Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Source Code Security Analyzers

[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]

For our purposes, a source code security analyzer

  1. examines source code to
  2. detect and report weaknesses that can lead to security vulnerabilities.

They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.

Byte Code Scanners and Binary Code Scanners have similarities, but work at lower levels.

Some Instances 

DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

Please contact us if you think something should be included. If it has all the characteristics of the tool, techniques, etc., we will be happy to add it. You can contact us at samate(at)nist

Tool Language(s) Avail. CCR Finds or Checks for       updated      
ABASH Bash free   String expansion errors, option insertion errors, and other weaknesses that may lead to security vulnerabilities. Mar 2012
ApexSec Security Console PL/SQL(Oracle Apex) Recx   SQL Injection, Cross-Site Scripting, Access Control and Configuration issues within an Apex application  Mar 2010
Astrée C AbsInt   Sound runtime error analyzer finds code defects and security vulnerabilities, e.g., out-of-bounds array indexing, null-pointer dereferences, dangling pointers, divide-by-zeros, buffer overflows, data races. Also checks coding guidelines like MISRA C/C++, SEI CERT C, CWE, and ISO/IEC TS 17961:2013. Mar 2018
AttackFlow Java, C# AttackFlow   Authorization, authentication, session management, cryptographic issues, input validation, code quality, configuration, and other issues June 2017
BOON C free   integer range analysis determines if an array can be indexed outside its bounds Feb 2005
Brakeman Ruby on Rails free and Brakeman   Cross site scripting (XSS), SQL injection, Command injection, Unsafe file access, Unsafe mass assignment, Remote code execution, Cross site request forgery (CSRF), Authentication, File access, Open redirects, Session manipulation, etc. June 2017
CAST Application Intelligence Platform (AIP) ABAP, .NET, ASP.NET, VB.NET, C#, .NET Frameworks, LINQ to Objects, LINQ to DataSets, C and C++, Visual C, IBM DB2 SQC/SQC++, Cobol ANSI 85, JCL z/OS, IMS/DB, CICS, Java JDK, Java Server Faces, JSP, Struts Framework, Hibernate, JPA, EJB, Spring IoC, WSDL, CDI, JavaScript, HTML, XHTML, ASP, Microsoft VB, IBM DB2, Oracle PL/SQL, Postgress, MS SQL CAST   SQL Injection, Cross Site Scripting (XSS), Input Validation, Insecure Cryptographic Storage, Information Leakage and Improper Error Handling, Data Access, API Abuse, Encapsulation May 2017
C/C++test® C, C++ Parasoft   defects such as memory leaks, buffer issues, security issues and arithmetic issues, plus SQL injection, cross-site scripting, exposure of sensitive data and other potential issues Dec 2013
dotTEST™ C#, VB.NET, MC++
Jtest® Java
HP Code Advisor (cadvise) C, C++ HP   many lint-like checks plus memory leak, potential null pointer dereference, tainted data for file paths, and many others Dec 2013
CxSAST Java, JavaScript, PHP, C#, VB.NET, VB6, ASP.NET, C/C++, Apex, Ruby, Perl, Objective-C, Python, Groovy, HTML5, Swift, APEX, J2SE, J2EE Checkmarx   All OWASP Top 10 and SANS 25 vulnerabilities and compliance with PCI-DSS, HIPAA, and MISRA requirements along with custom queries, all with a low rate of false-positives and easy to integrate throughout the SDLC. Mar 2016
Clang Static Analyzer C, Objective-C free   Resports dead stores, memory leaks, null pointer deref, and more. Uses source annotations like "nonnull". Aug 2010
Closure Compiler JavaScript free   Removes dead code, checks syntax, variable references and types and warns about common JavaScript pitfalls. Feb 2014
Code Inspector Apex, C, C++, C#, Dart, Docker, Go, Java, Javascript, Kotlin, PHP, Python, Ruby, Scala, shellscript, Terraform, Typescript, YAML free and Code Inspector   Checks for security, safety, design, performance, documentation issues in the code. Combines and tunes output from multiple static analysis tools. Checks that the developer uses best practices, computes code quality measures and technical debt. Integrates into CI/CD and code repositories. Sep 2021
CodeCenter C ICS   incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables Apr 2011
CodePeer Ada AdaCore   detects uninitialized data, pointer misuse, buffer overflow, numeric overflow, division by zero, dead code, concurrency faults (race conditions), unused variables, etc. Apr 2010
CodeSecure ASP.NET, C#, PHP, Java, JSP, VB.NET, others Armorize Technologies   XSS, SQL Injection, Command Injection, tainted data flow, etc. Aug 2012
CodeSonar C and C++ GrammaTech   null-pointer dereferences, divide-by-zeros, buffer over- and underruns Nov 2012
Coverity C, C++, Java, C# Synopsys   flaws and security vulnerabilities - reduces false positives while minimizing the likelihood of false negatives.  Apr 2011
Cppcheck C, C++ free   pointer to a variable that goes out of scope, bounds, classes (missing constructors, unused private functions, etc.), exception safety, memory leaks, invalid STL usage, overlapping data in sprintf, division by zero, null pointer dereference, unused struct member, passing parameter by value, etc. Aims for no false positives. Feb 2010
CQual C free   User-defined types extend the C type system with type qualifiers to perform a taint analysis. Feb 2005
Csur C free   cryptographic protocol-related vulnerabilities Apr 2006


Go, Python, Java, JavaScript, Ruby, SQL, Shell, Docker, Terraform

free and DeepSource Corp.


All OWASP Top 10 security issues, hard-coded credentials, bug risks, anti-patterns, performance, and other issue categories. Integrates with GitHub and other code repositories. Integrates reports from test coverage tools.

June 2021
Dlint Python free   Checks for poor coding practices and security issues. Nov 2019
DerScanner Java, Java for Android, JavaScript, JSP, TypeScript, VBScript, Scala, HTML5, PHP, Python, Groovy, Kotlin, Go, Ruby, С#, C/C++, Objective-C, Swift, ABAP, Apex, Solidity, Vyper, PL/SQL, T-SQL, Visual Basic 6.0, Delphi, COBOL, 1С, VBA, ASP.NET, Perl, Rust DerSecur Ltd.   DerScanner is a static app code analyzer capable of identifying vulnerabilities and backdoors (undocumented features). Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries). Aims to detect almost all known defects leading to vulnerabilities. June 2020
DoubleCheck C, C++ Green Hills Software   like buffer overflows, resource leaks, invalid pointer references, and violations of ... MISRA Jul 2007
Enlightn PHP, Laravel free   SQL injection, mass assignment, Cross-site scripting (XSS), Cookie and session security, CSRF, unrestricted file uploads, directory traversal, open redirection, command injection, object injection, host injection, eval code injection, extract variable hijacking, security headers, app debug mode, encryption, authentication and vulnerable dependency scanning Jan 2021
FindBugs Java, Groovy, Scala free   Null pointer deferences, synchronization errors, vulnerabilities to malicious code, etc. It can be used to analyse any JVM languages.  The last version of FindBugs was released in March 2015 (In contrast, SpotBugs is being actively developed). Mar 2019
FindSecurityBugs Java, Groovy, Scala, Android apps free   Extends SpotBugs with more security detectors (Command Injection, XPath Injection, SQL/HQL Injection, Cryptography weakness and many more).  Mar 2019
Flawfinder C/C++ free   uses of risky functions, buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()). 2005
Fortify Static Code Analyzer ASP.NET, C, C++, C# and other .NET languages, Swift, COBOL, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, XML, and others Micro Focus   security vulnerabilities, tainted data flow, etc. Mar 2019
GitLab SAST .NET, C/C++, Go, Java, JavaScript, PHP, Python, Ruby, Scala GitLab   Dangerous attributes in classes, unsafe code that can lead to code execution, injection attacks, etc. Nov 2020
Gosec Go free   Checks for security problems including hard-coded credentials, path traversal, insecure random number, etc. Mar 2019
Klocwork C, C++, Java, and C# Perforce   MISRA, AUTOSAR, Buffer overflow, un-validated user input, SQL injection, path injection, file injection, cross-site scripting, information leakage, weak encryption and vulnerable coding practices, as well as quality, reliability and maintainability issues. Aug 2019
Jlint Java free   bugs, inconsistencies, and synchronization problems Aug 2012
Kiuwan Abap, ActionScript, ASP.NET, C/C++, C#, Cobol, HTML, Java, Javascript, JSP, Objective-C, PHP, PowerScript, Python, RPG, VB6, Kiuwan   OWASP member, CWE certified, full compliance with SANS 25, PCI-DSS, HIPAA, WASC, MISRA-C, BIZEC, ISO 25000, ISO 9126, CERT-C, CERT-J. Over 4500 rules including: SQL injection, encryption and randomness, file handling, information leaks, number handling, control flow management, initialization and shutdown, design error, system element isolation, error handling and fault isolation, pointer and reference handling, misconfiguration, permissions, privileges and access controls, buffer handling Sep 2017
ObjectCenter C/C++ ICS   "run-time and static error detection ... more than 250 types of errors, including more than 80 run-time errors ... inter-module inconsistencies" Apr 2011
Offensive360 C#, Java, PHP, Javascript, TypeScript, React, Angular, Docker, XML, HTML, YAML, DLL Offensive360   Detect security vulnerabilities, perform malware analysis, license analysis, etc. Does not require building the source code. July 2021
Oversecured Java, Kotlin Oversecured Inc   A static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written in Java and Kotlin. Also allows integration into DevOps processes. Aug 2020
Parfait C/C++ ? Oracle proprietary     Apr 2013
PLSQLScanner 2008 PLSQL Red-Database-Security   SQL Injection, hardcoded passwords, Cross-site scripting (XSS), etc. Jun 2008
PHP-Sat PHP free   static analysis tool, XSS, etc. description Sep 2006
Pixy PHP free   static analysis tool, only detect XSS and SQL Injection. No home page? Jun 2014
PMD Java free   questionable constructs, dead code, duplicate code June 2018
Polyspace Bug Finder C, C++ MathWorks   defects such as static and dynamic memory problems (null pointer, memory leaks, buffer issues…) as well as data flow, concurrency, security (cryptography, tainted data) issues. The product also checks for coding rule violations, and computes code metrics. Oct 2018
Polyspace Code Prover Ada, C, C++ MathWorks   proves the absence of run-time errors, detects dead-code. The product also checks for coding rule violations, and computes code metrics. Oct 2018
PREfix and PREfast C, C++ Microsoft proprietary     Feb 2006
Progpilot PHP free (MIT License)   Security vulnerabilities, including XSS, SQL injection, code injection, etc. Sources, sinks, sanitizers, and validators are user-configurable. Oct 2018
PT Application Inspector .Net, C#, PHP, Java, JS, C, Mobile languages Positive Technologies   Security vulnerabilities, focusing on web application vulnerabilities, including SQL injection, remote code execution, resource injection, command injection, XML external entity, XSS, and more. Dec 2018
PVS-Studio C, C++, C#, Java Program Verification Systems   PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. July 2019
pylint Python free   Checks for errors and looks for bad code smells. Feb 2014
QA-C, QA-C++, QA-J C, C++, Java PRQA   A suite of static analysis tools, with over 1400 messages. Detects a variety of problems from undefined language features to redundant or unreachable code. Aug 2017
Qualitychecker VB6, Java, C# Qualitychecker   static analysis tool Sep 2007
AppScan C, C++, Java, JSP, ASP.NET, C#, Perl, JavaScript, PHP, Python, etc. HCL Software   coding errors, security vulnerabilities, design flaws, policy violations and offers remediation 2019
RATS (Rough Auditing Tool for Security) C, C++, Perl, PHP, Python free   potential security risks Sep 2013
Reshift Java free   Command Injection, XPath Injection, SQL Injection, Cryptography weaknesses, etc. Software as a Service (SaaS) with ability to integrate into GitHub and other code repositories. Nov 2018
Resource Standard Metrics (RSM) C, C++, C#, and Java M Squared Technologies   Scan for 50 readability or portability problems or questionable constructs, e.g. different number of "new" and "delete" key words or an assignment operator (=) in a conditional (if). Apr 2011
RIPS Java, PHP free and RIPS Tech   Language-specific analysis to detect complex security vulnerabilities, code quality issues and misconfigurations listed in PCI DSS, OWASP Top 10, ASVS, SANS 25, CWE. Integrate into CI/CD, IDE, build, bug tracker and other tools. May 2019
Roslyn Security Guard C# free   SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords, etc. It will find vulnerabilities and in some cases suggest automated fixes. Nov 2016
Semgrep Go, Java, JavaScript, JSON, Python free and r2c   Lightweight static analysis tool for enforcing code standards, finding runtime errors, logic bugs, security vulnerabilities, etc. Developers can use a large registry of rules or write custom rules. Nov 2020
Smatch C free   simple scripts look for problems in simplified representation of code. primarily for Linux kernel code Apr 2006
Snyk Code Java, JavaScript, TypeScript, Python, Frameworks free and Snyk Limited   Real time semantic code analysis based on machine learning. Hard coded secrets, coding issues such as dead code, type inference, division-by-zero, null dereference, data flow issues, API misuse, race conditions, type mismatches, etc. Integration into IDE, Git, CI/CD. July 2021
SonarQube Java, C#, PHP, Python, JavaScript, TypeScript, Kotlin, Ruby, Go, Scala, HTML, CSS, XML, VB.NET, Flex. Paid versions support additional languages: C, C++, Swift, Objective-C, T-SQL, PL/SQL, Apex, COBOL, ABAP, RPG, PL/I free and SonarSource   Finds vulnerabilities, bugs and code smells. Continuous inspection. Clean as you code. Tracks code complexity, unit test coverage and duplication. Nov 2019
SPARK tool set SPARK (Ada subset) AdaCode   ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) Nov 2017
Sparrow SASTSaaS C/C++, Java, JSP, JavaScript, C#, ASP(.NET), Objective-C, PHP, VB.NET, VBScript, HTML, SQL, XML Sparrow   OWASP Top 10, SANS 25, CWE, CERT vulnerabilities, MISRA, efficient and effective issue management based on machine learning technology Software as a Service Oct 2020
Splint C free   security vulnerabilities and coding mistakes. with annotations, it performs stronger checks 2005
SpotBugs Java free   A successor to FindBugs. Checks for more than 400 bug patterns, including XSS, HTTP response splitting, path traversal, hardcoded password, Null dereference, etc. Mar 2019
Static Reviewer C#, Vb.NET, VB6, ASP, ASPX, Java, JSP, JavaScript, TypeScript, eScript, Svelte, APEX, Java Server Faces, Ruby, Python, R, GO, Kotlin, Clojure, Groovy, Flex, ActionScript, PowerShell, Rust, LUA, Auto-IT, HTML5, XML, XPath, C, C++, PHP, SCALA, Objective-C, Objective-C++, SWIFT, IBM Streams Processing Language, Shell, BPMN, BPEL, UiPath, SAIL, COBOL, JCL, RPG, PL/I, ABAP, SAP-HANA, PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, ANSI SQL, IBM DB2, IBM Informix, SAP Sybase, HP Vertica, MySQL, FireBird, PostGreSQL, SQLite, MongoDB, HQL Security Reviewer   Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries May 2020
C, C++, Java, Ada, Assembler LDRA   The TBsecure module for LDRA Testbed comes with the Carnegie Mellon Software Engineering Institute (SEI) CERT C secure coding standard. TBsecure identifies concerns such as buffer overflow, out-of-bounds array access, dangling pointers, double-free, and dereferencing null pointer. Other modules handle High Intergrity C++, HIS, IPA/SEC C, JSF++ AV, MISRA C/C++, and Netrino C. 2017
DefenseCode ThunderScan C#, Java, PHP, ASP, VB.Net, Visual Basic, VBScript, Python, Ruby, Javascript, Node.js, Android Java, IOS Objective C, PL/SQL, C, C++, ColdFusion, Typescript, Groovy, Cobol, Go, SAP/ABAP, ASP.Net, SQL and HTML DefenseCode   More than 60 vulnerability types, including SQL injection, XPATH injection, file disclosure, mail relay, page inclusion, dangerous configuration settings, code injection, dangerous file extensions, shell command execution, dangerous functions, cross site scripting, arbitrary server connection, weak encryption, HTTP response splitting, information leaks, LDAP injection. December 2020
UNO C free   uninitialized variables, null-pointers, and out-of-bounds array indexing and "allows for the specification and checking of a broad range of user-defined properties". aims for a very low false alarm rate.  Oct 2007
Vet Go free   Checks for suspicious constructs, such Printf format string inconsistencies, unreachable code, etc. Mar 2019
Xanitizer Java, Scala, JavaScript, TypeScript, JSP, JSF, Angular RIGS IT GmbH   More than 100 vulnerability types, including SQL injection, XPATH injection, cross-site scripting (XSS), XML external entities (XXE), use of vulnerable libraries, privacy leaks, hard-coded credentials, unsecured cookies, weak cryptography, resource leaks, path traversal, URL redirection July 2020
xg++ C unk   kernel and device driver vulnerabilities in Linux and OpenBSD through range checking, etc. Feb 2005
Yasca Java, C/C++, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, etc. free   a "glorified grep" and aggregator of other tools, including: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS, and Pixy. "It is designed to be very flexible and easy to extend. ... writing a new rule is as easy as coming up with a regular expression" Mar 2020
WAP PHP free   Finds or checks for: SQL Injection (SQLI) / Cross-site scripting (XSS) / Remote File Inclusion (RFI) / Local File Inclusion (LFI) / Directory Traversal or Path Traversal (DT/PT) / Source Code Disclosure (SCD) / OS Command Injection (OSCI) / PHP Code Injection Jan 2016

Other Lists 

Created March 23, 2021, Updated September 3, 2021