What is used to identify security vulnerabilities in an application while it is being developed useful in P * * * * * * * * * * testing?

When people misunderstand the differences between penetration testing and vulnerability scans, they are often missing a vital component in their overall network security profile and both are crucial for cybercrime prevention.

Table of Contents Show

Strengths and Weaknesses
Important Selection Criteria

Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. A penetration test attempts to actively exploit weaknesses in an environment. While a vulnerability scan can be automated, a penetration test requires various levels of expertise.

Regular vulnerability scanning is necessary for maintaining information security. Secureworks® incident response (IR) analysts have observed some clients performing vulnerability scans weekly and others not performing these vital scans at all. Secureworks analysts recommend scanning every new piece of equipment before it is deployed and at least quarterly afterwards. Any changes to the equipment should immediately be followed by another vulnerability scan. The scan will detect issues such as missing patches and outdated protocols, certificates, and services.

Organizations should maintain baseline reports on key equipment and should investigate changes in open ports or added services. A vulnerability scanner (e.g., Nessus, GFI LANGuard, Rapid7, Retina, Qualys) can alert network defenders when unauthorized changes are made to the environment. Reconciling detected changes against change-control records can help determine if the change was authorized or if there is a problem such as a malware infection or a staff member violating change-control policies.

Penetration testing is quite different, as it attempts to identify insecure business processes, lax security settings, or other weaknesses that a threat actor could exploit. Transmission of unencrypted passwords, password reuse, and forgotten databases storing valid user credentials are examples of issues that can be discovered by a penetration test. Penetration tests do not need to be conducted as often as vulnerability scans but should be repeated on a regular basis.

Penetration tests are best conducted by a third-party vendor rather than internal staff to provide an objective view of the network environment and avoid conflicts of interest. Various tools are used in a penetration test, but the effectiveness of this type of test relies on the tester. The tester should have a breadth and depth of experience in information technology, preferably in the organization’s area of business; an ability to think abstractly and attempt to anticipate threat actor behaviors; the focus to be thorough and comprehensive; and a willingness to show how and why an organization’s environment could be compromised.

A penetration test report should be short and to the point. It can have appendices listing specific details, but the main body of the report should focus on what data was compromised and how. To be useful for the customer, the report should describe the actual method of attack and exploit, the value of the exploited data, and recommendations for improving the organization’s security posture.

Table 1 lists the differences between vulnerability scans and penetration tests.

	Vulnerability scan	Penetration test
Frequency	At least quarterly, especially after new equipment is loaded or the network undergoes significant changes	Once or twice a year, as well as anytime the Internet-facing equipment undergoes significant changes
Reports	Provide a comprehensive baseline of what vulnerabilities exist and what changed since the last report	Concisely identify what data was compromised
Focus	Lists known software vulnerabilities that could be exploited	Discovers unknown and exploitable weaknesses in normal business processes
Performed by	Typically conducted by in-house staff using authenticated credentials; does not require a high skill level	Best to use an independent outside service and alternate between two or three; requires a great deal of skill
Value	Detects when equipment could be compromised	Identifies and reduces weaknesses

Table 1. Comparison of vulnerability scans versus penetration tests.

Vulnerability scanning and penetration testing are both critical to a comprehensive security strategy. They are powerful tools to monitor and improve an organization’s network environment.

Contributor(s): Dave Wichers, itamarlavender, will-obrien, Eitan Worcel, Prabhu Subramanian, kingthorin, coadaflorin, hblankenship, GovorovViva64, pfhorman, GouveaHeitor, Clint Gibler, DSotnikov, Ajin Abraham, Noam Rathaus, Mike Jang

Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws.

SAST tools can be added into your IDE. Such tools can help you detect issues during software development. SAST tool feedback can save time and effort, especially when compared to finding vulnerabilities later in the development cycle.

Strengths and Weaknesses

Strengths

Scales well – can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration).
Identifies certain well-known vulnerabilities, such as:
- Buffer overflows
- SQL injection flaws
Output helps developers, as SAST tools highlight the problematic code, by filename, location, line number, and even the affected code snippet.

Weaknesses

Difficult to automate searches for many types of security vulnerabilities, including:
- Authentication problems
- Access control issues
- Insecure use of cryptography
Current SAST tools are limited. They can automatically identify only a relatively small percentage of application security flaws.
High numbers of false positives.
Frequently unable to find configuration issues, since they are not represented in the code.
Difficult to ‘prove’ that an identified security issue is an actual vulnerability.
Many SAST tools have difficulty analyzing code that can’t be compiled.
- Analysts frequently cannot compile code unless they have:
  - Correct libraries
  - Compilation instructions
  - All required code

Important Selection Criteria

Prerequisite: Support your programming language.
Ability to detect vulnerabilities, based on:
- The OWASP Top Ten
- Other criteria such as:
Accuracy:
- False Positive/False Negative rates
- OWASP Benchmark score
Ability to understand the libraries/frameworks you need
Requirement for buildable source code
Ability to run against binaries (instead of source)
Availability as a plugin into preferred developer IDEs
Ease of setup/use
Ability to include in Continuous Integration/Deployment tools
License cost (May vary by user, organization, app, or lines of code)
Interoperability of output:
- See OASIS SARIF (Static Analysis Results Interchange Format)

Disclaimer

The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

Name/Link	Owner	License	Platforms	Note
.NET Security Guard		Open Source or Free		.NET, C\#, VB.net
42Crunch		Commercial		REST API security platform that includes Security Audit (SAST), dynamic conformance scan, runtime protection, and monitoring.
Agnitio		Open Source or Free	Windows	ASP, ASP.NET, C\#, Java, Javascript, Perl, PHP, Python, Ruby, VB.NET, XML
APIsecurity.io Security Audit		Open Source or Free		online tool for OpenAPI / Swagger file static security analysis
Application Inspector	Positive Technologies	Commercial		combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
AppSweep	Guardsquare	Open Source or Free	SaaS	Mobile application security testing tool for compiled Android apps with support of CI/CD integration
Automated Security Helper	AWS	Open Source or Free		ASH is a one stop shop for security scanners, and does not require any installation. It will identify the different frameworks, and download the relevant, up to date tools. ASH is running on isolated Docker containers, keeping the user environment clean, with a single aggregated report. The following frameworks are supported: Git, Python, Javascript, Cloudformation, Terraform and Jupyter.
Bandit		Open Source or Free		Bandit is a comprehensive source vulnerability scanner for Python
Bearer	Bearer	Commercial	SaaS or On-Premises	Map sensitive data flows and identify security risks such as unauthorized data flow, missing encryption, unauthorized access, and more.
Betterscan CE (Community Edition)	Marcin Kozlowski	Open Source		Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report. Currently supports: PHP, Java, Scala, Python, Ruby, Javascript, GO, Secret Scanning, Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 1000 checks). Supports also Differential analysis. Goal is to have one report using many tools/scanners
Beyond Security beSOURCE	Beyond Security	Commercial		Static application security testing (SAST) used to be divorced from Code quality reviews, resulting in limited impact and value. beSOURCE addresses the code security quality of applications and thus integrates SecOps into DevOps.
BlueClosure BC Detect	BlueClosure	Commercial		Analyzes client-side JavaScript.
Brakeman		Open Source or Free		Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
bugScout	Nalbatech, Formerly Buguroo	Commercial
CAST AIP		Commercial		Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [AIP's security specific coverage is here](https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards).
clj-holmes	clj-holmes	Open Source	Linux and MacOs	A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
CloudDefense	CloudDefense	Commercial	SaaS or On-Premises	CloudDefense provides holistic threat intelligence across all attack surfaces - Containers, Kubernetes, Code, Open Source Libraries, APIs and more...
Codacy		Commercial		Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
CodeScan Cloud		Commercial		A Salesforce focused, SaaS code quality tool leveraging SonarQube's OWASP security hotspots to give security visibility on Apex, Visualforce, and Lightning proprietary languages.
CodeSonar	GrammaTech	Commercial		tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.
Codiga	Codiga	Commercial	SaaS or On-Premises	Codiga scans your code and find security, safety, design, performance and maintainability issues in your code at each push or pull request. It integrates with GitHub, GitLab and Bitbucket.
CoGuard	Heinle Solutions Inc.	Commercial	SaaS or On-Premises	A SAST tool for infrastructure configuration analysis. Support for common web servers, databases, streaming services, authentication services, container orchestration and Infrastructure-as-Code tools.
Contrast Assess		Commercial		Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
Coverity Static Analysis	Synopsys	Commercial		Apex, C/C++, C#, CUDA, Java#, JavaScript, PHP, Python, .NET Core, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, iOS, Android, TypeScript, Kotlin
CxSAST	Checkmarx	Commercial	Saas, or on-premises. Windows and Linux with CI/CD and IDE plugin integration	Run full or incremental source code security scans. Supported languages include Javascript, Java, Apex, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C++, C#.NET, PL/SQL, VB.NET, ASP.NET, HTML 5, Windows Mobile, Go, and Kotlin.
Dawnscanner		Open Source or Free		Dawnscanner is an open source security source code analyzer for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.
Deep Dive		Open Source or Free		Byte code analysis tool for discovering vulnerabilities in Java deployments (EAR, WAR, JAR).
DeepSource	DeepSource Corp.	Commercial	SaaS or On-Premises	DeepSource helps companies ship clean and secure code with powerful static analysis, OWASP Top 10 compliance, and Autofix. Supports all major programming languages.
DerScanner	DerScanner Ltd.	Commercial		Capable of identifying vulnerabilities and backdoors (undocumented features) in over 30 programming languages by analyzing source code or executables, without requiring debug info.
DevBug		Open Source or Free	Web Based	PHP
ECG	VoidSec	Commercial		SaaS TCL Static Source Code Analysis Tool able to detect real and complex security vulnerabilities in TCL/ADP source-code. Discovered vulnerabilities will be mapped against the OWASP top 10 vulnerabilities.
Enlightn	Enlightn Software	Open Source		Enlightn is a vulnerability scanner specifically designed for Laravel PHP applications that combines SAST, DAST, IAST and configuration analysis techniques to detect vulnerabilities.
Find Security Bugs		Open Source or Free		Java, Scala, Groovy
FindBugs		Open Source or Free		Find bugs (including a few security flaws) in Java programs [Legacy - NOT Maintained - Use SpotBugs (see other entry) instead]
FindSecBugs		Open Source or Free		A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
Flawfinder		Open Source or Free		Scans C and C++.
Fluid Attack's Scanner	Fluid Attacks	Open Source		SAST, DAST and SCA vulnerability detection tool with perfect OWASP Benchmark score.
Fortify	Micro Focus	Commercial	Windows, Linux, and MacOSX	Free trial scan available. Supported languages include: ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C\# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Typescript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML
GitGuardian — Automated Secrets Detection		Commercial	SaaS or On-Premises	Secure your software development with automated secrets detection & remediation for private or public source code.
GitHub Advanced Security	GitHub	Open Source or Free	SaaS or On-Premises	GitHub Advanced Security uses CodeQL for Static Code Analysis, and GitHub Secret Scanning for identifying tokens. GitHub code scanning can import SARIF from any other SAST tool
GitLab	GitLab	Commercial	SaaS, Linux, Windows
GolangCI-Lint		Open Source or Free		A Go Linters aggregator - One of the Linters is [gosec (Go Security)](https://github.com/securego/gosec), which is off by default but can easily be enabled.
Google CodeSearchDiggity		Open Source or Free		Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.
Graudit		Open Source or Free	Linux	Scans multiple languages for various security flaws. Basically security enhanced code Grep.
HCL AppScan CodeSweep - GitHub Action	HCL Software	Open Source or Free		Scan the new code on a push/pull request using a GitHub action. Findings are highlighted in the `Files Changed` view and details about the issue and mitigation steps can be found in the `Actions` page. Unrestricted usage allowed with a free trial account. The tool currently supports Python, Ruby, JS (Vue, React, Node, Angular, JQuery, etc), PHP, Perl, COBOL, APEX & a few more.
HCL AppScan CodeSweep - IDE	HCL Software	Open Source or Free		This is the first Community edition version of AppScan. It is delivered as a VS Code [https://hclsw.co/codesweep] and JetBrains [https://hclsw.co/codesweep-jetbrains] (IntelliJ IDEA, CLion, GoLand, PhpStorm, PyCharm , Rider, RubyMine, WebStorm) plugin and scans files upon saving them. The results show the location of a finding, type and remediation advice. The tool currently supports Java, .Net, Go, Python, Ruby, JS (Node, Angular, JQuery, etc) , PHP, Perl, COBOL, APEX & a few more. Auto-fix for some of the issues is available with a free trial.
HCL AppScan on Cloud	HCL Software	Open Source or Free		Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, Kotlin, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Swift, Visual Basic 6
HCL AppScan Source	HCL Software	Commercial		Android, Apex, ASP, C, C++, COBOL, ColdFusion, Go, Java, JavaScript(Client-side JavaScript, NodeJS, and AngularJS), .NET (C#, ASP.NET, VB.NET), .NET Core, Perl, PHP, PL/SQL, Python, Ruby, T-SQL, Visual Basic 6
Hdiv Detection	Hdiv Security	Commercial		Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.
Horusec		Open Source or Free		C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx, Swift
HuskyCI		Open Source or Free		HuskyCI is an open-source tool that orchestrates security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. HuskyCI can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java(SpotBugs plus Find Sec Bugs)
Insider CLI	InsiderSec	Open Source or Free		A open source Static Application Security Testing tool (SAST) written in GoLang for Java Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Kiuwan	a division of Idera, Inc.	Commercial		provides an application security testing and analytics platform – including SAST and SCA solutions – that reduces risk and improves change management and DevOps processes
Klocwork	Perforce	Commercial		Static Code Analysis for C, C++, C#, Java, JavaScript, Python, Kotlin
Kroogal		Commercial		C, C++
LGTM		Open Source or Free		A free for open source static analysis service that automatically monitors commits to publicly accessible code in Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C\#, Go, Java, JavaScript/TypeScript, Python.
LunaTrace by LunaSec	LunaSec	Open Source or Free	SaaS or On-Premises	Software Composition Analysis (SCA) tool to generate SBOMs, identify vulnerabilities in dependencies, and generate patches. Leverages Static Analysis to reduce false positives by filtering non-exploitable CVEs.
Mend SAST	Mend	Commercial		Static security analysis for 27+ languages.
Microsoft FxCop		Open Source or Free		.NET
Microsoft PREFast		Open Source or Free		C, C++
MobSF		Open Source or Free		Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
MobSF		Open Source or Free	Windows, Unix	Android Java, Objective C, Swift
NextGen Static Analysis	ShiftLeft	Commercial	SaaS	Free version available. Currently supports Java, JavaScript, C\#, TypeScript, Python, and Terraform. Create your free account at https://shiftleft.io/register.
nodejsscan		Open Source or Free	Unix	Node.js
Nucleaus Core	Nucleaus	Commercial	SaaS	Scans Git repos daily and provides a web-based dashboard to track code and dependency vulnerabilities. Handles team-based access patterns, vulnerability exception lifecycle, and is built on API first principles.
Offensive360		Commercial		SAST technology that attacks the source code from all corners it has all in one. Malware, SCA, License, and deep source code analysis.
Oversecured	Oversecured Inc	Commercial	iOS, Android	Enterprise vulnerability scanner for Android and iOS apps. It offers app owners and developers the ability to secure each new version of a mobile app by integrating Oversecured into the development process.
OWASP ASST (Automated Software Security Toolkit)	Tarik Seyceri & OWASP	Open Source or Free	Ubuntu, MacOSX and Windows	An Open Source, Source Code Scanning Tool, developed with JavaScript (Node.js framework), Scans for PHP & MySQL Security Vulnerabilities According to OWASP Top 10 and Some other OWASP's famous vulnerabilities, and it teaches developers of how to secure their codes after scan.
OWASP Code Crawler	OWASP	Open Source		.NET, Java
OWASP LAPSE Project	OWASP	Open Source		Java
OWASP Orizon Project	OWASP	Open Source		Java
OWASP WAP (Web Application Protection)	OWASP	Open Source		PHP
ParaSoft		Open Source or Free		C, C++, Java, .NET
Parasoft Test	Parasoft	Commercial		Test tools for C/C++, .NET, Java
phpcs-security-audit		Open Source or Free		A set of PHP_CodeSniffer rules to finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
PITSS.CON	PITTS	Commercial		Scans Oracle Forms and Reports Applications
PMD		Open Source or Free		PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues).
Polyspace Static Analysis Tools		Commercial		C, C++, Ada
PreFast	Microsoft	Open Source or Free		PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
Progpilot		Open Source or Free		Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
Psalm	Vimeo, Inc.	Open Source		Static code analysis for PHP projects, written in PHP.
PT Application Inspector	Positive Technologies	Commercial		Combines SAST, DAST, IAST, SCA, configuration analysis and other technologies for high accuracy. Can generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis. Supports Java, C\#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
Puma Scan	Puma Security	Commercial		A .NET C\# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
Puma Scan Professional		Open Source or Free		.NET, C\#
PVS-Studio		Open Source or Free		C, C++, C\#
PVS-Studio Analyzer	PVS-Studio	Commercial		Static code security analysis for C, C++, C#, and Java. A commercial B2B solution, but provides several free [licensing options](https://www.viva64.com/en/b/0614/).
Pyre		Open Source or Free		A performant type-checker for Python 3, that also has [limited security/data flow analysis](https://pyre-check.org/docs/pysa-basics.html) capabilities.
reshift		Commercial		A CI/CD static code security analysis tool for Java that uses machine learning to give a prediction on false positives.
SecureAssist	Synopsys	Commercial		Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio, etc. Supports Java, .NET, PHP, and JavaScript.
Security Code Scan		Open Source or Free		Static code analyzer for .NET. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
Seeker	Synopsys	Commercial		Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
Semgrep		Open Source or Free		Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. No compilation needed to scan source code. Supports Go, Java, JavaScript, JSON,Python, TypeScript, and more.
Sentinel Source	Whitehat	Commercial		Static security analysis for 10+ languages.
ShiftLeft Scan		Open Source or Free		A free open-source DevSecOps platform for detecting security issues in source ode and dependencies. It supports a broad range of languages and CI/CD pipelines by bundling various open source scanners into the pipeline.
Sink Tank		Open Source or Free		Java byte code static code analyzer for performing source/sink (taint) analysis.
Snyk Cloud	Snyk Limited	Commercial or Free	SaaS, IDE Plugin	Detects cloud security issues as soon as developers start designing configurations, providing expert guidance to cloud, platform, and security teams in the tools and workflows they use every day.
Snyk Code	Snyk Limited	Commercial or Free	SaaS, IDE Plugin	AI-powered code checker that analyzes your code for security issues, providing actionable advice directly from your IDE to help you fix vulnerabilities quickly
Snyk Container	Snyk Limited	Commercial or Free	SaaS, IDE Plugin	Container and Kubernetes security that helps developers and DevOps find and fix vulnerabilities throughout the SDLC.
Snyk IaC	Snyk Limited	Commercial or Free	SaaS, IDE Plugin	Reduce risk by automating Infrastructure as Code (IaC) security and compliance in development workflows pre-deployment and detecting drifted and missing resources post-deployment.
Snyk Open Source	Snyk Limited	Commercial or Free	SaaS, IDE Plugin	Software composition analysis (SCA) solution helping developers find, prioritize, and fix security vulnerabilities and license issues in open source dependencies.
SonarCloud		Open Source or Free		ABAP, C, C++, Objective-C, COBOL, C\#, CSS, Flex, Go, HTML, Java, Javascript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Swift, T-SQL, TypeScript, VB6, VB, XML
SonarQube		Open Source or Free		Scans source code for 15 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [SonarLint](https://www.sonarlint.org/).
Spectral	SpectralOps	Open Source or Free	Multi-platform & Multi-architecture. Linux/Windows/MacOSx/*nix. Programming-language agnostic	Discover, classify, and protect your codebases, logs, and other assets. Monitor and detect API keys, tokens, credentials, high-risk security misconfiguration and more.
Splint		Open Source or Free		C
SpotBugs		Open Source or Free		Java. This is the active fork replacement for FindBugs, which is not maintained anymore. Very little security. FindSecBugs plugin provides security rules.
Static Reviewer	Security Reviewer	Commercial	Windows and Linux; on-Premises and in Cloud; Desktop, CLI and CI/CD & IDE plugin integration	Static Reviewer executes code checks according to the most relevant Secure Coding Standards for 40+ programming languages, using 1000+ built-in validation rules.
Understand	SciTools	Commercial	Windows, MacOSX, Linux	IDE that provides static code analysis using graphs, documentation, and metrics. Scans code to check for vulnerabilities and ensures compliance with standards like MISRA and AUTOSAR. Works with 20 languages including C, C++, C#, JavaScript, Python, and Java.
Veracode		Open Source or Free		Android, ASP.NET, C\#, C, C++, Classic ASP, COBOL, ColdFusion/Java, Go, Groovy, iOS, Java, JavaScript, Perl, PhoneGap/Cordova, PHP, Python, React Native, RPG, Ruby on Rails, Scala, Titanium, TypeScript, VB.NET, Visual Basic 6, Xamarin
Veracode Static Analysis	Veracode	Commercial
VisualCodeGrepper		Open Source or Free	Windows	C/C++, C\#, VB, PHP, Java, PL/SQL
VisualCodeGrepper (VCG)		Open Source or Free		Scans C/C++, C\#, VB, PHP, Java, PL/SQL, and COBOL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
VS Code OpenAPI (Swagger) Editor extension		Open Source or Free		Plugin to Microsoft Visual Studio Code that enables rich editing capabilities for REST API contracts and also includes linting and Security Audit (static security analysis).
Xanitizer	Xanitizer	Commercial	CLI and plugin integration	A SAST tool for Java, Scala, and JavaScript/TypeScript, mainly via taint analysis. Per this pricing page, it is free for Open Source projects if you contact the vendor.