Static Application Security Testing (SAST) Tools

Best Static Application Security Testing (SAST) Tools include:

SonarQube, Micro Focus Fortify Static Code Analyzer, and Coverity Static Analysis (SAST).

Static Application Security Testing (SAST) Tools Overview

What are Static Application Security Testing (SAST) Tools?

Static Application Security Testing (SAST) tools examine the codebase of applications while they are not running to identify vulnerabilities before the application is deployed. SAST is a segment of Application Security Testing, which is a key element of ensuring that web and cloud-native applications remain secure. Static Application Security Tests (SAST) are the most legacy form of application security testing. Various tools and managed services exist to provide continuous testing, besides application security platforms that include app testing as part of their functionality.

SAST tools provide “white-box testing,” which gives more granularity in surfacing vulnerabilities, down to the line of code. SAST allows for this level of visibility because it looks directly at the source code itself while the application is not running. This overlaps with broader static code analysis tools. However, SAST tools are purely security-focused, while SCA tools are more general-use.

Static application security testing provides some advantages, and drawbacks, compared to other application security testing methods. SAST allows developers and security testers to examine the application’s entire codebase in one test. It also can test applications before the code is ready to compile or run, enabling testing earlier in the software development life cycle (SDLC). On the other hand, SAST tools can’t test applications that are mid-dynamic testing or already in production, because they only analyze at-rest code. SAST can also miss non-code based security context, such as secondary security tools that are in place external to the codebase itself. Finally, it can be a heavier implementation lift than some more recent AST tools. Due to these limitations, SAST tools are often used together with dynamic application security testing (DAST) and interactive application security testing (IAST).

SAST Tools Comparison

Consider these factors when comparing SAST tools:

  • False Positives: What volume of false positives do current users of each product encounter? How easy is it to manage these false positives when they do (inevitably) occur? False positive management can be the difference between successful and failed SAST adoption.

  • IDE Integration: How easily does each tool integrate into the business’s existing developer environments? This will heavily impact how early in development SAST methods can be used, and how disruptive testing is to the SDLC.

  • Automation: To what extent can static testing be automated within the development environment? SAST has traditionally been considered one of the more manual application security testing methods, so any level of automation can improve efficiency dramatically.

Start a SAST tool comparison here

Static Application Security Testing (SAST) Products

(1-19 of 19) Sorted by Most Reviews



Customer Verified
Top Rated

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix…



Customer Verified
Top Rated

GitLab is a complete open-source DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software. From idea to production, GitLab helps teams improve cycle time from weeks to minutes, reduce development…


SonarQube (formerly Sonar) is an open source application security solution.

HCL AppScan (formerly from IBM)

AppScan (formerly Rational AppScan) is an application security testing solution acquired by HCL Technologies from IBM in late 2018. Appscan supports both dynamic (DAST) and static (SAST) application security testing.


Checkmarx, an Israeli headquartered company with US offices, provides a suite of application security software delivered via the Checkmarx Software Security Platform. Individual modules and capabilities include Checkmarx Static Application Security Testing, Checkmarx Software Composition…

Micro Focus Fortify on Demand

Micro Focus Fortify on Demand (formerly HP Fortify on Demand) is an application security and testing platform acquired by Micro Focus from Hewlett-Packard Enterprise. The security as a service supplies dynamic (DAST) and static (SAST) application testing, as well as source code analysis…

Mobile Security Framework (MobSF)

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with…

Beyond Security beSOURCE

Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. So Beyond Security offers beSOURCE, which they state addresses the code security quality of applications and thus integrates SecOps into DevOps. Beyond…

WhiteHat Sentinel Source

WhiteHat Sentinel Source, from NTT Security company WhiteHat Security (acquired March 2019) is a solution to automate and scale application security across development, operations, and security teams, and deliver secure code, early in the DevOps cycle. The vendor states users will…

Brakeman Scanner

Brakeman is a free static analysis security tool for Ruby on Rails, boasting zero-setup security scans for Rails applications based on source code analysis.


CodePatrol from Claranet headquartered in London performs SAST scans on project source code to identify security flaws early. The solution is powered by Claranet and Checkmarx.


Reshift is a lightweight source code security solution designed to automate the detection of over 100 classes of vulnerabilities in source code, as well as automate vulnerability remediation to save developers time and putting security on autopilot.

Parasoft Development Testing Solutions

Parasoft's Development Testing Solutions (formerly represented as the DTP platform) includes static code analyses solutions for C/C++, Java, and .NET, as well as security oriented testing solutions (SAST).


ShiftLeft in Santa Clara offers NextGen Static Analysis (NG SAST) a code analysis solution, purpose-built to support developer workflows, boasting the speed, accuracy, and comprehensiveness to confidently shift code analysis left by eliminating manual bottlenecks and embracing automation.…

DefenseCode ThunderScan®

DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® requires almost no user input and can be deployed during or after development with integration…


SonarCloud is a code quality and security tool, providing static code analysis and SAST scanning to eliminate bugs and vulnerabilities in code. SonarCloud is free for open source projects, and on a paid subscription for private projects, priced per lines of code.

Micro Focus Fortify Static Code Analyzer

Micro Focus offers the Fortify Static Code Analyzer, providing a SAST solution designed to allow developers to find and fix security defects in real-time during the coding process, with integrations to IDEs.

Coverity Static Analysis (SAST)

Synopsys offers the Coverity static application security testing (SAST) solution, to help users build software that’s more secure, higher-quality, and compliant with standards.


Snyk is a software composition analysis tool designed to find vulnerabilities in source code stored in repositories like GitHub, or to provide container security and vulnerability protection, available in various editions: Snyk Open Source Security Management automatically finds,…

Frequently Asked Questions

What are SAST tools?

SAST tools test at-rest application code for vulnerabilities before the application is deployed.

What’s the difference between SAST and DAST tools?

SAST tools test static, at-rest code, while DAST tools simulate attacks against running applications to surface vulnerabilities that are only visible in more real-world conditions.

What types of application security testing are there?

There are 3 types of application security testing: Static, Dynamic, and Interactive.

What are the benefits of SAST?

SAST allows developers to test the application’s entire code base at once, and earlier in the SDLC than other tools.