SAST Tools: 15 Top Free and Commercial Tools
What is SAST?
Static Application Security Testing (SAST) tools are solutions that scan your application source code or binary and find vulnerabilities. It is known as White-box testing, and developers can use it within the IDE or integrate it into CI/CD pipelines.
First SAST tools came into the market in 2002*?and are part of every modern application development environment. It can help developers in real-time with the potential security issues in the code they are writing.
Also, you can join the?CandyShop DevsecOps?project to see the security testing performance of the most popular SAST tools.
How do SAST tools work?
Most of the SAST tools start the process by creating a standard format (AST) irrespective of the language of your code. This way, it will be easier/faster to query the source code and find security issues.
After creating a model from your source code, SAST tools can look for known issues with the rule engine.
It will include language-specific, relevant, and custom rules that users can add to cover business-logic-related issues.
In?semantic analysis, SAST tools will look for insecure code usage and can even detect indirect calls.
Structural analysis?will check language-specific secure coding violations and detect improper variables/functions/methods access modifiers, dead code, insecure multithreading, and memory leaks.
Control flow analysis?validates the order of operations by checking sequence patterns. It can identify the dangerous sequence of actions, resource leaks, race conditions and Improper variable/object initializing before use.?
Data flow analysis?is the most powerful technique, and It tracks the data flow from the taint source (attacker-controlled inputs) to the vulnerable sink. (exploitable code)
It can identify Injections, buffer overflows, and format-string attacks.
Configuration analysis?checks the application's configuration files (XML, Web.config, properties files) and finds known security misconfigurations.?
How to integrate SAST tools into DevSecOps?
You are integrating SAST tools into automated DevOps workflows making it much faster to deliver secure software to your end-users.?
?It?will save much time during vulnerability management/remediation, and your developers will get an immediate response from the SAST Tool with this proactive scanning approach.
You can use a solution like?Kondukto?by integrating your existing SAST Tools or run code scans with built-in open source SAST tools directly in CI/CD pipeline.
And these are the most popular?SAST tools:
It is a free (open-source) static security scanner for Python applications.
Supported Languages:?Python
License:?Free (Open-Source)
Official Website:?https://pypi.org/project/bandit/
It is a free (open-source) vulnerability scanner for Ruby on Rails applications.
Supported Languages:?Ruby on Rails
License:?Free (Open-Source)
Official Website:?https://brakemanscanner.org/
Enterprise-level static code scanner supports all popular languages and is nominated as "Leaders" in Gartner Magic Quadrant 2022.
Supported Languages:?JavaScript, Apex, Java, PHP, Python, Swift, Scala, Perl, Groovy, Ruby, C#, .NET, C++, Oracle PL/SQL, VB.NET, Android, Apple, ASP.NET, HTML 5, Windows Mobile, Go
License:?Commercial
Official Website:?https://checkmarx.com/
An enterprise-level application security testing suite contains a source code scanner for 11 languages and is nominated as "Visionaries" in Gartner Magic Quadrant 2022.
Supported Languages:? Java, JavaScript, .NET, .NET Core, Node.js, Ruby, Python, Golang, Scala, PHP, Kotlin
?License:?Commercial (with?Free Community Edition)
Official Website:?https://www.contrastsecurity.com/contrast-scan
It's the SAST part of Synopsys application security suite.
Supported Languages:?Apex, C/C++,?C#, CUDA, Java, JavaScript, PHP, Python, .NET Core, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, iOS, Android, TypeScript, Kotlin
License:?Commercial
Official Website:?https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
An enterprise-level static scanner supports 20 languages and is nominated as "Leaders" in Gartner Magic Quadrant 2022.
Supported Languages:?.NET, .NET Framework, .NET Core, ABAP/BSP, ActionScript, Apex, C#, C/C++, Classic ASP (with VBScript), COBOL, ColdFusion, Go, HTML, Java (including Android), JavaScript, JSON, JSP, Kotlin, MXML (Flex), Objective-C/C++, PHP, PL/SQL, Python, Ruby, Scala, Swift, T-SQL, TypeScript, VBScript, Visual Basic (VB.NET), Visual Basic, XML, YAML
License:?Commercial?
Official Website:?https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer
领英推荐
An enterprise-level application security tool suite that contains a static scanner supports 34 languages and gets nominated as "Leaders" in Gartner Magic Quadrant 2022.
Supported Languages:?ABAP, Android, Angular, AngularJS, APEX, ASP Classic
Java? and Java? web content, .NET (C#, ASP.NET, VB.NET), C/C++, COBOL, ColdFusion, Dart, Go, Groovy, Infrastructure as Code (IaC), JavaScript, Kotlin, Objective-C/Objective-C++, NodeJS, Perl, PHP, PL/SQL, Python, ReactJS, ReactNative, RPG, Ruby, Scala, Swift, TSQL, TypeScript, Visual Basic, Vue.js, Xamarin
License:?Commercial,?AppScan CodeSweep?(Free)
Official Website:?https://www.hcltechsw.com/appscan/offerings/source
A practical and efficient static code scanner for 28 programming languages.
Supported Languages:?ABAP, ActionScript, ASP.NET, C, COBOL, C++, C#, Go, HTML, Informix, Java, JavaScript /TypeScript, JCL, JSP, Kotlin, Natural, Objective C, OracleForms, PHP, PL-SQL, PowerScript, Python, RPG4, Scala, Swift, Transact-SQL, VisualBasic 6, VB.NET
License:?Commercial
Official Website:?https://www.kiuwan.com/code-security-sast/
An advanced source code security testing tool for C, C++, C#, Java, JavaScript, Python, and Kotlin applications.
Supported Languages:?C, C++, C#, Java, JavaScript, Python, and Kotlin
License:?Commercial (with Free Trial)
Official Website:?https://www.perforce.com/products/klocwork
An automated code review solution for Java, Python, JavaScript, TypeScript, C#, Go, C and C++.
Supported Languages:?Java, Python, JavaScript, TypeScript, C#, Go, C and C++
License:?Commercial (Free for open source projects)
Official Website:??https://lgtm.com
A lightweight static code scanner for Node.js
Supported Languages:?Node.js
License:?Commercial (Free for a single user)
Official Website:?https://www.reshiftsecurity.com
A fast open-source code vulnerability scanner for 11 language support.?
Supported Languages:?C#, Go, Java, JavaScript, JSON, JSX, Python, Ruby, Scala, TSX, TypeScript
License:?Commercial (with Free Community Edition)
Official Website:?https://semgrep.dev
An enterprise-level DevSecOps solution contains a static code scanner for 11 languages and is nominated as "Challengers" in Magic Quadrant 2022.
Supported Languages:?JavaScript, Java (Gradle, Maven), .NET, Python, Golang, Swift, Objective-C (CocoaPods), Scala, Ruby, PHP, and Bazel
License:?Commercial (with Free Limited Test edition)
Official Website:?https://snyk.io/product/snyk-code/
A very popular static code scanner for 29 languages.
Supported Languages:?Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML?
License:?Commercial (with Free Community edition)
Official Website:?https://www.sonarqube.org/features/security/
It is an enterprise-level SAST tool that will provide automated feedback to your developers in the IDE and CI/CD pipeline. It is nominated as "Leaders" in Gartner Magic Quadrant 2022.
?Supported Languages:?Java, .NET and .NET Core, C#.NET and VB.NET, C and C++, TypeScript and JavaScript,?Node.js, React, Ember.js, and AngularJS, Swift and Objective-C applications, Kotlin, COBOL, Visual Basic 6, and RPG.
License:?Commercial?
Official Website:?https://www.veracode.com/security/static-code-analysis
Resources:
?
Anything I Missed?
So these are my favourite SAST tools, and now I'd like to hear from you:
?Is there any other SAST tool that you love… but didn't see in this article?
Or maybe you have a question. Either way, let me know by leaving a comment below right now.
Suphi Cankurt, I know this article is a little dated but curious if you know if there is a current product out there that can be run natively (or localized repository) installed to perform SAST and SCA affordably for a single developer. Language is C,C++ Thanks in advance.
CEO at #1 App Dev Company | Mentor TechStars & SeedStars | Part-Time Human :3
1 年Suphi, thanks for sharing!
APAC Channel Manager @ SmartBear India
2 年Thanks for sharing great compilation
Engineering and Product Leader | Aligning Technology and Security outcomes to business objectives | Defining emerging tech frameworks to create value
2 年Thanks for sharing. It’s a great list and seeing all the pros and cons in one list is great ??