Static Application Security Testing (SAST) Tools

TrustRadius Top Rated for 2023

Top Rated Products

(1-4 of 4)

1
GitLab

GitLab DevSecOps platform enables software innovation by aiming to empower development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts.…

2
SonarQube

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

3
GitGuardian Internal Monitoring

GitGuardian Internal Monitoring helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-…

4
Veracode

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix…

All Products

(1-25 of 34)

1
Veracode

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix…

2
GitLab

GitLab DevSecOps platform enables software innovation by aiming to empower development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts.…

3
SonarQube

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.


4
GitGuardian Internal Monitoring

GitGuardian Internal Monitoring helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-…

5
Lacework

Lacework is a cloud-native application protection platform offered as-a-Service; delivering build-time to run-time threat detection, behavioral anomaly detection, and cloud compliance across multicloud environments, workloads, containers, and Kubernetes.

6
HCL AppScan

AppScan (formerly Rational AppScan) is an application security testing solution acquired by HCL Technologies from IBM in late 2018. AppScan supports both dynamic (DAST) and static (SAST) application security testing.

7
Fortify by OpenText

An AppSec solution formerly from Micro Focus, spanning SCA, SAST and DAST that supports the breadth and management of any application portfolio, used to secure code. Features API discovery and testing for any application, throughout the software lifecycle.

8
Snyk

Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and helps security teams to collaborate with their development teams. It boasts a developer-first approach that ensures organizations can secure all of the critical components of their applications…

9
Checkmarx

Checkmarx, an Israeli headquartered company with US offices, provides a suite of application security software delivered via the Checkmarx Software Security Platform. Individual modules and capabilities include Checkmarx Static Application Security Testing, Checkmarx Software Composition…

10
Coverity Static Analysis (SAST)

Synopsys offers the Coverity static application security testing (SAST) solution, to help users build software that’s more secure, higher-quality, and compliant with standards.

11
Mobile Security Framework (MobSF)

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, IPA & APPX) along with…

12
DerScanner

DerScanner is an application security tool used to identify vulnerabilities and backdoors using various analysis methods (SAST, DAST, SCA) and to integrate with other tools for embedding in an SSDLC. DerScanner supports static analysis that can check apps written in 36 programming languages.…

13
PVS-Studio

PVS-Studio is a static code analysis tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and…

14
CodePatrol

CodePatrol from Claranet headquartered in London performs SAST scans on project source code to identify security flaws early. The solution is powered by Claranet and Checkmarx.

15
Brakeman Scanner

Brakeman is a free static analysis security tool for Ruby on Rails, boasting zero-setup security scans for Rails applications based on source code analysis.

16
Mobix

Mobix is a SaaS mobile application testing platform that reduces application analysis costs and time, making test creation and vulnerability discovery effortless. Mobix's unique characteristics include: a non-invasive tool, which augments the existing SDLC (Software Development Life…

17
ShiftLeft

ShiftLeft in Santa Clara offers NextGen Static Analysis (NG SAST) a code analysis solution, purpose-built to support developer workflows, boasting the speed, accuracy, and comprehensiveness to confidently shift code analysis left by eliminating manual bottlenecks and embracing automation.…

18
Beyond Security beSOURCE

Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. So Beyond Security offers beSOURCE, which they state addresses the code security quality of applications and thus integrates SecOps into DevOps. Beyond…

19
Bytesafe

20
OWASP ZAP

21
Sonatype Lifecycle

A solution to control open source risk across the SDLC, that can be used to automatically find and fix open source vulnerabilities across the SDLC.

22
Mend SAST

Mend SAST (replacing the former DefenseCode ThunderScan) is a SAST solution for performing deep and extensive security analysis of application source code. Mend SAST requires almost no user input and can be deployed during or after development with integration into an existing DevOps…

23
ImmuniWeb® Neuron Mobile

A solution that uses Machine Learning and AI technologies to enhance SAST and DAST mobile security scanning. Neuron Mobile's vulnerability scans detect vulnerabilities, and each scan comes with a zero false-positives SLA. Our Distinctive Value Proposition: ● Zero False-…

24
Aikido Security

Aikido Security is a developer-first software security app. Aikido scans source code & cloud to show which vulnerabilities are actually important to solve. The platform also speeds up triaging by reducing false-positives and making CVEs human-readable. Aikido makes it simpler…

25
Oversecured

Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process.

Learn More About Static Application Security Testing (SAST) Tools

What are Static Application Security Testing (SAST) Tools?

Static Application Security Testing (SAST) tools examine an application's source code (or, for some tools, its bytecode or compiled binaries) while the application is not running, to identify vulnerabilities before it is deployed. SAST is one segment of Application Security Testing (AST), a key element of keeping web and cloud-native applications secure, and it is the oldest of the AST approaches. Various tools and managed services exist to provide continuous testing, in addition to application security platforms that include static testing as one of several capabilities.


SAST tools provide “white-box testing”: because they read the code directly rather than observing the application from the outside, they can pinpoint a vulnerability down to the file and line where an untrusted value reaches a dangerous operation. This overlaps with general-purpose static code analysis (linting and code-quality tools). However, SAST tools are purely security-focused, while general static analysis tools also cover style, maintainability, and correctness. Note that elsewhere on this page “SCA” means Software Composition Analysis, the scanning of third-party dependencies for known vulnerabilities, which is a separate discipline that many of the platforms listed above bundle alongside SAST.


Static application security testing has advantages and drawbacks compared to other application security testing methods. SAST lets developers and security testers examine the application’s entire codebase in one run, including code paths a dynamic test might never reach, and it can be applied as soon as code is written, before a deployable build exists, so testing moves earlier in the software development life cycle (SDLC). Some tools do, however, require a compilable build rather than raw source. On the other hand, SAST only analyzes code at rest, so it cannot observe the application’s behaviour once deployed or exercise it under attack the way DAST does. It also lacks runtime and deployment context: it cannot tell whether a flagged code path is reachable in production, what a web application firewall or authentication layer in front of the application already blocks, or how configuration alters behaviour, which is one reason for its false positive rate. Finally, rolling it out, tuning rules, and triaging results can be a heavier lift than some more recent AST tools. Due to these limitations, SAST tools are often used together with dynamic application security testing (DAST) and interactive application security testing (IAST).


SAST Tools Comparison

Consider these factors when comparing SAST tools:

  • False Positives: What volume of false positives do current users of each product encounter? How easy is it to manage them when they do (inevitably) occur, for example through inline suppressions, rule tuning, or a baseline of accepted findings? False positive management can be the difference between successful and failed SAST adoption, because developers stop reading results that are mostly noise.

  • IDE Integration: How easily does each tool integrate into the business’s existing developer environments? This heavily affects how early in development SAST can be applied, and how disruptive testing is to the SDLC.

  • Automation: To what extent can static testing be automated within the development workflow, as pre-commit hooks, pull-request checks, or pipeline gates that fail a build on new high-severity findings? SAST has traditionally been considered one of the more manual application security testing methods, so any level of automation can improve efficiency dramatically.
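As an added example (not code from any product on this page), the following minimal SAST rule written in Python shows in miniature what the text above describes: it parses source with the standard `ast` module, flags DB-API `execute()`/`executemany()` calls whose query string is assembled by formatting, and reports each hit with a line and column, the level of granularity white-box testing gives. It also shows the false positive problem from the comparison factors: the rule cannot tell a module constant apart from user input, so the third call below is flagged until an inline `# sast: ignore` comment (a hypothetical suppression syntax assumed here) silences it. The scanned source is constructed inline for the example.

```python
"""
Toy SAST rule (added example, not a product from this page): find SQL statements
assembled with string formatting and passed to a DB-API execute() call.
"""
import ast
from dataclasses import dataclass
from typing import List

SINK_METHODS = {"execute", "executemany"}   # DB-API sinks we care about
SUPPRESS_MARKER = "# sast: ignore"          # hypothetical inline suppression comment


@dataclass
class Finding:
    rule_id: str
    line: int
    col: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """Return True if `node` builds a string at run time from non-literal parts."""
    if isinstance(node, ast.JoinedStr):                           # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):                          # "..." % args
            return isinstance(node.left, ast.Constant)
        if isinstance(node.op, ast.Add):                          # "..." + x
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):                      # "...".format(x)
        return isinstance(node.func.value, ast.Constant)
    return False


class SqlFormatVisitor(ast.NodeVisitor):
    """Walk every call expression and record sinks fed by a dynamically built query."""

    def __init__(self, source_lines: List[str], honor_suppressions: bool):
        self.source_lines = source_lines
        self.honor_suppressions = honor_suppressions
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in SINK_METHODS
                and node.args and _is_dynamic_string(node.args[0])):
            suppressed = (self.honor_suppressions
                          and SUPPRESS_MARKER in self.source_lines[node.lineno - 1])
            if not suppressed:
                self.findings.append(Finding(
                    "SQLI-001", node.lineno, node.col_offset,
                    f"{func.attr}() called with a query built by string formatting; "
                    "use a parameterised query instead"))
        self.generic_visit(node)   # keep walking: nested calls may also be sinks


def scan_source(src: str, honor_suppressions: bool = True) -> List[Finding]:
    """Parse `src` and return findings in source order, one per flagged sink call."""
    visitor = SqlFormatVisitor(src.splitlines(), honor_suppressions)
    visitor.visit(ast.parse(src))
    return visitor.findings


# Constructed sample input (not real code from any product on this page).
# Line 7 and line 16 are injectable; line 10 is parameterised; line 13 concatenates
# a module constant, which the rule cannot distinguish from user input.
SAMPLE = '''\
import sqlite3
TABLE = "users"
conn = sqlite3.connect(":memory:")
cur = conn.cursor()

def lookup_vuln(name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup_fixed(name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def list_table():
    cur.execute("SELECT * FROM " + TABLE)  # sast: ignore -- TABLE is a module constant

def count_rows(order):
    cur.execute("SELECT count(*) FROM users ORDER BY %s" % order)
'''

if __name__ == "__main__":
    # file:line:col output is what IDE plugins and CI log parsers consume.
    for f in scan_source(SAMPLE):
        print(f"sample.py:{f.line}:{f.col}: {f.rule_id}: {f.message}")
    unsuppressed = scan_source(SAMPLE, honor_suppressions=False)
    print(f"{len(unsuppressed)} findings when suppressions are ignored")
```

Running it reports lines 7 and 16; with suppressions ignored, line 13 is reported as well, which is the false positive the rule produces on a constant table name. A production SAST engine replaces the one-line `_is_dynamic_string` heuristic with data-flow (taint) tracking from sources to sinks, which is exactly where the products above differ in precision and therefore in noise.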





Frequently Asked Questions

What are SAST tools?

SAST tools test at-rest application code for vulnerabilities before the application is deployed.

What’s the difference between SAST and DAST tools?

SAST tools test static, at-rest code, while DAST tools simulate attacks against running applications to surface vulnerabilities that are only visible in more real-world conditions.

What types of application security testing are there?

Application security testing is commonly divided into three methods: Static (SAST), Dynamic (DAST), and Interactive (IAST). Software Composition Analysis (SCA), which checks third-party dependencies for known vulnerabilities, and manual penetration testing are frequently offered alongside them, as several of the products listed above do.

What are the benefits of SAST?

SAST allows developers to test the application’s entire code base at once, and earlier in the SDLC than other tools, since it needs neither a running application nor a deployed environment.