Static Analysis
Perform static analysis on your code with these awesome tools
About
Static code analysis finds weaknesses and vulnerabilities in source code without executing it: a tool (or set of tools) analyzes a body of source code against a set of coding rules, advisories, or known-vulnerability data.
Popular products and solutions
GitHub
GitHub includes several features/products for static analysis of your projects, plus other security-related features.
Pricing
Free plan for OSS projects or public projects (on GitHub.com).
Other paid plans for teams and enterprise (extra security features under an Advanced Security license).
More info: https://docs.github.com/en/billing
Solutions/Products
GitHub Advanced Security: GitHub makes extra security features available to customers under an Advanced Security license [source]:
Code scanning for private repositories
Secret scanning for private repositories
Dependency review for private repositories
Code security: build security into your GitHub workflow with features to keep secrets and vulnerabilities out of your codebase, and to maintain your software supply chain [source].
Supply chain security: visualize, maintain, and secure the dependencies in your software supply chain [source].
Security advisories: improve collaboration between repository maintainers and security researchers [source].
Dependabot: monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date with Dependabot [source].
Code scanning: use code scanning to identify and fix potential security vulnerabilities and other errors in your code [source].
Secret scanning: ensure that tokens, private keys, and other code secrets are not exposed in your repository [source].
Official page: https://github.com/
Snyk
Snyk is a well-known "developer security company" that provides many solutions; they describe Snyk itself as a developer security platform.
Pricing
Free limited plan
Other paid plans for teams and enterprise
More info: https://snyk.io/plans/
Solutions/Products
Snyk Code (SAST): static application security testing (vulnerabilities, remediation advice...).
Snyk Open Source (SCA): open source risk management (vulnerabilities, license compliance, reporting and others).
Snyk Container: container and Kubernetes security (vulnerabilities, dependencies and others).
Snyk Infrastructure as Code: secure IaC configurations, rules, custom policies, surfacing of unmanaged and drifted resources.
Snyk Cloud: secure operations in the cloud at every stage of the lifecycle.
Official page: https://snyk.io/
Veracode
Veracode offers intelligent software security to continuously find and fix flaws at every stage of the modern software development lifecycle.
Pricing
Not published; a demo must be requested.
More info: https://www.veracode.com/contact-us
Solutions/Products
Veracode Static Analysis (SAST): Secure Code From the Start.
Veracode Software Composition Analysis (SCA): Secure Your Software Supply Chain.
Veracode Container Security: Integrate container security seamlessly into your existing pipeline.
Manual Penetration Testing & Penetration Testing as a Service: Catch Elusive Vulnerabilities, Meet Compliance, and Deliver Secure Applications.
Other solutions/products & services can be found in the official page.
Official page: https://www.veracode.com/
Sonar (SonarSource)
Automatic code review, including security analysis. The tools flag security hotspots and vulnerabilities, apply security-related rules (including your own), and more.
Pricing
Free plan ("Free Sonar"): analyze your code in real time with IDE integration
Other paid plans for developer, teams and enterprise (self-managed and as a service)
More info: https://www.sonarsource.com/plans-and-pricing/#sonarqube
Solutions/Products
SonarLint: IDE code analysis integrations.
SonarQube: self-hosted, self-managed code analysis.
SonarCloud: "as a service" cloud-based code analysis.
You can deploy a self-hosted SonarQube instance on your own machine in minutes with the official sonarqube container image (the web UI listens on port 9000 by default) and scan your code against it.
Official page: https://www.sonarsource.com/
Trivy
Open source security scanner. Finds vulnerabilities and IaC misconfigurations, generates SBOMs, scans cloud accounts, detects Kubernetes security risks and more.
Pricing:
Free
Solutions/Products
All-in-one (AIO) tool with multiple scanners:
OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses
Targets:
Container image
Filesystem
Git Repository (remote)
Virtual Machine Image
K8s
AWS
Getting started is easy with this one! See the "Quick Start" documentation for installing the tool and running your first scan.
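Beyond the first scan, the question a practitioner has to answer is how to turn Trivy's output into a pass/fail decision in CI. The script below is an added example (not code from the Trivy project or trivy.dev): it runs the real CLI with --format json and fails the build only on HIGH/CRITICAL findings that already have a fix, the policy most teams start with. SAMPLE_REPORT is constructed by hand in the shape of Trivy's JSON output (Results[].Vulnerabilities[]); its CVE identifiers and versions are placeholders, not real advisories, so the gate logic can be exercised offline.

```python
"""CI gate on a Trivy JSON report (added example, not part of Trivy)."""
import json
import subprocess
import sys
from dataclasses import dataclass

# Severities that block the pipeline; everything else is reported only.
FAIL_ON = frozenset({"HIGH", "CRITICAL"})


@dataclass(frozen=True)
class Finding:
    target: str      # scanned artifact, e.g. an OS package set or a lockfile
    vuln_id: str     # CVE / GHSA identifier as reported by Trivy
    pkg: str
    installed: str
    fixed: str       # empty when upstream has not shipped a fix yet
    severity: str


def findings(report: dict) -> list:
    """Flatten Results[].Vulnerabilities[] into Finding records.

    Trivy emits "Results": null for a clean target and omits the
    "Vulnerabilities" key for results that have none, so both are
    treated as empty instead of raising.
    """
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(
                target=result.get("Target", ""),
                vuln_id=v.get("VulnerabilityID", ""),
                pkg=v.get("PkgName", ""),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
            ))
    return out


def blocking(report: dict, fail_on=FAIL_ON, ignore_unfixed: bool = True) -> list:
    """Findings that should fail the build under the given policy.

    ignore_unfixed=True mirrors Trivy's --ignore-unfixed flag: a CRITICAL
    with no FixedVersion is still listed in the report, but it cannot be
    remediated by upgrading, so it is tracked rather than used to block.
    """
    return [f for f in findings(report)
            if f.severity in fail_on and (f.fixed or not ignore_unfixed)]


def run_trivy(kind: str, target: str) -> dict:
    """Run the real CLI (trivy image|fs|repo <target>) and parse its JSON output."""
    proc = subprocess.run(
        ["trivy", kind, "--format", "json", "--quiet", target],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


# Constructed sample in Trivy's JSON shape; IDs and versions are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example-image (alpine 3.17.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r29", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
                 "InstalledVersion": "2.28.0", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM"},
            ],
        },
        {"Target": "app/Dockerfile", "Class": "config"},  # no Vulnerabilities key
    ]
}


def gate(report: dict) -> int:
    """Print the blocking findings and return the exit code for the CI job."""
    bad = blocking(report)
    for f in bad:
        print(f"{f.severity:8} {f.vuln_id:16} {f.pkg} {f.installed} -> {f.fixed} ({f.target})")
    return 1 if bad else 0


if __name__ == "__main__":
    # usage: python trivy_gate.py image alpine:3.17   or   python trivy_gate.py fs .
    # with no arguments the constructed sample report is gated instead
    report = run_trivy(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_REPORT
    sys.exit(gate(report))
```

The same policy is available directly from the CLI as trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 IMAGE; the script form is what you reach for when you need to allow-list specific packages, keep the full JSON report as a build artifact, or apply a different threshold per target class (OS packages versus application dependencies).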
Official page: https://trivy.dev/
Microsoft Defender for Cloud
Protect multicloud and hybrid environments with integrated security from code to cloud.
Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multicloud and hybrid environments.
Pricing:
Start free plan with $200 credit to use within 30 days
Solutions/Products
All-in-one (AIO) tool with multiple capabilities:
Unified visibility of your security posture across Azure, AWS, Google Cloud, and hybrid clouds
Real-time security access and prioritization of the most critical risks with context-aware cloud security
Integrated extended detection and response (XDR) solution across multicloud workloads to prevent, detect, and respond to attacks
Centralized insights across multipipeline and multicloud DevOps to improve application development security
Targets:
Containers
Container images
Databases
Storage
VMs
App Services (and other Azure services)
IaC
Source Code (scanning for CWE, dependencies, secrets and IaC)
Git repositories
Cloud resources running in AWS, Azure and Google Cloud
Official page: https://azure.microsoft.com/en-us/products/defender-for-cloud/
BetterScan
A simple and powerful DevSecOps tool to automate thousands of checks and eliminate human error in source code and cloud infrastructure. Integrates with anything.
Pricing:
Free - Community Edition (Starter Plan)
Other plans professional (for single developer) and business (on request)
Solutions/Products
All-in-one (AIO) tool with multiple scanners:
Support for many programming languages
DeFi Security (DeFi exploits)
Infrastructure as Code (IaC)
Security and Best Practices (Docker, Kubernetes (k8s), Terraform AWS, GCP, Azure)
Secret Scanning (166+ secret types)
YARA rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware, Webshells, APTs, Dependency Confusion, Trojan Source
Open-source and proprietary checks, SBOM and dependency analysis, precise graph-based analysis, and AI (OpenAI GPT) assistance
SCA (software composition analysis) and Supply Chain Risks
Practically any Open Source and proprietary check can be added
Targets:
Container images
K8s
IaC
Source Code
Git repositories
Cloud platforms
Getting started is easy with this one too! See the betterscan community edition repo for getting the software and running it.
Official page: https://www.betterscan.io/
Other Tools / Solutions / Products
Check out this awesome page (AnalysisTools), which compares the best static analysis tools and linters too.
Generic
DefectDojo (web): a DevSecOps and vulnerability management tool.
StreamAlert (web): a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.
graudit: grep rough audit - source code auditing tool.
Sobelow: security-focused static analysis for the Phoenix Framework.
gau (getallurls): fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
Greenbone OpenVAS: a full-featured vulnerability scanner.
Security-bugtracker: a tool to run security tools and track security bugs easily.
PMD - source code analyzer (web): an extensible multilanguage static code analyzer.
Web
OWASP ZAP (Zed Attack Proxy): The world’s most widely used web app scanner. Free and open source.
CSP Evaluator: CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks.
CSP Validator: validate CSP in headers and meta elements & validate and merge using intersect or union strategy.
Csper: makes deploying and monitoring Content Security Policy a breeze. With automated tools and actionable insights, you'll be protecting your users in no time.
Vulmap (English/Chinese): Web vulnerability scanning and verification tools.
ecsypno SCNR: web application security scanner framework (Arachni successor).
API
Astra: automated security testing for REST APIs.
C/C++
Flawfinder (web): a simple program that scans C/C++ source code and reports potential security flaws.
C# / .NET / dotnet
Security Code Scan (web): vulnerability patterns detector for C# and VB.NET.
Puma Security - Puma Scan (web): a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
JVM based
OWASP Find Security Bugs (web): the SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
JavaScript
Node.js
nodejsscan: a static security code scanner for Node.js applications.
Golang
Staticcheck (web): a state of the art linter for the Go programming language. Using static analysis, it finds bugs and performance issues, offers simplifications, and enforces style rules.
GoKart: a static analysis tool for securing Go code.
Python
Ruby
Dawnscanner: a source code scanner designed to review your web applications for security issues.
PHP
progpilot: a static application security testing (SAST) tool for PHP.
Phan: a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness.
phpcs-security-audit (⚠️): a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
iniscan (⚠️): php.ini scanner for best security practices.
Kubernetes (k8s)
Aqua kube-bench: kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Armo Kubescape: an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
Kube-score (web): Kubernetes object analysis with recommendations for improved reliability and security.
Cilium Tetragon: eBPF-based Security Observability and Runtime Enforcement.
Cilium Hubble: Network, Service & Security Observability for Kubernetes using eBPF.
Windows
LogonTracer: investigate malicious Windows logon by visualizing and analyzing Windows event log.
Hardentools: reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
Web3 (Ethereum | EVM)
Consensys MythX: Smart contract security service for Ethereum.
Echidna: a Fast Smart Contract Fuzzer.
WAF
Coreruleset (web): OWASP ModSecurity Core Rule Set.
Security policy
Cryptography
Google Tink Cryptographic Library: an open-source cryptography library written by cryptographers and security engineers at Google.
Smallstep CLI (web): zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
SSL/TLS
Qualys SSL Labs (Server test): a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.
testssl.sh: a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
sslscan: tests SSL/TLS enabled services to discover supported cipher suites.
sslyze: fast and powerful SSL/TLS scanning library.
OOB (Out-of-band)
interact.sh (web): an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions.
Rule / Analysis engines
Microsoft DevSkim: a set of IDE plugins and rules that provide security "linting" capabilities.
Multi-purpose
Microsoft Defender for DevOps (part of Microsoft Defender for Cloud) (web): uses a central console (in Azure) to empower security teams with the ability to protect applications and resources from code to cloud across multi-pipeline environments, such as GitHub and Azure DevOps. Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritize remediation in code.
CLI Version (as NuGet) - aka "Guardian"
ggshield (GitGuardian): find and fix hardcoded secrets and infrastructure-as-code misconfigurations.
Containers
See Containers.
Cloud
Generic
Aqua CloudSploit (web): Cloud Security Scans.
Deepfence ThreatMapper: Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
CloudQuery (web): an open source high performance data integration platform built for developers.
NCC Group ScoutSuite: Multi-Cloud Security Auditing Tool.
AWS (Amazon Web Services)
Cloudsplaining (web): an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
Cisco Duo CloudMapper: helps you analyze your Amazon Web Services (AWS) environments.