Static Application Security Testing (SAST) tools for static code analysis that detect security vulnerabilities and coding flaws in source code during development.
Browse 161 static application security testing tools
Code security and quality platform with SAST, SCA, DAST, and AI code protection
Real-time vulnerability detection and automated fixing for AI-generated code
A tool for redirecting HTTP and HTTPS requests to other URLs.
Using high-quality entropy sources for CSPRNG seeding is crucial for security.
Terrascan is a static code analyzer that scans Infrastructure as Code for security misconfigurations and compliance violations across multiple cloud platforms and container environments.
cfn-nag is a static analysis tool that scans AWS CloudFormation templates to identify security vulnerabilities and misconfigurations in infrastructure-as-code.
A static code analysis tool for parsing common data formats to detect hardcoded credentials and dangerous functions.
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets in git repos.
DumpsterDiver analyzes large datasets to detect hardcoded secrets, keys, and passwords using entropy calculations and customizable search rules.
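The entropy-plus-rules approach described in the entry above, as an added example that is not DumpsterDiver's own code: Shannon entropy flags random-looking tokens whose format is unknown, while format rules catch keys whose fixed prefix makes them low-entropy but recognisable. The sample input, the rule set and the 4.0-bit threshold are all constructed for illustration.

```python
import math
import re

# Constructed sample input (not real credentials): one high-entropy token
# assigned to a secret-looking key, one key id in a known format, and benign
# text that should not be flagged.
SAMPLE_TEXT = """\
db_host = db.internal.example
api_token = "k8Jq2Xv9Lm4Pz7Rt1Wn5Yb3Hd6Gf0Sc"
aws_key = AKIAIOSFODNN7EXAMPLE
greeting = "hello hello hello hello hello hello hello"
"""

# Customisable search rules (hypothetical, illustrative set). A rule whose last
# capture group is the secret itself reports that group; otherwise the whole match.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)(token|secret|password)\s*=\s*[\"']?([A-Za-z0-9+/=_-]{16,})"
    ),
}

# Candidate tokens for the entropy check: long runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 4.0) -> list:
    """Return findings as dicts {line, value, reasons}, one per distinct token
    per line, merging rule hits and entropy hits on the same token."""
    found = {}  # (line, value) -> list of reasons
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)
                found.setdefault((lineno, value), []).append(name)
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= entropy_threshold:
                found.setdefault((lineno, token), []).append("entropy")
    return [
        {"line": line, "value": value, "reasons": reasons}
        for (line, value), reasons in sorted(found.items())
    ]


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['value']}  [{', '.join(f['reasons'])}]")
```

Note what each detector contributes on the sample: the 31-character token has about 4.95 bits of entropy per character and is caught by both the entropy check and the assignment rule, while the AKIA-prefixed key id has only about 3.7 bits (repeated letters, fixed prefix) and would be missed by entropy alone. Tune the threshold against your own repository, because long identifiers in minified or generated code also score high.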
ASH is an automated security scanning tool that integrates multiple open-source security scanners to perform preliminary security checks on code, infrastructure, and IAM configurations during development.
Prevents you from committing passwords and other sensitive information to a git repository.
A Python command line tool that scans directories for AWS credentials in files, designed for CI/CD integration to prevent credential exposure in builds.
StaCoAn is a cross-platform tool for static code analysis on mobile applications, emphasizing the identification of security vulnerabilities.
A collection of vulnerable web application test cases designed to benchmark and evaluate the effectiveness of static security analyzers and penetration testing tools.
Protect against Prototype Pollution vulnerabilities in your application by freezing JavaScript objects.
A bash script that analyzes executable files to check security properties like PIE, RELRO, canaries, ASLR, and Fortify Source protections.
DroidRA is an instrumentation-based Android security analysis tool that improves the accuracy of reflective call analysis through composite constant propagation techniques.
A PHP 5.x polyfill for random_bytes() and random_int() created by Paragon Initiative Enterprises.
UglifyJS 3 is a JavaScript toolkit that provides parsing, minification, compression, and beautification capabilities for JavaScript code optimization and processing.
Betterscan is an orchestration toolchain that coordinates multiple security tools to scan source code and infrastructure as code for security vulnerabilities, compliance risks, secrets, and misconfigurations.
Dependencies is an open-source modern replacement for Dependency Walker that helps Windows developers analyze and troubleshoot DLL load dependency issues.
ESLint plugin to prevent Trojan Source attacks.
Detects Trojan Source attacks, which use Unicode bidirectional (bidi) control characters to make source code render differently from how the compiler reads it, so that malicious logic can be injected unnoticed.
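What the two Trojan Source entries above detect, as an added example that is not the code of either tool: a scanner that reports every bidi control character in a source file and additionally flags embeddings, overrides and isolates that are still open at the end of a line, which is the shape of the attack (the override reorders the rest of the line for the reader while the compiler still sees the bytes in order). The C snippet is constructed for illustration, in the style of the commenting-out attack, with the control characters written as escapes so they are visible.

```python
import unicodedata

# Unicode bidirectional formatting characters abused by Trojan Source attacks.
EMBED_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
PDF = "\u202c"                                            # closes an embedding/override
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI
PDI = "\u2069"                                            # closes an isolate
MARKS = {"\u200e", "\u200f", "\u061c"}                    # LRM, RLM, ALM
ALL_BIDI = EMBED_OPENERS | {PDF} | ISOLATE_OPENERS | {PDI} | MARKS

# Constructed sample. Rendered in an editor, line 4 looks like a closed comment
# followed by a live "if (isAdmin) {" and line 6 like a plain closing comment;
# the compiler sees the whole of line 4 and line 6 as comments, so the printf
# runs unconditionally.
SAMPLE_SOURCE = (
    "#include <stdio.h>\n"
    "int main() {\n"
    "    int isAdmin = 0;\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)


def _finding(lineno, col, ch, issue):
    return {"line": lineno, "col": col, "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch), "issue": issue}


def scan_bidi(text: str) -> list:
    """Report every bidi control character ("bidi-control") and every opener
    still unterminated at end of line ("unterminated"). Bidi state resets at
    the line break, which is what lets the attack hide the rest of a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stack = []  # (char, col) of openers not yet terminated on this line
        for col, ch in enumerate(line, 1):
            if ch not in ALL_BIDI:
                continue
            findings.append(_finding(lineno, col, ch, "bidi-control"))
            if ch in EMBED_OPENERS or ch in ISOLATE_OPENERS:
                stack.append((ch, col))
            elif ch == PDF:
                if stack and stack[-1][0] in EMBED_OPENERS:
                    stack.pop()
            elif ch == PDI:
                # PDI closes the nearest isolate and any embeddings opened inside it
                while stack and stack[-1][0] not in ISOLATE_OPENERS:
                    stack.pop()
                if stack:
                    stack.pop()
        for ch, col in stack:
            findings.append(_finding(lineno, col, ch, "unterminated"))
    return findings


if __name__ == "__main__":
    for f in scan_bidi(SAMPLE_SOURCE):
        print(f"{f['line']}:{f['col']} {f['codepoint']} {f['name']} ({f['issue']})")
```

In a pre-commit or CI gate the safest policy is to fail on any "bidi-control" finding in source files, since legitimate code almost never needs these characters outside string literals for right-to-left text; the "unterminated" findings are the ones that most directly indicate the attack pattern and are worth highlighting separately in review.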
Tool roundups, buying guides, and strategic analysis from the CybersecTools resource library.
Common questions about Static Application Security Testing tools, selection guides, pricing, and comparisons.
Reduce false positives by: tuning rules to your technology stack and coding patterns, using incremental scanning (only scan changed code), establishing a baseline and triaging existing findings, integrating SAST results with IAST or DAST to validate findings at runtime, and configuring suppressions for known safe patterns specific to your codebase.
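The baseline, incremental-scan and suppression steps from the answer above, as an added example that is not CybersecTools code or any particular scanner's: a triage filter over SARIF output that reports only findings absent from a baseline run, skips suppressed rule/path combinations, and optionally restricts itself to changed files. The two SARIF runs, the rule ids, the paths and the suppression list are constructed for illustration.

```python
import fnmatch
import hashlib
import json


def _result(rule, uri, line, snippet, message):
    """Build one SARIF 2.1.0 result with a single physical location."""
    return {"ruleId": rule, "message": {"text": message},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line, "snippet": {"text": snippet}}}}]}


def _sarif(*results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-sast"}},
                      "results": list(results)}]}


# Constructed sample runs. Rule ids and paths are hypothetical.
BASELINE_SARIF = _sarif(
    _result("py.sql-injection", "app/db.py", 40,
            'cursor.execute("SELECT * FROM users WHERE id=" + uid)',
            "SQL built by string concatenation"),
    _result("py.hardcoded-password", "app/settings.py", 12,
            'PASSWORD = "changeme"', "Hardcoded password"),
)
CURRENT_SARIF = _sarif(
    # same SQLi finding, but the code moved 17 lines down since the baseline
    _result("py.sql-injection", "app/db.py", 57,
            'cursor.execute("SELECT * FROM users WHERE id=" + uid)',
            "SQL built by string concatenation"),
    _result("py.hardcoded-password", "app/settings.py", 12,
            'PASSWORD = "changeme"', "Hardcoded password"),
    # genuinely new since the baseline
    _result("py.subprocess-shell", "app/tasks.py", 23,
            "subprocess.run(cmd, shell=True)", "subprocess with shell=True"),
    # known-safe pattern: an intentionally vulnerable test fixture
    _result("py.sql-injection", "tests/fixtures/vuln.py", 3,
            'cursor.execute("SELECT 1 WHERE x=" + q)',
            "SQL built by string concatenation"),
)

# Suppressions specific to this codebase: rule, path glob, and the reason on record.
SUPPRESSIONS = [
    {"rule": "py.sql-injection", "path": "tests/fixtures/*",
     "reason": "fixture is deliberately vulnerable; never deployed"},
]


def iter_findings(sarif):
    for run in sarif["runs"]:
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            yield {"rule": res["ruleId"],
                   "path": loc["artifactLocation"]["uri"],
                   "line": loc["region"]["startLine"],
                   "snippet": loc["region"]["snippet"]["text"].strip(),
                   "message": res["message"]["text"]}


def fingerprint(finding):
    """Stable identity of a finding: rule + file + offending code, deliberately
    not the line number, so edits elsewhere in a file do not resurface old
    findings as new ones."""
    key = "\0".join([finding["rule"], finding["path"], finding["snippet"]])
    return hashlib.sha256(key.encode()).hexdigest()


def is_suppressed(finding, suppressions):
    return any(s["rule"] == finding["rule"] and fnmatch.fnmatch(finding["path"], s["path"])
               for s in suppressions)


def new_findings(current, baseline, suppressions, changed_paths=None):
    """Findings that deserve a human's attention: not in the baseline, not
    suppressed, and (for incremental scans) only in files that changed."""
    known = {fingerprint(f) for f in iter_findings(baseline)}
    out = []
    for f in iter_findings(current):
        if changed_paths is not None and f["path"] not in changed_paths:
            continue
        if fingerprint(f) in known or is_suppressed(f, suppressions):
            continue
        out.append(f)
    return out


if __name__ == "__main__":
    print(json.dumps(new_findings(CURRENT_SARIF, BASELINE_SARIF, SUPPRESSIONS), indent=2))
```

Two design choices matter in practice: the fingerprint must survive line shifts (hence snippet rather than line number; many scanners emit their own fingerprint field you can use instead), and every suppression should carry a reason and be reviewed with the same rigour as a code change, because a suppression file is the easiest place to quietly turn a real finding into a "known safe pattern".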
Yes. Out of 24 static application security testing tools listed on CybersecTools, 22 are free and 2 are commercial. Free tools work well for small teams, testing, and budget-conscious organizations. Commercial tools typically add enterprise features, dedicated support, and SLA guarantees.