Loading...
Static Application Security Testing (SAST) scans source code, bytecode, or binaries for security flaws without running the application, tracing how untrusted data moves through your codebase to flag injection, hardcoded secrets, broken auth, and unsafe API use. It is the white-box counterpart to DAST, and it lives early in the SDLC where fixes are cheapest. Security teams and engineering leaders use SAST to catch vulnerable code patterns in the IDE and pull request before they ever reach a running environment. The hard part is not finding issues; it is finding the real ones without burying developers in noise.
We cover 98 Static Application Security Testing tools, 35 free and 63 commercial.
Accuracy and depth improve over time. Last reviewed Jul 2026. Is something off? Reach out.
Using high-quality entropy sources for CSPRNG seeding is crucial for security.
cfn-nag is a static analysis tool that scans AWS CloudFormation templates to identify security vulnerabilities and misconfigurations in infrastructure-as-code.
A collection of vulnerable web application test cases designed to benchmark and evaluate the effectiveness of static security analyzers and penetration testing tools.
DroidRA is an instrumentation-based Android security analysis tool that improves the accuracy of reflective call analysis through composite constant propagation techniques.
A PHP 5.x polyfill for random_bytes() and random_int() created by Paragon Initiative Enterprises.
UglifyJS 3 is a JavaScript toolkit that provides parsing, minification, compression, and beautification capabilities for JavaScript code optimization and processing.
Betterscan is an orchestration toolchain that coordinates multiple security tools to scan source code and infrastructure as code for security vulnerabilities, compliance risks, secrets, and misconfigurations.
ESLint plugin to prevent Trojan Source attacks.
Detect trojan source attacks that employ unicode bidi attacks to inject malicious code.
A library for forward compatibility with PHP password functions.
A library for generating random numbers and strings of various strengths, useful in security contexts.
Insider is an open-source CLI tool that performs static source code analysis to detect OWASP Top 10 vulnerabilities across multiple programming languages including Java, Kotlin, Swift, .NET, C#, and JavaScript.
JSON.parse() drop-in replacement with prototype poisoning protection.
JAADAS is a powerful tool for static analysis of Android applications, providing features like API misuse analysis and inter-procedure dataflow analysis.
A static analysis tool that detects Common Weakness Enumerations (CWEs) in ELF binaries across multiple CPU architectures using Ghidra-based disassembly and various analysis techniques.
A Fastify plugin that provides utilities and middleware to protect web applications against Cross-Site Request Forgery (CSRF) attacks.
A vulnerable web site in NodeJS for testing security source code analyzers.
Checkov is a static analysis tool that scans infrastructure as code and performs software composition analysis to detect security misconfigurations and vulnerabilities in cloud infrastructure and dependencies.
Static security code scanner (SAST) for Node.js applications with Docker support and integrations with Slack.
A Node.js library for validating environment variables and providing immutable access to configuration values in applications.
A CLI tool that performs security assessments on Joi validator schemas by testing them against various attack vectors including XSS, SQL injection, RCE, and SSRF.
A security-focused general purpose memory allocator providing the malloc API with hardening against heap corruption vulnerabilities.
Tool roundups, buying guides, and strategic analysis from the CybersecTools resource library.
Common questions about Static Application Security Testing tools, selection guides, pricing, and comparisons.
SAST analyzes an application's source code, bytecode, or compiled binaries without executing it, looking for security weaknesses like SQL injection, cross-site scripting, hardcoded credentials, and unsafe deserialization. It uses data flow and taint analysis to follow untrusted input from entry points to sensitive sinks. Because it inspects code directly, it pinpoints the exact file and line, which makes it well suited to running inside developer workflows.
SAST is white-box: it reads your code and finds flaws in code you wrote. DAST is black-box: it attacks a running application from the outside and finds runtime issues SAST cannot see, like server misconfiguration. SCA scans your dependencies for known CVEs in third-party and open source packages. They overlap very little, so most mature programs run all three rather than picking one.
Start with language and framework coverage for your actual stack, then weigh false positive rate, because a noisy scanner gets ignored. Check how cleanly it fits your pipeline: IDE plugins, pull request comments, and CI gating. Look at scan speed, the quality of remediation guidance, and whether findings map to standards like OWASP or CWE. Run a proof of concept against your own repositories before committing.
Open source scanners like Semgrep CE and language-specific linters cover a lot of ground and are excellent for teams comfortable writing and tuning their own rules. Commercial tools generally add deeper interprocedural analysis, broader language support, managed rule sets, triage workflows, and vendor support. Many teams start with open source, then move to a commercial platform when noise management and compliance reporting become the bottleneck.
Static analysis reasons about all possible code paths without runtime context, so it flags conditions that may never actually occur, like input that is sanitized in a way the analyzer cannot trace. The fix is tooling that supports tuning: suppressions, custom rules, framework awareness, and reachability or context analysis that distinguishes exploitable findings from theoretical ones. Lower noise directly drives developer adoption.