Static Application Security Testing (SAST) Tools

(1-25 of 34)

1
GitLab

GitLab DevSecOps platform enables software innovation by aiming to empower development, security, and operations teams to bui…

2
Veracode

Veracode is a software security firm that identifies flaws and vulnerabilities across the software development lifecycle. Veracode’s Software Security Platform uses advanced AI algorithms trained on vast datasets of code, for more precise identification and rectification of security…

3
SonarQube

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

5
Snyk

Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and helps security teams to collaborate with their development teams. It boasts a developer-first approach that ensures organizations can secure all of the critical components of their applications from code to cloud, driving dev…

6
SonarCloud

SonarCloud is a fully managed SaaS solution, improving human-developed and AI-assisted code at scale. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects, and is offered as a paid subscription for private projects.

7
Oversecured

Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process.

8
PVS-Studio

PVS-Studio is a static code analysis tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and…

9
ImmuniWeb® Neuron Mobile

A solution that uses Machine Learning and AI technologies to enhance SAST and DAST mobile security scanning. Neuron Mobile's vulnerability scans detect vulnerabilities, and each scan comes with a zero false-positives SLA.

Our Distinctive Value Proposition:

Zero False-Positives SLA:…

10
JFrog Security (Xray)

JFrog Security Essentials / Xray SCA can be used to discover and eliminate unwanted or unexpected packages, using JFrog’s database of identified malicious packages. It is presented as a DevOps-centric SCA solution for identifying and resolving security vulnerabilities and license…

11
DeepSource

DeepSource is a code health platform that equips organizations with tools to build maintainable and secure software while elevating the velocity of their software development cycle.

The vendor states the solution features:
  • Guaranteed below 5% false-posi…

12
Aikido Security

Aikido Security is a developer-first…

13
ShiftLeft

ShiftLeft in Santa Clara offers NextGen Static Analysis (NG SAST), a code analysis solution purpose-built to support developer workflows, boasting the speed, accuracy, and comprehensiveness to confidently shift code analysis left by eliminating manual bottlenecks and embracing automation.…

14
Sonatype Lifecycle

A solution to control open source risk across the SDLC, used to automatically find and fix open source vulnerabilities.

15
Cycode

Cycode is a software supply chain security solution from the company of the same name headquartered in Tel Aviv, that provides visibility, security, and integrity across all phases of the SDLC. Cycode integrates with DevOps tools and infrastructure providers, hardens their security…

16
Coverity Static Analysis (SAST)

Synopsys offers the Coverity static application security testing (SAST) solution, to help users build software that’s more secure, higher-quality, and compliant with standards.

17
DerScanner

DerScanner is a…

18
Mend SAST

Mend SAST (replacing the former DefenseCode ThunderScan) is a SAST solution for performing deep and extensive security analysis of application source code. Mend SAST requires almost no user input and can be deployed during or after development with integration into an existing DevOps…

19
Lacework

Lacework is a cloud-native application protection platform offered as a service, delivering build-time to run-time threat detection, behavioral anomaly detection, and cloud compliance across multicloud environments, workloads, containers, and Kubernetes.

20
HCL AppScan

AppScan (formerly Rational AppScan) is an application security testing solution acquired by HCL Technologies from IBM in late 2018. AppScan supports both dynamic (DAST) and static (SAST) application security testing.

22
CloudDefense.AI

CloudDefense.AI's platform offers a unified understanding of risks in code, cloud and dark web. Building this unified attack graph reduces noise and helps teams stay ahead of cyber threats. The Comprehensive Suite, from Code-to-Cloud-to-Recon, includes:

  • Static Application Security…

23
OWASP ZAP

24
Reshift

Reshift is a lightweight source code security solution designed to automate the detection of over 100 classes of vulnerabilities in source code, as well as automate vulnerability remediation, saving developers time and putting security on autopilot.

25
Fortify by OpenText

An AppSec solution formerly from Micro Focus, spanning SCA, SAST and DAST, used to secure code across an application portfolio of any size. Features API discovery and testing for any application, throughout the software lifecycle.

Learn More About Static Application Security Testing (SAST) Tools

What are Static Application Security Testing (SAST) Tools?

Static Application Security Testing (SAST) tools examine the codebase of applications while they are not running to identify vulnerabilities before the application is deployed. SAST is a segment of Application Security Testing, which is a key element of ensuring that web and cloud-native applications remain secure. Static Application Security Testing is the oldest form of application security testing. Various tools and managed services exist to provide continuous testing, in addition to application security platforms that include app testing as part of their functionality.

SAST tools provide “white-box testing,” which gives more granularity in surfacing vulnerabilities, down to the line of code. SAST allows for this level of visibility because it looks directly at the source code itself while the application is not running. This overlaps with broader static code analysis tools. However, SAST tools are purely security-focused, while general static code analysis tools also cover quality and maintainability concerns.


Static application security testing provides some advantages, and drawbacks, compared to other application security testing methods. SAST allows developers and security testers to examine the application’s entire codebase in one test. It can also test applications before the code is ready to compile or run, enabling testing earlier in the software development life cycle (SDLC). On the other hand, SAST tools can’t test applications while they are running, whether under dynamic testing or in production, because they only analyze at-rest code. SAST can also miss non-code security context, such as secondary security controls that sit outside the codebase itself. Finally, it can be a heavier implementation lift than some more recent AST tools. Due to these limitations, SAST tools are often used together with dynamic application security testing (DAST) and interactive application security testing (IAST).


SAST Tools Comparison

Consider these factors when comparing SAST tools:

  • False Positives: What volume of false positives do current users of each product encounter? How easy is it to manage these false positives when they do (inevitably) occur? False positive management can be the difference between successful and failed SAST adoption.

  • IDE Integration: How easily does each tool integrate into the business’s existing developer environments? This will heavily impact how early in development SAST methods can be used, and how disruptive testing is to the SDLC.

  • Automation: To what extent can static testing be automated within the development environment? SAST has traditionally been considered one of the more manual application security testing methods, so any level of automation can improve efficiency dramatically.


Frequently Asked Questions

What are SAST tools?

SAST tools test at-rest application code for vulnerabilities before the application is deployed.

What’s the difference between SAST and DAST tools?

SAST tools test static, at-rest code, while DAST tools simulate attacks against running applications to surface vulnerabilities that are only visible in more real-world conditions.

What types of application security testing are there?

There are 3 types of application security testing: Static, Dynamic, and Interactive.

What are the benefits of SAST?

SAST allows developers to test the application’s entire code base at once, and earlier in the SDLC than other tools.