Static Analysis

Perform static analysis on your code with these awesome tools

About

Static code analysis finds weaknesses, vulnerabilities and other defects in source code by using a tool (or set of tools) that checks a body of source code against a set of coding rules (advisories, known vulnerabilities, ...).

GitHub

GitHub includes several features/products/solutions regarding static analysis of your projects and others related to security.

Pricing

  • Free plan for OSS projects or public projects (on GitHub.com).

  • Other paid plans for teams and enterprise (extra security features under an Advanced Security license).

More info: https://docs.github.com/en/billing

Solutions/Products

  • GitHub Advanced Security: GitHub makes extra security features available to customers under an Advanced Security license [source]:

    • Code scanning for private repository

    • Secret scanning for private repository

    • Dependency review for private repository

  • Code security: build security into your GitHub workflow with features to keep secrets and vulnerabilities out of your codebase, and to maintain your software supply chain [source].

  • Supply chain security: visualize, maintain, and secure the dependencies in your software supply chain [source].

  • Security advisories: improving collaboration between repository maintainers and security researchers [source].

  • Dependabot: monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date with Dependabot [source].

  • Code scanning: using code scanning to identify and fix potential security vulnerabilities and other errors in your code [source].

  • Secret scanning: ensuring that tokens, private keys, and other code secrets are not exposed in your repository [source].

Official page: https://github.com/

Snyk

Snyk is a well-known "developer security company" that provides lots of solutions. They define Snyk as a developer security platform.

Pricing

  • Free (limited) plan

  • Other paid plans for teams and enterprise

More info: https://snyk.io/plans/

Solutions/Products

  • Snyk Code (SAST): static application security testing (vulnerabilities, advice...).

  • Snyk Open Source (SCA): open source risk management (vulnerabilities, license compliance, reporting and others).

  • Snyk Container: container and Kubernetes security (vulnerabilities, dependencies and others).

  • Snyk Infrastructure as Code: secure IaC configurations, rules, custom policies, surfacing of unmanaged and drifted resources.

  • Snyk Cloud: secure operations in the cloud at every stage of the lifecycle.

Official page: https://snyk.io/

Veracode

Veracode offers intelligent software security to continuously find and fix flaws at every stage of the modern software development lifecycle.

Pricing

  • A demo must be requested.

More info: https://www.veracode.com/contact-us

Solutions/Products

Official page: https://www.veracode.com/

Sonar (SonarSource)

Automatic code review, which includes security management. The tool is capable of identifying multiple security hotspots, defining security-related rules and more.

Pricing

  • Free plan ("Free Sonar"): analyze your code in real time with IDE integration

  • Other paid plans for developers, teams and enterprises (self-managed and as a service)

More info: https://www.sonarsource.com/plans-and-pricing/#sonarqube

Solutions/Products

  • SonarLint: IDE code analysis integrations.

  • SonarQube: self-hosted, self-managed code analysis.

  • SonarCloud: "as a service" cloud-based code analysis.

You can deploy a self-hosted SonarQube instance on your own machine with its official container image in minutes and scan your code.

Official page: https://www.sonarsource.com/

Trivy

Open source security scanner. Finds vulnerabilities and IaC misconfigurations, performs SBOM discovery, cloud scanning, k8s security risk detection and more.

Pricing

  • Free

Solutions/Products

All-in-one (AIO) tool with multiple scanners:

  • OS packages and software dependencies in use (SBOM)

  • Known vulnerabilities (CVEs)

  • IaC issues and misconfigurations

  • Sensitive information and secrets

  • Software licenses

Targets:

  • Container image

  • Filesystem

  • Git Repository (remote)

  • Virtual Machine Image

  • K8s

  • AWS

Getting started is easy with this one! See "Quick Start" documentation for getting the software and running it.

Official page: https://trivy.dev/

Microsoft Defender for Cloud

Protect multicloud and hybrid environments with integrated security from code to cloud.

Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multicloud and hybrid environments.

Pricing

Solutions/Products

All-in-one (AIO) tool with multiple capabilities:

  • Unified visibility of your security posture across Azure, AWS, Google Cloud, and hybrid clouds

  • Real-time security access and prioritization of the most critical risks with context-aware cloud security

  • Integrated extended detection and response (XDR) solution across multicloud workloads to prevent, detect, and respond to attacks

  • Centralized insights across multipipeline and multicloud DevOps to improve application development security

Targets:

  • Containers

  • Container images

  • Databases

  • Storage

  • VMs

  • App Services (and other Azure services)

  • IaC

  • Source Code (scanning for CWE, dependencies, secrets and IaC)

  • Git repositories

  • Cloud resources running in AWS, Azure and Google Cloud

Official page: https://azure.microsoft.com/en-us/products/defender-for-cloud/

BetterScan

A simple and powerful DevSecOps software to automate thousands of checks and eliminate human errors in source code and cloud infrastructure. Can be integrated into anything.

Pricing

  • Free: Community Edition (Starter Plan)

  • Other plans: Professional (for a single developer) and Business (on request)

Solutions/Products

All-in-one (AIO) tool with multiple scanners:

  • Supports many programming languages

  • DeFi Security (DeFi exploits)

  • Infrastructure as Code (IaC)

  • Security and best practices (Docker, Kubernetes (k8s), Terraform, AWS, GCP, Azure)

  • Secret Scanning (166+ secret types)

  • YARA rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware, Webshells, APTs, Dependency Confusion, Trojan Source

  • Open source and proprietary checks, SBOM, dependencies, plus precise graph-based analysis and AI (OpenAI GPT)

  • SCA (software composition analysis) and Supply Chain Risks

  • Practically any Open Source and proprietary check can be added

Targets:

  • Container images

  • K8s

  • IaC

  • Source Code

  • Git repositories

  • Cloud platforms

Getting started is easy with this one too! See the BetterScan Community Edition repository for getting the software and running it.

Official page: https://www.betterscan.io/

Other Tools / Solutions / Products

Check out this awesome page (AnalysisTools), which also compares the best static analysis tools and linters.

Generic

  • osquery (web): SQL powered operating system instrumentation, monitoring, and analytics.

  • DefectDojo (web): a DevSecOps and vulnerability management tool.

  • StreamAlert (web): a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.

  • graudit: grep rough audit - source code auditing tool.

  • Sobelow: security-focused static analysis for the Phoenix Framework.

  • gau (getallurls): fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.

  • Google OSS-Fuzz (web): continuous fuzzing for open source software.

  • Greenbone OpenVAS: a full-featured vulnerability scanner.

  • Security-bugtracker: a tool to run security tools and track security bugs easily.

  • PMD - source code analyzer (web): an extensible multilanguage static code analyzer.

  • Semgrep (web): lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Web

  • OWASP ZAP (Zed Attack Proxy): the world's most widely used web app scanner. Free and open source.

  • Dalfox (web): a powerful open-source XSS scanner and utility focused on automation.

  • bunkerweb (web): a web server based on the notorious NGINX and focused on security.

  • CSP Evaluator: CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks.

  • CSP Validator: validate CSP in headers and meta elements & validate and merge using intersect or union strategy.

  • Csper: makes deploying and monitoring Content Security Policy a breeze. With automated tools and actionable insights, you'll be protecting your users in no time.

  • Vulmap (English/Chinese): web vulnerability scanning and verification tools.

  • TruffleSecurity XSSHunter (web): the fastest way to set up XSS Hunter to test and find blind cross-site scripting vulnerabilities.

  • Arachni (web) (⚠️): web application security scanner framework.

  • ecsypno SCNR: web application security scanner framework (Arachni successor).

API

  • Astra: automated security testing for REST APIs.

C/C++

  • Flawfinder (web): a simple program that scans C/C++ source code and reports potential security flaws.

C# / .NET / dotnet

  • Security Code Scan (web): vulnerability patterns detector for C# and VB.NET.

  • Puma Security - Puma Scan (web): a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.

JVM based

  • OWASP Find Security Bugs (web): the SpotBugs plugin for security audits of Java web applications and Android applications (also works with Kotlin, Groovy and Scala projects).

  • SpotBugs (web): SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

JavaScript

  • JSHint (web): a tool that helps to detect errors and potential problems in your JavaScript code.

Node.js

  • nodejsscan: a static security code scanner for Node.js applications.

  • Helmet (web): help secure Express apps with various HTTP headers.

Golang

  • gosec (web): Golang security checker.

  • Staticcheck (web): a state-of-the-art linter for the Go programming language. Using static analysis, it finds bugs and performance issues, offers simplifications, and enforces style rules.

  • GoKart: a static analysis tool for securing Go code.

Python

  • Facebook (Meta) Pyre (aka pyre-check) (web): a performant type checker for Python.

  • Bandit (web): a tool designed to find common security issues in Python code.

Ruby

  • Brakeman (web): a static analysis security vulnerability scanner for Ruby on Rails applications.

  • Dawnscanner: a source code scanner designed to review your web applications for security issues.

PHP

  • Enlightn (web): scans your Laravel app code to provide you actionable recommendations on improving its performance, security & more (offers pricing plans).

  • progpilot: a static application security testing (SAST) for PHP.

  • Phan: a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness.

  • phpcs-security-audit (⚠️): a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

  • iniscan (⚠️): php.ini scanner for best security practices.

Kubernetes (k8s)

  • Aqua kube-bench: kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

  • Armo Kubescape: an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.

  • Kube-score (web): Kubernetes object analysis with recommendations for improved reliability and security.

  • ControlPlane Kubesec (web): a kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io.

  • Cilium Tetragon: eBPF-based security observability and runtime enforcement.

  • Cilium Hubble: network, service and security observability for Kubernetes using eBPF.

  • Falco (web): cloud native runtime security.

  • Datree (web): provides an E2E policy enforcement solution to run automatic checks for rule violations.

  • Conftest (web): write tests against structured configuration data using the Open Policy Agent Rego query language.

Windows

  • LogonTracer: investigate malicious Windows logons by visualizing and analyzing Windows event logs.

  • Hardentools: reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.

Web3 (Ethereum | EVM)

  • Consensys MythX: smart contract security service for Ethereum.

  • Consensys Mythril (web): security analysis tool for EVM bytecode.

  • Echidna: a fast smart contract fuzzer.

WAF

Security policy

  • content (web): security automation content in SCAP, Bash, Ansible, and other formats.

Cryptography

  • Google Tink Cryptographic Library: an open-source cryptography library written by cryptographers and security engineers at Google.

  • Smallstep CLI (web): zero trust Swiss army knife for working with X.509, OAuth, JWT, OATH OTP, etc.

SSL/TLS

  • Qualys SSL Labs (Server Test): a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.

  • testssl.sh: a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

  • sslscan: tests SSL/TLS enabled services to discover supported cipher suites.

  • sslyze: fast and powerful SSL/TLS scanning library.

OOB (Out-of-band)

  • interact.sh (web): an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions.

Rule / Analysis engines

  • GitHub CodeQL (web): discover vulnerabilities across a codebase with CodeQL, GitHub's industry-leading semantic code analysis engine.

  • YARA (web): YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

  • Microsoft DevSkim: a set of IDE plugins and rules that provide security "linting" capabilities.

Multi-purpose

  • Microsoft Defender for DevOps (part of Microsoft Defender for Cloud) (web): uses a central console (in Azure) to empower security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritize remediation in code.

  • ggshield (GitGuardian): find and fix hardcoded secrets and infrastructure-as-code misconfigurations.

Containers

See Containers.

Cloud

Generic

  • Aqua CloudSploit (web): cloud security scans.

  • Deepfence ThreatMapper: open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.

  • CloudQuery (web): an open source high performance data integration platform built for developers.

  • Steampipe (web): use SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required.

  • NCC Group ScoutSuite: multi-cloud security auditing tool.

  • Prowler (web): an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness.

AWS (Amazon Web Services)

  • Cloudsplaining (web): an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.

  • Cisco Duo CloudMapper: helps you analyze your Amazon Web Services (AWS) environments.
