code quality tool leveraging SonarQube's OWASP security hotspots to give security visibility on Apex, Visualforce, and Lightning proprietary languages. | 99 | | CodeSonar | | Commercial | | tool that supports C, C++, Java and C\# and maps against the OWASP top 10 vulnerabilities. | 100 | | CodeSonar | | Open Source or Free | | C, C++, Java | 101 | | Codiga | Codiga | Commercial | SaaS or On-Premises | Codiga scans your code and find security, safety, design, performance and maintainability issues in your code at each push or pull request. It integrates with GitHub, GitLab and Bitbucket. | 102 | | CoGuard | Heinle Solutions Inc. | Commercial | SaaS or On-Premises | A SAST tool for infrastructure configuration analysis. Support for common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools. | 103 | | Contrast Assess | | Commercial | | Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis. | 104 | | Coverity | | Open Source or Free | | Android, C\#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET | 105 | | Coverity Static Analysis | Synopsys | Commercial | | | 106 | | CxSAST | Checkmarx | Commercial | Saas, or on-premises. Windows and Linux with CI/CD and IDE plugin integration | Run full or incremental source code security scans. Supported languages include Javascript, Java, Apex, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C++, C#.NET, PL/SQL, VB.NET, ASP.NET, HTML 5, Windows Mobile, Go, and Kotlin. 
| 107 | | Dawnscanner | | Open Source or Free | | Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby. | 108 | | Deep Dive | | Open Source or Free | | Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR). | 109 | | DeepSource | DeepSource Corp. | Commercial | SaaS or On-Premises | DeepSource helps you automatically find and fix issues in your code during code reviews, such as bug risks, anti-patterns, performance issues, and security flaws. It takes less than 5 minutes to set up with your Bitbucket, GitHub, or GitLab account. It works for Python, Go, Ruby, and JavaScript. | 110 | | DerScanner | DerScanner Ltd. | Commercial | | Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info. | 111 | | DevBug | | Open Source or Free | Web Based | PHP | 112 | | ECG | VoidSec | Commercial | | SaaS TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source-code. Discovered vulnerabilities will be mapped against the OWASP top 10 vulnerabilities. | 113 | | Enlightn | Enlightn Software | Open Source | | Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities. | 114 | | Find Security Bugs | | Open Source or Free | | Java, Scala, Groovy | 115 | | FindBugs | | Open Source or Free | | Find bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead] | 116 | | FindSecBugs | | Open Source or Free | | A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. 
Works with the old FindBugs too. | 117 | | Flawfinder | | Open Source or Free | | Scans C and C++. | 118 | | Fluid Attacks' Scanner | Fluid Attacks | Open Source | | SAST, DAST and SCA vulnerability detection tool with a perfect OWASP Benchmark score. | 119 | | Fortify | Micro Focus | Commercial | Windows, Linux, and MacOSX | Free trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C\# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML | 120 | | GitGuardian — Automated Secrets Detection | | Commercial | SaaS or On-Premises | Secure your software development with automated secrets detection & remediation for private or public source code. | 121 | | GitHub Advanced Security | GitHub | Commercial (free for public repositories) | SaaS or On-Premises | GitHub Advanced Security uses CodeQL for static code analysis and GitHub Secret Scanning for identifying tokens. GitHub code scanning can import SARIF from any other SAST tool. | 122 | | GitLab | GitLab | Commercial | SaaS, Linux, Windows | | 123 | | GolangCI-Lint | | Open Source or Free | | A Go linters aggregator. One of the linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled. | 124 | | Google CodeSearchDiggity | | Open Source or Free | | Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
*Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.* [Legacy - depends on the Google Code Search service, which Google shut down in 2012; the tool no longer works] | 125 | | Graudit | | Open Source or Free | Linux | Scans multiple languages for various security flaws. Basically security-enhanced code grep. | 126 | | HCL AppScan CodeSweep - GitHub Action | HCL Software | Open Source or Free | | Scan the new code on a push/pull request using a GitHub Action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX & a few more. | 127 | | HCL AppScan CodeSweep - VS Code | HCL Software | Open Source or Free | | This is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, its type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX & a few more. | 128 | | HCL AppScan on Cloud | HCL Software | Open Source or Free | | Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6 | 129 | | HCL AppScan Source | HCL Software | Commercial | | Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6 | 130 | | Hdiv Detection | Hdiv Security | Commercial | | Hdiv Detection is an Interactive Application Security Testing (IAST) tool rather than a static analyzer; it correlates runtime code and data analysis.
It provides code-level results without relying on static analysis. | 131 | | Horusec | | Open Source or Free | | Python (3.x), Ruby, JavaScript, Go, .NET Core (3.x), Java, Kotlin, Terraform | 132 | | HuskyCI | | Open Source or Free | | HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (npm audit and Yarn audit), Go (Gosec), and Java (SpotBugs plus Find Sec Bugs). | 133 | | Insider CLI | InsiderSec | Open Source or Free | | An open source Static Application Security Testing (SAST) tool written in Go for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js). | 134 | | Kiuwan | a division of Idera, Inc. | Commercial | | Provides an application security testing and analytics platform, including SAST and SCA solutions, that reduces risk and improves change management and DevOps processes. | 135 | | Klocwork | Perforce | Commercial | | Static Code Analysis for C, C++, C#, and Java | 136 | | Klocwork | | Open Source or Free | | C, C++, C\#, Java | 137 | | Kroogal | | Commercial | | C, C++ | 138 | | LGTM | | Open Source or Free | | A free for open source static analysis service that automatically monitored commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supported C/C++, C\#, Go, Java, JavaScript/TypeScript, Python. [Legacy - LGTM.com was shut down in December 2022; its CodeQL analysis continues as GitHub code scanning] | 139 | | Microsoft FxCop | | Open Source or Free | | .NET [Legacy - superseded by the Roslyn-based .NET analyzers] | 140 | | Microsoft PREFast | | Open Source or Free | | C, C++ | 141 | | MobSF | | Open Source or Free | | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
| 142 | | MobSF | | Open Source or Free | Windows, Unix | Android Java, Objective C, Swift | 143 | | NextGen Static Analysis | ShiftLeft | Commercial | SaaS | Free version available. Currently supports Java, JavaScript, C\#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register. | 144 | | nodejsscan | | Open Source or Free | Unix | Node.js | 145 | | Nucleaus Core | Nucleaus | Commercial | SaaS | Scans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns and the vulnerability exception lifecycle, and is built on API-first principles. | 146 | | Offensive360 | | Commercial | | All-in-one SAST platform combining deep source code analysis with malware detection, SCA and license analysis. | 147 | | Oversecured | Oversecured Inc | Commercial | iOS, Android | Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process. | 148 | | OWASP ASST (Automated Software Security Toolkit) | Tarik Seyceri & OWASP | Open Source or Free | Ubuntu, MacOSX and Windows | An open source source-code scanning tool written in JavaScript (Node.js). Scans PHP & MySQL code for security vulnerabilities according to the OWASP Top 10 and other well-known OWASP vulnerability classes, and teaches developers how to secure their code after the scan.
| 149 | | OWASP Code Crawler | OWASP | Open Source | | .NET, Java | 150 | | OWASP LAPSE Project | OWASP | Open Source | | Java | 151 | | OWASP Orizon Project | OWASP | Open Source | | Java | 152 | | OWASP WAP (Web Application Protection) | OWASP | Open Source | | PHP | 153 | | ParaSoft | | Open Source or Free | | C, C++, Java, .NET | 154 | | Parasoft Test | Parasoft | Commercial | | Test tools for C/C++, .NET, Java | 155 | | phpcs-security-audit | | Open Source or Free | | A set of PHP_CodeSniffer rules to find security-related flaws or weaknesses in PHP and its popular CMSs and frameworks. It currently has core PHP rules as well as Drupal 7 specific rules. | 156 | | PITSS.CON | PITSS | Commercial | | Scans Oracle Forms and Reports applications | 157 | | PMD | | Open Source or Free | | PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues). | 158 | | Polyspace Static Analysis | | Open Source or Free | | C, C++, Ada | 159 | | PreFast | Microsoft | Open Source or Free | | PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006. | 160 | | Progpilot | | Open Source or Free | | Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection. | 161 | | Psalm | Vimeo, Inc. | Open Source | | Static code analysis for PHP projects, written in PHP. | 162 | | PT Application Inspector | Positive Technologies | Commercial | | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. | 163 | | Puma Scan | Puma Security | Commercial | | A .NET C\# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
| 164 | | Puma Scan Professional | | Open Source or Free | | .NET, C\# | 165 | | PVS-Studio | | Open Source or Free | | C, C++, C\# | 166 | | PVS-Studio Analyzer | PVS-Studio | Commercial | | Static code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/). | 167 | | Pyre | | Open Source or Free | | A performant type-checker for Python 3 that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities (Pysa). | 168 | | reshift | | Commercial | | A CI/CD static code security analysis tool for Java that uses machine learning to predict false positives. | 169 | | RIPS Code Analysis | RIPS Technologies - Acquired by SonarSource | Commercial | | Static security analyzer for Java and PHP. | 170 | | ScanMyCode CE (Community Edition) | Marcin Kozlowski | Open Source | | Code scanning/SAST/static analysis/linting using many tools and scanners with one report. Currently supports: PHP, Java, Scala, Python, Ruby, JavaScript, Go, secret scanning, dependency confusion, Trojan Source, open source and proprietary checks (ca. 1000 checks in total). Also supports differential analysis. The goal is one report using many tools/scanners. | 171 | | SecureAssist | Synopsys | Commercial | | Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript. | 172 | | Security Code Scan | | Open Source or Free | | Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weaknesses, XSS and more. | 173 | | Seeker | Synopsys | Commercial | | Seeker is an Interactive Application Security Testing (IAST) tool rather than a static analyzer: it correlates runtime code and data analysis with simulated attacks to provide code-level results without relying on static analysis.
| 174 | | Semgrep | | Open Source or Free | | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON, Python, TypeScript, and more. | 175 | | Sentinel Source | Whitehat | Commercial | | Static security analysis for 10+ languages. | 176 | | ShiftLeft Scan | | Open Source or Free | | A free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline. | 177 | | Sink Tank | | Open Source or Free | | Java byte code static code analyzer for performing source/sink (taint) analysis. | 178 | | Snyk | Snyk Limited | Commercial or Free | SaaS, IDE Plugin | Find, learn and fix vulnerabilities in open source dependencies, in your application code, in container images or insecure configurations in Terraform and Kubernetes. | 179 | | SonarCloud | | Open Source or Free | | ABAP, C, C++, Objective-C, COBOL, C\#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML | 180 | | SonarQube | | Open Source or Free | | Scans source code for 15 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [SonarLint](https://www.sonarlint.org/). | 181 | | Spectral | SpectralOps | Open Source or Free | Multi-platform & Multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnostic | Discover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more. | 182 | | Splint | | Open Source or Free | | C | 183 | | SpotBugs | | Open Source or Free | | Java. This is the active fork replacement for FindBugs, which is not maintained anymore. Very few security checks on its own;
the FindSecBugs plugin provides the security rules. | 184 | | Static Reviewer | Security Reviewer | Commercial | Windows and Linux; on-Premises and in Cloud; Desktop, CLI and CI/CD & IDE plugin integration | Static Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules. | 185 | | Thunderscan SAST | DefenseCode | Commercial | | Static security analysis for 27+ languages. | 186 | | Veracode | | Open Source or Free | | Android, ASP.NET, C\#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin | 187 | | Veracode Static Analysis | Veracode | Commercial | | | 188 | | VisualCodeGrepper | | Open Source or Free | Windows | C/C++, C\#, VB, PHP, Java, PL/SQL | 189 | | VisualCodeGrepper (VCG) | | Open Source or Free | | Scans C/C++, C\#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues. | 190 | | VS Code OpenAPI (Swagger) Editor extension | | Open Source or Free | | Plugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis). | 191 | | Xanitizer | Xanitizer | Commercial | CLI and plugin integration | A SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per the vendor's pricing page, it is free for Open Source projects if you contact the vendor. | 192 | 193 | ## More info 194 | 195 | - [NIST's list of Source Code Security Analysis Tools](https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html).
196 | - [DAST Tools](/www-community/Vulnerability_Scanning_Tools) - Similar info on Dynamic Application Security Testing (DAST) Tools. 197 | - [Free for Open Source Application Security Tools](/www-community/Free_for_Open_Source_Application_Security_Tools) - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source. 198 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Static Application Security Testing (SAST): Theory, Techniques, and Tools 2 | 3 | An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, e-books and videos, websites, blog posts, links to GitHub repositories, technical guidelines and important resources about Static Application Security Testing (SAST) tools. 4 | > Thanks to all contributors, you're awesome and this wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources. 5 | 6 | ## `About Static Application Security Testing (SAST)` 7 | 8 | 9 | 10 | 11 | 12 | [Source code analysis](https://owasp.org/www-community/controls/Static_Code_Analysis) tools, also known as Static Application Security Testing (SAST) tools, analyze source code or compiled versions of code to find security flaws. 13 | 14 | SAST tools can be added to your IDE. Such tools can help you detect issues during software development. 15 | SAST tool feedback can save time and effort, especially when compared to finding vulnerabilities later in the development cycle. 16 | 17 | ## `Strengths and Weaknesses` 18 | 19 | ### `Strengths` 20 | 21 | - Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration).
22 | - Identifies certain well-known vulnerabilities, such as: 23 | - Buffer overflows 24 | - SQL injection flaws 25 | - Output helps developers, as SAST tools highlight the problematic code, by filename, 26 | location, line number, and even the affected code snippet. 27 | 28 | ### `Weaknesses` 29 | 30 | - Difficult to automate searches for many types of security vulnerabilities, including: 31 | - Authentication problems 32 | - Access control issues 33 | - Insecure use of cryptography 34 | - Current SAST tools are limited. They can automatically identify only a relatively 35 | small percentage of application security flaws. 36 | - High numbers of false positives. 37 | - Frequently unable to find configuration issues, since they are not represented in the code. 38 | - Difficult to 'prove' that an identified security issue is an actual vulnerability. 39 | - Many SAST tools have difficulty analyzing code that can't be compiled. 40 | - Analysts frequently cannot compile code unless they have: 41 | - Correct libraries 42 | - Compilation instructions 43 | - All required code 44 | 45 | ## `Important Selection Criteria` 46 | 47 | - Prerequisite: Support your programming language. 
48 | - Ability to detect vulnerabilities, based on: 49 | - The [OWASP Top Ten](/www-project-top-ten/) 50 | - Other criteria such as: 51 | - [OSSTMM](https://www.isecom.org/OSSTMM.3.pdf) 52 | - [CHECK](https://www.ncsc.gov.uk/information/check-penetration-testing) 53 | - Accuracy: 54 | - False Positive/False Negative rates 55 | - OWASP [Benchmark](/www-project-benchmark/) score 56 | - Ability to understand the libraries/frameworks you need 57 | - Requirement for buildable source code 58 | - Ability to run against binaries (instead of source) 59 | - Availability as a plugin into preferred developer IDEs 60 | - Ease of setup/use 61 | - Ability to include in Continuous Integration/Deployment tools 62 | - License cost (May vary by user, organization, app, or lines of code) 63 | - Interoperability of output: 64 | - See OASIS [SARIF (Static Analysis Results Interchange Format)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) 65 | 66 | ## Disclaimer 67 | 68 | **The tools listed in the tables below are presented in alphabetical order. *OWASP does not endorse any of the vendors or tools by listing them in the table below.* We have made every effort to provide this information as accurately as possible.
If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.** 69 | 70 | | Name/Link | Owner | License | Platforms | Note | 71 | |:------------------------------------------------:|:-------------------------------------------:|:-------------------:|:---------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| 72 | | [.NET Security Guard](https://security-code-scan.github.io/) | | Open Source or Free | | .NET, C\#, VB.net | 73 | | [42Crunch](https://42crunch.com/) | | Commercial | | REST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring. | 74 | | Agnitio | | Open Source or Free | Windows | ASP, ASP.NET, C\#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML | 75 | | APIsecurity.io Security Audit | | Open Source or Free | | Online tool for OpenAPI / Swagger file static security analysis | 76 | | Application Inspector | Positive Technologies | Commercial | | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, including abstract interpretation; can generate test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supported languages include: Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
| 77 | | Bandit | | Open Source or Free | | Bandit is a comprehensive source vulnerability scanner for Python | 78 | | Bearer | Bearer | Commercial | SaaS or On-Premises | Map sensitive data flows and identify security risks such as unauthorized data flow, missing encryption, unauthorized access, and more. | 79 | | Beyond Security beSOURCE | Beyond Security | Commercial | | Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps. | 80 | | BlueClosure BC Detect | BlueClosure | Commercial | | Analyzes client-side JavaScript. | 81 | | Brakeman | | Open Source or Free | | Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications | 82 | | bugScout | Nalbatech, Formerly Buguroo | Commercial | | | 83 | | CAST AIP | | Commercial | | Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP's security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards). | 84 | | clj-holmes | clj-holmes | Open Source | Linux and MacOs | A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language. | 85 | | CloudDefense | CloudDefense | Commercial | SaaS or On-Premises | CloudDefense provides holistic threat intelligence across all attack surfaces - Containers, Kubernetes, Code, Open Source Libraries, APIs and more... | 86 | | Codacy | | Commercial | | Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. 
(free for open source projects) | 87 | | CodeScan Cloud | | Commercial | | A Salesforce-focused SaaS code quality tool leveraging SonarQube's OWASP security hotspots to give security visibility on the proprietary Apex, Visualforce, and Lightning languages. | 88 | | CodeSonar | | Commercial | | Tool that supports C, C++, Java and C\# and maps findings against the OWASP Top 10 vulnerabilities. | 89 | | CodeSonar | | Open Source or Free | | C, C++, Java | 90 | | Codiga | Codiga | Commercial | SaaS or On-Premises | Codiga scans your code and finds security, safety, design, performance and maintainability issues at each push or pull request. It integrates with GitHub, GitLab and Bitbucket. | 91 | | CoGuard | Heinle Solutions Inc. | Commercial | SaaS or On-Premises | A SAST tool for infrastructure configuration analysis. Supports common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools. | 92 | | Contrast Assess | | Commercial | | Contrast Assess is an Interactive Application Security Testing (IAST) tool rather than a static analyzer: it correlates runtime code and data analysis to provide code-level results without relying on static analysis. | 93 | | Coverity | | Open Source or Free | | Android, C\#, C, C++, Java, JavaScript, Node.js, Objective-C, PHP, Python, Ruby, Scala, Swift, VB.NET | 94 | | Coverity Static Analysis | Synopsys | Commercial | | | 95 | | CxSAST | Checkmarx | Commercial | SaaS or on-premises. Windows and Linux with CI/CD and IDE plugin integration | Run full or incremental source code security scans. Supported languages include JavaScript, Java, Apex, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C++, C#.NET, PL/SQL, VB.NET, ASP.NET, HTML 5, Windows Mobile, Go, and Kotlin.
| 96 | | Dawnscanner | | Open Source or Free | | Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby. | 97 | | Deep Dive | | Open Source or Free | | Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR). | 98 | | DeepSource | DeepSource Corp. | Commercial | SaaS or On-Premises | DeepSource helps you automatically find and fix issues in your code during code reviews, such as bug risks, anti-patterns, performance issues, and security flaws. It takes less than 5 minutes to set up with your Bitbucket, GitHub, or GitLab account. It works for Python, Go, Ruby, and JavaScript. | 99 | | DerScanner | DerScanner Ltd. | Commercial | | Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info. | 100 | | DevBug | | Open Source or Free | Web Based | PHP | 101 | | ECG | VoidSec | Commercial | | SaaS TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source-code. Discovered vulnerabilities will be mapped against the OWASP top 10 vulnerabilities. | 102 | | Enlightn | Enlightn Software | Open Source | | Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities. | 103 | | Find Security Bugs | | Open Source or Free | | Java, Scala, Groovy | 104 | | FindBugs | | Open Source or Free | | Find bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead] | 105 | | FindSecBugs | | Open Source or Free | | A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. 
Works with the old FindBugs too. | 106 | | Flawfinder | | Open Source or Free | | Scans C and C++. | 107 | | Fluid Attacks' Scanner | Fluid Attacks | Open Source | | SAST, DAST and SCA vulnerability detection tool with a perfect OWASP Benchmark score. | 108 | | Fortify | Micro Focus | Commercial | Windows, Linux, and MacOSX | Free trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C\# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML | 109 | | GitGuardian — Automated Secrets Detection | | Commercial | SaaS or On-Premises | Secure your software development with automated secrets detection & remediation for private or public source code. | 110 | | GitHub Advanced Security | GitHub | Commercial (free for public repositories) | SaaS or On-Premises | GitHub Advanced Security uses CodeQL for static code analysis and GitHub Secret Scanning for identifying tokens. GitHub code scanning can import SARIF from any other SAST tool. | 111 | | GitLab | GitLab | Commercial | SaaS, Linux, Windows | | 112 | | GolangCI-Lint | | Open Source or Free | | A Go linters aggregator. One of the linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled. | 113 | | Google CodeSearchDiggity | | Open Source or Free | | Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
*Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.* [Legacy - depends on the Google Code Search service, which Google shut down in 2012; the tool no longer works] | 114 | | Graudit | | Open Source or Free | Linux | Scans multiple languages for various security flaws. Basically security-enhanced code grep. | 115 | | HCL AppScan CodeSweep - GitHub Action | HCL Software | Open Source or Free | | Scan the new code on a push/pull request using a GitHub Action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX & a few more. | 116 | | HCL AppScan CodeSweep - VS Code | HCL Software | Open Source or Free | | This is the first Community edition version of AppScan. It is delivered as a VS Code plugin and scans files upon saving them. The results show the location of a finding, its type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX & a few more. | 117 | | HCL AppScan on Cloud | HCL Software | Open Source or Free | | Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6 | 118 | | HCL AppScan Source | HCL Software | Commercial | | Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript (Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6 | 119 | | Hdiv Detection | Hdiv Security | Commercial | | Hdiv Detection is an Interactive Application Security Testing (IAST) tool rather than a static analyzer; it correlates runtime code and data analysis.
It provides code-level results without relying on static analysis. | 120 | | Horusec | | Open Source or Free | | Python (3.x), Ruby, JavaScript, Go, .NET Core (3.x), Java, Kotlin, Terraform | 121 | | HuskyCI | | Open Source or Free | | HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (npm audit and Yarn audit), Go (Gosec), and Java (SpotBugs plus Find Sec Bugs). | 122 | | Insider CLI | InsiderSec | Open Source or Free | | An open source Static Application Security Testing (SAST) tool written in Go for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js). | 123 | | Kiuwan | a division of Idera, Inc. | Commercial | | Provides an application security testing and analytics platform, including SAST and SCA solutions, that reduces risk and improves change management and DevOps processes. | 124 | | Klocwork | Perforce | Commercial | | Static Code Analysis for C, C++, C#, and Java | 125 | | Klocwork | | Open Source or Free | | C, C++, C\#, Java | 126 | | Kroogal | | Commercial | | C, C++ | 127 | | LGTM | | Open Source or Free | | A free for open source static analysis service that automatically monitored commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supported C/C++, C\#, Go, Java, JavaScript/TypeScript, Python. [Legacy - LGTM.com was shut down in December 2022; its CodeQL analysis continues as GitHub code scanning] | 128 | | Microsoft FxCop | | Open Source or Free | | .NET [Legacy - superseded by the Roslyn-based .NET analyzers] | 129 | | Microsoft PREFast | | Open Source or Free | | C, C++ | 130 | | MobSF | | Open Source or Free | | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
| 131 | | MobSF | | Open Source or Free | Windows, Unix | Android Java, Objective C, Swift | 132 | | NextGen Static Analysis | ShiftLeft | Commercial | SaaS | Free version available. Currently supports Java, JavaScript, C\#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register. | 133 | | nodejsscan | | Open Source or Free | Unix | Node.js | 134 | | Nucleaus Core | Nucleaus | Commercial | SaaS | Scans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns, vulnerability exception lifecycle, and is built on API first principles. | 135 | | Offensive360 | | Commercial | | SAST technology that attacks the source code from all corners it has all in one. Malware, SCA, License, and deep source code analysis. | 136 | | Oversecured | Oversecured Inc | Commercial | iOS, Android | Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process. | 137 | | OWASP ASST (Automated Software Security Toolkit) | Tarik Seyceri & OWASP | Open Source or Free | Ubuntu, MacOSX and Windows | An Open Source, Source Code Scanning Tool, developed with JavaScript (Node.js framework), Scans for PHP & MySQL Security Vulnerabilities According to OWASP Top 10 and Some other OWASP's famous vulnerabilities, and it teaches developers of how to secure their codes after scan. 
| 138 | | OWASP Code Crawler | OWASP | Open Source | | .NET, Java | 139 | | OWASP LAPSE Project | OWASP | Open Source | | Java | 140 | | OWASP Orizon Project | OWASP | Open Source | | Java | 141 | | OWASP WAP (Web Application Protection) | OWASP | Open Source | | PHP | 142 | | ParaSoft | | Open Source or Free | | C, C++, Java, .NET | 143 | | Parasoft Test | Parasoft | Commercial | | Test tools for C/C++, .NET, Java | 144 | | phpcs-security-audit | | Open Source or Free | | A set of PHP_CodeSniffer rules to finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules. | 145 | | PITSS.CON | PITTS | Commercial | | Scans Oracle Forms and Reports Applications | 146 | | PMD | | Open Source or Free | | PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues). | 147 | | Polyspace Static Analysis | | Open Source or Free | | C, C++, Ada | 148 | | PreFast | Microsoft | Open Source or Free | | PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006. | 149 | | Progpilot | | Open Source or Free | | Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection. | 150 | | Psalm | Vimeo, Inc. | Open Source | | Static code analysis for PHP projects, written in PHP. | 151 | | PT Application Inspector | Positive Technologies | Commercial | | Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others. | 152 | | Puma Scan | Puma Security | Commercial | | A .NET C\# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable. 
| 153 | | Puma Scan Professional | | Open Source or Free | | .NET, C\# | 154 | | PVS-Studio | | Open Source or Free | | C, C++, C\# | 155 | | PVS-Studio Analyzer | PVS-Studio | Commercial | | Static code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/). | 156 | | Pyre | | Open Source or Free | | A performant type-checker for Python 3, that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities. | 157 | | reshift | | Commercial | | A CI/CD static code security analysis tool for Java that uses machine learning to give a prediction on false positives. | 158 | | RIPS Code Analysis | RIPS Technologies - Acquired by SonarSource | Commercial | | Static security analyzer for Java and PHP. | 159 | | ScanMyCode CE (Community Edition) | Marcin Kozlowski | Open Source | | Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report. Currently supports: PHP, Java, Scala, Python, Ruby, Javascript, GO, Secret Scanning, Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 1000 checks). Supports also Differential analysis. Goal is to have one report using many tools/scanners | 160 | | SecureAssist | Synopsys | Commercial | | Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript. | 161 | | Security Code Scan | | Open Source or Free | | Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more. | 162 | | Seeker | Synopsys | Commercial | | Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis. 
| 163 | | Semgrep | | Open Source or Free | | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON,Python, TypeScript, and more. | 164 | | Sentinel Source | Whitehat | Commercial | | Static security analysis for 10+ languages. | 165 | | ShiftLeft Scan | | Open Source or Free | | A free open-source DevSecOps platform for detecting security issues in source ode and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline. | 166 | | Sink Tank | | Open Source or Free | | Java byte code static code analyzer for performing source/sink (taint) analysis. | 167 | | Snyk | Snyk Limited | Commercial or Free | SaaS, IDE Plugin | Find, learn and fix vulnerabilities in open source dependencies, in your application code, in container images or insecure configurations in Terraform and Kubernetes. | 168 | | SonarCloud | | Open Source or Free | | ABAP, C, C++, Objective-C, COBOL, C\#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML | 169 | | SonarQube | | Open Source or Free | | Scans source code for 15 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [SonarLint](https://www.sonarlint.org/). | 170 | | Spectral | SpectralOps | Open Source or Free | Multi-platform & Multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnostic | Discover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more. | 171 | | Splint | | Open Source or Free | | C | 172 | | SpotBugs | | Open Source or Free | | Java. This is the active fork replacement for FindBugs, which is not maintained anymore. Very little security. 
FindSecBugs plugin provides security rules. | 173 | | Static Reviewer | Security Reviewer | Commercial | Windows and Linux; on-Premises and in Cloud; Desktop, CLI and CI/CD & IDE plugin integration | Static Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules. | 174 | | Thunderscan SAST | DefenseCode | Commercial | | Static security analysis for 27+ languages. | 175 | | Veracode | | Open Source or Free | | Android, ASP.NET, C\#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin | 176 | | Veracode Static Analysis | Veracode | Commercial | | | 177 | | VisualCodeGrepper | | Open Source or Free | Windows | C/C++, C\#, VB, PHP, Java, PL/SQL | 178 | | VisualCodeGrepper (VCG) | | Open Source or Free | | Scans C/C++, C\#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues. | 179 | | VS Code OpenAPI (Swagger) Editor extension | | Open Source or Free | | Plugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis). | 180 | | Xanitizer | Xanitizer | Commercial | CLI and plugin integration | A SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per this pricing page, it is free for Open Source projects if you contact the vendor. 
| 181 | 182 | 183 | contributors: 184 | - Dave Wichers, itamarlavender, will-obrien, Eitan Worcel, Prabhu Subramanian, kingthorin, coadaflorin, hblankenship, GovorovViva64, pfhorman, GouveaHeitor, Clint Gibler, DSotnikov, Ajin Abraham, Noam Rathaus, Mike Jang 185 | tags: source code analysis, static code analysis, tools 186 | permalink: /Source_Code_Analysis_Tool 187 | 188 | 189 | ## More info 190 | 191 | - [NIST's list of Source Code Security Analysis Tools](https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html). 192 | - [DAST Tools](/www-community/Vulnerability_Scanning_Tools) - Similar info on Dynamic Application Security Testing (DAST) Tools. 193 | - [Free for Open Source Application Security Tools](/www-community/Free_for_Open_Source_Application_Security_Tools) - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source. 194 | 195 | - **[`^ back to top ^`](#)** 196 | 197 | ## License 198 | MIT License & [cc](https://creativecommons.org/licenses/by/4.0/) license 199 | 200 | Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License. 201 | 202 | To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work. 203 | The underlying source code used to format and display that content is licensed under the MIT licens 204 | --------------------------------------------------------------------------------
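## Worked example: source/sink (taint) analysis

Several tools in the list above (Pyre/Pysa, Sink Tank, Xanitizer) work by tracking attacker-controlled data from a *source* to a dangerous *sink*, treating calls to *sanitizers* as clearing the taint. The Python program below is an added illustration of that technique, not code from any of the tools listed: it walks a module's `ast`, propagates taint through assignments, string building and method calls, and reports sink calls that receive tainted data. The `SOURCES`, `SANITIZERS` and `SINKS` rule sets and the `SAMPLE` input are constructed assumptions; real tools carry thousands of rules and do inter-procedural, flow-sensitive and framework-aware analysis, none of which this toy attempts.

```python
"""Toy source/sink (taint) analysis over Python source, built on the ast module."""
import ast

# Assumed rule set (illustrative, not taken from any real tool). Keys are dotted
# call names exactly as written in the scanned source.
SOURCES = {"input", "request.args.get", "request.form.get"}
SANITIZERS = {"shlex.quote", "int"}
# Sink -> index of the argument that must not be tainted. Tracking the position
# lets a parameterised cursor.execute(sql, params) pass while a concatenated query is flagged.
SINKS = {"os.system": 0, "subprocess.call": 0, "eval": 0, "cursor.execute": 0}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _tainted(expr, tainted):
    """True if attacker-controlled data can reach the value of expr."""
    if isinstance(expr, ast.Constant):
        return False
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = _dotted(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False  # sanitizer output is treated as clean
        # Method calls on tainted values (user.strip()) and tainted arguments
        # (str(user)) propagate taint through the call.
        parts = [expr.func, *expr.args, *(k.value for k in expr.keywords)]
        return any(_tainted(p, tainted) for p in parts)
    # BinOp, f-string, tuple, subscript, attribute, ...: taint flows from any child.
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(expr)
               if isinstance(c, ast.expr))


def _check_sinks(node, tainted, findings):
    """Record every sink call under node whose dangerous argument is tainted."""
    for call in ast.walk(node):
        if isinstance(call, ast.Call):
            name = _dotted(call.func)
            idx = SINKS.get(name)
            if idx is not None and len(call.args) > idx \
                    and _tainted(call.args[idx], tainted):
                findings.add((call.lineno, name))


def _scan(stmts, tainted, findings):
    """Walk statements in order, propagating taint through assignments.
    Flow-insensitive on purpose: once a name has held tainted data it stays
    tainted for the rest of the scope unless it is plainly reassigned.
    Only if/while/for are handled among compound statements, to stay short."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            _scan(stmt.body, set(), findings)  # new scope; params assumed clean
        elif isinstance(stmt, (ast.If, ast.While)):
            _check_sinks(stmt.test, tainted, findings)
            _scan(stmt.body + stmt.orelse, tainted, findings)
        elif isinstance(stmt, ast.For):
            _check_sinks(stmt.iter, tainted, findings)
            if isinstance(stmt.target, ast.Name) and _tainted(stmt.iter, tainted):
                tainted.add(stmt.target.id)  # items of tainted data are tainted
            _scan(stmt.body + stmt.orelse, tainted, findings)
        else:
            # Simple statement: check sinks with the state *before* the assignment.
            _check_sinks(stmt, tainted, findings)
            if isinstance(stmt, ast.Assign):
                is_tainted = _tainted(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (tainted.add if is_tainted else tainted.discard)(target.id)


def analyze(source):
    """Return sorted (line, sink) findings for a Python source string."""
    findings = set()
    _scan(ast.parse(source).body, set(), findings)
    return sorted(findings)


# Constructed sample input, not taken from any real project.
SAMPLE = """\
import os, shlex

def handler(request, cursor):
    host = request.args.get("host")                          # source
    cmd = "ping -c 1 " + host                                # taint flows through +
    os.system(cmd)                                           # finding (line 6)
    os.system("ping -c 1 " + shlex.quote(host))              # sanitized: no finding
    uid = int(request.args.get("id"))                        # int() clears taint
    cursor.execute("SELECT 1 FROM u WHERE id=" + str(uid))   # no finding
    name = request.form.get("name")
    cursor.execute(f"SELECT 1 FROM u WHERE name='{name}'")   # finding (line 11)
    cursor.execute("SELECT 1 FROM u WHERE name=%s", (name,)) # parameterized: ok
    if host:
        eval(name.strip())                                   # finding (line 14)
"""
```

`analyze(SAMPLE)` returns three findings: the concatenated `os.system` command on line 6, the f-string query on line 11 and the `eval` on line 14. The `shlex.quote`d command, the `int()`-cast id and the parameterized query are not reported, which is the source/sanitizer/sink reasoning the tools above automate at scale. The over-approximation is deliberate: sanitizing a copy of `host` never clears `host` itself, so a later direct use of `host` in a sink would still be flagged, and a reviewer has to decide whether that is a true positive.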