Static Analysis
Perform static analysis on your code with these awesome tools
Static code analysis addresses weaknesses in source code, vulnerabilities and other issues by using a tool (or set of tools) that analyses a body of source code against a set of coding rules (or advisories, known vulnerabilities, etc.).
GitHub includes several features, products and solutions for static analysis of your projects, plus others related to security.
Free plan for OSS projects or public projects (on GitHub.com).
Other paid plans for teams and enterprise (extra security features under an Advanced Security license).
More info: https://docs.github.com/en/billing
GitHub Advanced Security: GitHub makes extra security features available to customers under an Advanced Security license:
Code scanning for private repositories
Secret scanning for private repositories
Dependency review for private repositories
Code security: build security into your GitHub workflow with features to keep secrets and vulnerabilities out of your codebase, and to maintain your software supply chain.
Supply chain security: visualize, maintain, and secure the dependencies in your software supply chain.
Security advisories: improving collaboration between repository maintainers and security researchers.
Dependabot: monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date with Dependabot.
Code scanning: using code scanning to identify and fix potential security vulnerabilities and other errors in your code.
Secret scanning: ensuring that tokens, private keys, and other code secrets are not exposed in your repository.
Snyk is a well-known "developer security company" that provides lots of solutions. They define Snyk as a developer security platform.
Free limited plan
Other paid plans for teams and enterprise
More info: https://snyk.io/plans/
Snyk Code (SAST): static application security testing (vulnerabilities, advice...).
Snyk Open Source (SCA): open source risk management (vulnerabilities, license compliance, reporting and others).
Snyk Container: container and Kubernetes security (vulnerabilities, dependencies and others).
Snyk Infrastructure as Code: secure IaC configurations, rules, custom policies, surfacing of unmanaged and drifted resources.
Snyk Cloud: secure operations in the cloud at every stage of the lifecycle.
Official page: https://snyk.io/
Veracode offers intelligent software security to continuously find and fix flaws at every stage of the modern software development lifecycle.
Demo must be requested...
More info: https://www.veracode.com/contact-us
Other solutions, products and services can be found on the official page.
Official page: https://www.veracode.com/
Automatic code review, which includes security management. The tool is capable of identifying security hotspots, defining security-related rules, and more.
Free plan ("Free Sonar"): analyze your code in real time with IDE integration
Other paid plans for developers, teams and enterprises (self-managed and as a service)
More info: https://www.sonarsource.com/plans-and-pricing/#sonarqube
SonarLint: IDE code analysis integrations.
SonarQube: self-hosted, self-managed code analysis.
SonarCloud: "as a service" cloud-based code analysis.
Official page: https://www.sonarsource.com/
Open source security scanner. Finds vulnerabilities and IaC misconfigurations, SBOM discovery, cloud scanning, k8s security risks and more.
Free
AIO tool with multiple scanners:
OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses
Targets:
Container image
Filesystem
Git Repository (remote)
Virtual Machine Image
K8s
AWS
Official page: https://trivy.dev/
Protect multicloud and hybrid environments with integrated security from code to cloud.
Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multicloud and hybrid environments.
AIO tool with multiple capabilities:
Unified visibility of your security posture across Azure, AWS, Google Cloud, and hybrid clouds
Real-time security access and prioritization of the most critical risks with context-aware cloud security
Integrated extended detection and response (XDR) solution across multicloud workloads to prevent, detect, and respond to attacks
Centralized insights across multipipeline and multicloud DevOps to improve application development security
Targets:
Containers
Container images
Databases
Storage
VMs
App Services (and other Azure services)
IaC
Source Code (scanning for CWE, dependencies, secrets and IaC)
Git repositories
Cloud resources running in AWS, Azure and Google Cloud
Official page: https://azure.microsoft.com/en-us/products/defender-for-cloud/
A simple and powerful DevSecOps software to automate thousands of checks and eliminate human errors in source code and cloud infrastructure. Integrable into anything.
Free - Community Edition (Starter Plan)
Other plans professional (for single developer) and business (on request)
AIO tool with multiple scanners:
Compatible with many programming languages
DeFi Security (DeFi exploits)
Infrastructure as Code (IaC)
Security and Best Practices (Docker, Kubernetes (k8s), Terraform AWS, GCP, Azure)
Secret Scanning (166+ secret types)
YARA rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware, Webshells, APTs, Dependency Confusion, Trojan Source
Open Source and Proprietary Checks, SBOM, dependencies, also precise Graph based analysis and AI/OpenAI GPT
SCA (software composition analysis) and Supply Chain Risks
Practically any Open Source and proprietary check can be added
Targets:
Container images
K8s
IaC
Source Code
Git repositories
Cloud platforms
Official page: https://www.betterscan.io/
See Containers.
: Secure Code From the Start.
: Secure Your Software Supply Chain.
: Integrate container security seamlessly into your existing pipeline.
: Catch Elusive Vulnerabilities, Meet Compliance, and Deliver Secure Applications.
You can deploy a self-hosted SonarQube instance on your own machine with its in minutes and scan your code.
Getting started is easy with this one! for getting the software and running it.
with $200 credit to use within 30 days
See
Getting started is easy with this one too! See the for getting the software and running it.
Check out (AnalysisTools), which also compares the best static analysis tools and linters.
(): SQL powered operating system instrumentation, monitoring, and analytics.
(): a DevSecOps and vulnerability management tool.
(): a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.
: grep rough audit - source code auditing tool.
: security-focused static analysis for the Phoenix Framework.
: fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
Google (): continuous fuzzing for open source software.
Greenbone : a full-featured vulnerability scanner.
()
: a tool to run security tools and track security bugs easily.
(): an extensible multilanguage static code analyzer.
(): lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
: The world’s most widely used web app scanner. Free and open source.
(): a powerful open-source XSS scanner and utility focused on automation.
(): a web server based on the notorious NGINX and focused on security.
: CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks.
: validate CSP in headers and meta elements & validate and merge using intersect or union strategy.
: makes deploying and monitoring Content Security Policy a breeze. With automated tools and actionable insights, you'll be protecting your users in no time.
(English/Chinese): Web vulnerability scanning and verification tools.
TruffleSecurity (): the fastest way to set up XSS Hunter to test and find blind cross-site scripting vulnerabilities.
() (⚠️): web application security scanner framework.
: web application security scanner framework (Arachni successor).
: automated security testing for REST APIs.
(): a simple program that scans C/C++ source code and reports potential security flaws.
(): vulnerability Patterns Detector for C# and VB.NET.
Puma Security - (): a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
(): the SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects).
(): SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
(): a tool that helps to detect errors and potential problems in your JavaScript code.
: a static security code scanner for Node.js applications.
(): help secure Express apps with various HTTP headers.
(): Golang security checker.
(): a state of the art linter for the Go programming language. Using static analysis, it finds bugs and performance issues, offers simplifications, and enforces style rules.
: a static analysis tool for securing Go code.
Facebook (Meta) (aka pyre-check) (): a performant type checker for Python.
(): a tool designed to find common security issues in Python code.
(): a static analysis security vulnerability scanner for Ruby on Rails applications.
: a source code scanner designed to review your web applications for security issues.
(): scans your Laravel app code to provide you actionable recommendations on improving its performance, security & more (offers pricing plans).
: a static application security testing (SAST) tool for PHP.
: a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness.
(⚠️): a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
(⚠️): php.ini scanner for best security practices.
Aqua : kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Armo : an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
(): Kubernetes object analysis with recommendations for improved reliability and security.
ControlPlane (): a kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io.
Cilium : eBPF-based Security Observability and Runtime Enforcement.
Cilium : Network, Service & Security Observability for Kubernetes using eBPF.
(): Cloud Native Runtime Security.
(): provides an E2E policy enforcement solution to run automatic checks for rule violations.
(): write tests against structured configuration data using the Open Policy Agent Rego query language.
: investigate malicious Windows logon by visualizing and analyzing Windows event log.
: reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
Consensys : Smart contract security service for Ethereum.
Consensys (): Security analysis tool for EVM bytecode.
: a Fast Smart Contract Fuzzer.
(): OWASP ModSecurity Core Rule Set.
(): security automation content in SCAP, Bash, Ansible, and other formats.
Google : an open-source cryptography library written by cryptographers and security engineers at Google.
(): zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
Qualys : free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
: a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
: tests SSL/TLS enabled services to discover supported cipher suites.
: fast and powerful SSL/TLS scanning library.
(): an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions.
GitHub (): discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code analysis engine.
(): YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
Microsoft : a set of IDE plugins and rules that provide security "linting" capabilities.
(part of Microsoft Defender for Cloud) (): uses a central console (in Azure) to empower security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritize remediation in code.
- aka "Guardian"
(): find and fix hardcoded secrets and infrastructure-as-code misconfigurations.
(): Cloud Security Scans.
Deepfence : Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
(): an open source high performance data integration platform built for developers.
(): use SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required.
NCC Group : Multi-Cloud Security Auditing Tool.
(): an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness.
(): an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
Cisco Duo : helps you analyze your Amazon Web Services (AWS) environments.