Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Source Code Security Analyzers
[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]
For our purposes, a source code security analyzer
- examines source code to
- detect and report weaknesses that can lead to security vulnerabilities.
They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.
Byte Code Scanners and Binary Code Scanners have similarities, but work at lower levels.
Some Instances
DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
Please contact us if you think something should be included. If it has all the characteristics of the tool, techniques, etc., we will be happy to add it. You can contact us at samate(at)nist
| Tool | Language(s) | Avail. | CCR | Finds or Checks for | Updated |
|---|---|---|---|---|---|
| ABASH | Bash | free | String expansion errors, option insertion errors, and other weaknesses that may lead to security vulnerabilities. | Mar 2012 | |
| ApexSec Security Console | PL/SQL(Oracle Apex) | Recx | SQL Injection, Cross-Site Scripting, Access Control and Configuration issues within an Apex application | Mar 2010 | |
| AppScan | C, C++, Java, JSP, ASP.NET, C#, Perl, JavaScript, PHP, Python, etc. | HCL Software | coding errors, security vulnerabilities, design flaws, policy violations and offers remediation | 2019 | |
| Astrée | C | AbsInt | Sound runtime error analyzer finds code defects and security vulnerabilities, e.g., out-of-bounds array indexing, null-pointer dereferences, dangling pointers, divide-by-zeros, buffer overflows, data races. Also checks coding guidelines like MISRA C/C++, SEI CERT C, CWE, and ISO/IEC TS 17961:2013. | Mar 2018 | |
| AttackFlow | Java, C# | AttackFlow | Authorization, authentication, session management, cryptographic issues, input validation, code quality, configuration, and other issues | Jun 2017 | |
| Bearer | JavaScript, Ruby | Bearer | Map sensitive data flows and identify data security risks such as unauthorized data flow, missing encryption, unauthorized access, and more. | Mar 2023 | |
| BOON | C | free | integer range analysis determines if an array can be indexed outside its bounds | Feb 2005 | |
| Brakeman | Ruby on Rails | free | Cross site scripting (XSS), SQL injection, Command injection, Unsafe file access, Unsafe mass assignment, Remote code execution, Cross site request forgery (CSRF), Authentication, File access, Open redirects, Session manipulation, etc. | Jun 2017 | |
| CAST Application Intelligence Platform (AIP) | ABAP, .NET, ASP.NET, VB.NET, C#, .NET Frameworks, LINQ to Objects, LINQ to DataSets, C and C++, Visual C, IBM DB2 SQC/SQC++, Cobol ANSI 85, JCL z/OS, IMS/DB, CICS, Java JDK, Java Server Faces, JSP, Struts Framework, Hibernate, JPA, EJB, Spring IoC, WSDL, CDI, JavaScript, HTML, XHTML, ASP, Microsoft VB, IBM DB2, Oracle PL/SQL, Postgress, MS SQL | CAST | SQL Injection, Cross Site Scripting (XSS), Input Validation, Insecure Cryptographic Storage, Information Leakage and Improper Error Handling, Data Access, API Abuse, Encapsulation | May 2017 | |
| C/C++test® | C, C++ | Parasoft | defects such as memory leaks, buffer issues, security issues and arithmetic issues, plus SQL injection, cross-site scripting, exposure of sensitive data and other potential issues | Dec 2013 | |
| dotTEST™ | C#, VB.NET, MC++ | ||||
| Jtest® | Java | ||||
| CodeThreat | C#, ASP.NET, Java, JSP, JavaScript, TypeScript, Android, C, C++, ColdFusion, XML | CodeThreat | Finds vulnerabilities that could lead to impacts such as injection, XSS, code execution, authentication bypass, unauthorized data access, etc. Analyzes the root causes of these weaknesses, focusing on areas such as secure development practices, validation processes, configuration management, and cryptography, code quality, among others. Identifies security weaknesses across several standards including HIPAA, CWE, PCI DSS, OWASP Top 10, and ISO27001. Integration with CI/CD pipelines complements a robust DevSecOps strategy, and AI-powered features provide actionable insights with code fix suggestions and potential attack scenarios, helping developers remediate identified issues promptly. | Nov 2023 | |
| CodeValor | Fortran, Java, C/C++, Ada, Python, JavaScript, TypeScript, C#, GoLang | Sentar | Checks for coding standard violations, undefined values, syntax violations, security vulnerabilities, including injection, overflow, dead code, race conditions, etc. Ability to correlate scan findings to CWEs and STIGs. Provides a report generation capability that produces a summary style report as well as an exportable POA&M Excel file. Approved for DoD Platform One Iron Bank and can be run on-premises or in a cloud/virtual environment. Findings can be filtered and sorted by impact rating, file name, and CWE. supports repositories from GitHub, GitLab, and BitBucket. CI/CD pipeline integration. | Feb 2023 | |
| CxSAST | Java, JavaScript, PHP, C#, VB.NET, VB6, ASP.NET, C/C++, Apex, Ruby, Perl, Objective-C, Python, Groovy, HTML5, Swift, APEX, J2SE, J2EE | Checkmarx | All OWASP Top 10 and SANS 25 vulnerabilities and compliance with PCI-DSS, HIPAA, and MISRA requirements along with custom queries, all with a low rate of false-positives and easy to integrate throughout the SDLC. | Mar 2016 | |
| Clang Static Analyzer | C, Objective-C | free | Resports dead stores, memory leaks, null pointer deref, and more. Uses source annotations like "nonnull". | Aug 2010 | |
| Closure Compiler | JavaScript | free | Removes dead code, checks syntax, variable references and types and warns about common JavaScript pitfalls. | Feb 2014 | |
| Codiga | Apex, C, C++, C#, Dart, Docker, Go, Java, Javascript, Kotlin, PHP, Python, Ruby, Scala, shellscript, Terraform, Typescript, YAML | free and Codiga | Checks for security, safety, design, performance, documentation issues in the code. Combines and tunes output from multiple static analysis tools. Checks that the developer uses best practices, computes code quality measures and technical debt. Integrates into CI/CD and code repositories. | Dec 2021 | |
| CodeCenter | C | ICS | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | Apr 2011 | |
| CodePeer | Ada | AdaCore | detects uninitialized data, pointer misuse, buffer overflow, numeric overflow, division by zero, dead code, concurrency faults (race conditions), unused variables, etc. | Apr 2010 | |
| CodeSecure | ASP.NET, C#, PHP, Java, JSP, VB.NET, others | Armorize Technologies | XSS, SQL Injection, Command Injection, tainted data flow, etc. | Aug 2012 | |
| CodeSonar | C/C++, C#, Java, Android | CodeSecure | Data Races, Deadlocks, Thread Starvation, Buffer Overruns, Buffer Overflow, Leaks, Null Pointer Dereferences, Divide By Zero, Use After Free, Free of Non-Heap Variables, Uninitialized Variables, Returns of Pointers to Local, Returns of Pointers to Free, Free of Null Pointer, Unreachable Code, Try-locks that Cannot Succeed, Misuse of Memory Allocation, Misuse of Memory Copying, Misuse of Libraries, Command Injection, User-Defined Bug Classes, Runtime Error, Double Free, etc. | Feb 2024 | |
| Corgea | Go, Java, Javascript, PHP, Python, Ruby, Typescript, C#, Kotlin, C, C++ | Corgea | AI-powered SAST scanner that finds business logic flaws, broken authentication, API vulnerabilities, and more. Additionally, it automatically suggests security fixes. Integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. | Mar 2025 | |
| Coverity | C/C++, C#, Java, Apex, CUDA, JavaScript, TypeScript, Python, PHP, Go, Ruby, Swift, Fortran, Kotlin, and others | Synopsys | Identifies a wide variety of software quality defects and security vulnerabilities including comprehensive OWASP Top 10 and CWE Top 25 coverage, hardcoded secrets detection, unsafe data handling, race conditions, injection vulnerabilities, and resource leaks. Runs in CI/CD, IDE or build environment. MISRA, CERT and AUTOSAR support. | Apr 2023 | |
| Cppcheck | C, C++ | free | pointer to a variable that goes out of scope, bounds, classes (missing constructors, unused private functions, etc.), exception safety, memory leaks, invalid STL usage, overlapping data in sprintf, division by zero, null pointer dereference, unused struct member, passing parameter by value, etc. Aims for no false positives. | Feb 2010 | |
| CQual | C | free | User-defined types extend the C type system with type qualifiers to perform a taint analysis. | Feb 2005 | |
| Credential Digger | Any source code | SAP | Identifies hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, etc.), filtering false positives using its open-source machine learning model (Password Model). | Mar 2023 | |
| Csur | C | free | cryptographic protocol-related vulnerabilities | Apr 2006 | |
| DeepSource | Go, Python, Java, JavaScript, Ruby, SQL, Shell, Docker, Terraform | free and DeepSource Corp. | All OWASP Top 10 security issues, hard-coded credentials, bug risks, anti-patterns, performance, and other issue categories. Integrates with GitHub and other code repositories. Integrates reports from test coverage tools. | Jun 2021 | |
| DefenseCode ThunderScan | C#, Java, PHP, ASP, VB.Net, Visual Basic, VBScript, Python, Ruby, Javascript, Node.js, Android Java, IOS Objective C, PL/SQL, C, C++, ColdFusion, Typescript, Groovy, Cobol, Go, SAP/ABAP, ASP.Net, SQL and HTML | DefenseCode | More than 60 vulnerability types, including SQL injection, XPATH injection, file disclosure, mail relay, page inclusion, dangerous configuration settings, code injection, dangerous file extensions, shell command execution, dangerous functions, cross site scripting, arbitrary server connection, weak encryption, HTTP response splitting, information leaks, LDAP injection. | Dec 2020 | |
| DerScanner | ABAP, Apex, C, C#, C++, COBOL, Dart, Go, Groovy, HTML, HTML5, Java, Scala, Kotlin, JavaScript, TypeScript, LotusScript, Delphi, Pascal, PHP, SQL, PL/SQL, T-SQL, Python 2, Python 3, Perl, Ruby, Rust, Solidity, Objective-C, Swift, TSX, Vyper, 1C, YAML, TOML, XML, Bash, Powershell, Visual Basic .Net, VBA (Visual Basic for Applications), VBScript (Visual Basic Script), Visual Basic 6 | DerSecur Ltd. | Identifies vulnerabilities and backdoors using various analysis methods (SAST, DAST, SCA). DerScanner SAST module can perform static analysis not only of the source code, but also of executable files (binary code). In addition to the static analysis module, DerScanner includes a dynamic analysis module that can analyze web applications for vulnerabilities by simulating malicious external attacks and exploiting common vulnerabilities. Also provides a correlation between static and dynamic analysis results so that the vulnerabilities found using the static method can be dynamically validated. Provides flexible on-premises or cloud deployment, seamless CI/CD integration. | Mar 2025 | |
| Dlint | Python | free | Checks for poor coding practices and security issues. | Nov 2019 | |
| DoubleCheck | C, C++ | Green Hills Software | like buffer overflows, resource leaks, invalid pointer references, and violations of ... MISRA | Jul 2007 | |
| Enlightn | PHP, Laravel | free | SQL injection, mass assignment, Cross-site scripting (XSS), Cookie and session security, CSRF, unrestricted file uploads, directory traversal, open redirection, command injection, object injection, host injection, eval code injection, extract variable hijacking, security headers, app debug mode, encryption, authentication and vulnerable dependency scanning | Jan 2021 | |
| FindBugs | Java, Groovy, Scala | free | Null pointer deferences, synchronization errors, vulnerabilities to malicious code, etc. It can be used to analyse any JVM languages. The last version of FindBugs was released in March 2015 (In contrast, SpotBugs is being actively developed). | Mar 2019 | |
| FindSecurityBugs | Java, Groovy, Scala, Android apps | free | Extends SpotBugs with more security detectors (Command Injection, XPath Injection, SQL/HQL Injection, Cryptography weakness and many more). | Mar 2019 | |
| Flawfinder | C/C++ | free | uses of risky functions, buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()). | 2005 | |
| Flawnter | C/C++, C#, Java, Javascript, NodeJS, PHP, Kotlin, Golang, Python, Perl, Ruby, Objective-C, Swift, SAP ABAP | CyberTest | Code Execution (RCE, ACE and more), Injection (SQL, XML, LOG and more), Cross-Site Scripting (Reflected and Stored), Buffer Over-read/Over-run/overflow, Security Misconfiguration, Sensitive Data Exposure, Insufficient Cryptography, Insecure Communication, Broken Access Control, Broken Authentication, Hard Coded Passwords, Incorrect Function Usage, Path Traversal Attacks, File Manipulation, Memory Leaks, Deadlocks, Race Conditions, etc. Also analyzes Windows executables. | Nov 2023 | |
| Fortify Static Code Analyzer | ASP.NET, C, C++, C# and other .NET languages, Swift, COBOL, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, XML, and others | Micro Focus | security vulnerabilities, tainted data flow, etc. | Mar 2019 | |
| Frama-C | C | Free | Runtime errors (exhaustive checking of buffer overflows, null/dangling pointer usage, division by zero, uninitialized memory access, use-after-free, and others); checks information flow via taint analysis; enables specification and proof of functional security properties. Checkers operate both via static analysis and runtime monitoring. | Feb 2022 | |
| GitGuardian for Internal Repositories Monitoring | Language agnostic, binary files excluded | Free and GitGuardian | Hardcoded credentials. Automates secrets detection and remediation throughout the software development lifecycle. | Nov 2021 | |
| GitLab SAST | .NET, C/C++, Go, Java, JavaScript, PHP, Python, Ruby, Scala | GitLab | Dangerous attributes in classes, unsafe code that can lead to code execution, injection attacks, etc. | Nov 2020 | |
| Gosec | Go | free | Checks for security problems including hard-coded credentials, path traversal, insecure random number, etc. | Mar 2019 | |
| Helix QAC | C and C++ | Perforce | Focused on the tightly regulated and safety-critical industries, such as automotive, aerospace and defense, rail, and medical devices. Organizations that need to meet rigorous compliance requirements and verify compliance with coding standards — such as MISRA and AUTOSAR — and functional safety standards, such as ISO 26262 have implemented the tool. Certified for functional safety compliance by TÜV-SÜD, including IEC 61508, ISO 26262, EN 50128, IEC 60880, and IEC 62304. In addition, it is certified in ISO 9001 and TickIT plus Foundation Level. Supports most compilers and integrates with IDEs, version control systems, and continuous integration build servers. Developers can prioritize coding issues based on severity, use filters, suppressions, and create custom rules. | Jan 2022 | |
| HP Code Advisor (cadvise) | C, C++ | HP | many lint-like checks plus memory leak, potential null pointer dereference, tainted data for file paths, and many others | Dec 2013 | |
| JFrog SAST | Java, JavaScript, TypeScript, Python, Go | JFrog | JFrog SAST identifies issues such as SQL injection, command injection, SSRF, and unsafe API usage in critical operations like encryption and file handling. Focused on detecting zero-day vulnerabilities in source code, minimizing false positives. With integrations into IDEs, Git, and CI/CD pipelines, it enables developers to identify and address vulnerabilities early in the development lifecycle. | Dec 2024 | |
| Jlint | Java | free | bugs, inconsistencies, and synchronization problems | Aug 2012 | |
| Klocwork | C, C++, C#, Java, JavaScript, Python | Perforce | Identifies software security, quality, and reliability issues helping to enforce compliance with standards. Checks for security vulnerability types: SQL Injection, Tainted Data, Buffer Overflow, Vulnerable Coding Practices, and many more. Checks for bugs, quality issues, code smells: Null Pointer Dereferences/Exceptions, Memory/Resource Leaks, Uncaught Exceptions, and many more. Built for enterprise DevOps and DevSecOps, integrates with large complex environments, a wide range of developer tools, and provides control, collaboration, and reporting. Differential Analysis engine provides instant analysis results and integrates seamlessly with CI/CD pipelines to automate Continuous Compliance. | Jan 2022 | |
| Kiuwan | Abap, ActionScript, ASP.NET, C/C++, C#, Cobol, HTML, Java, Javascript, JSP, Objective-C, PHP, PowerScript, Python, RPG, VB6, VB.net | Kiuwan | OWASP member, CWE certified, full compliance with SANS 25, PCI-DSS, HIPAA, WASC, MISRA-C, BIZEC, ISO 25000, ISO 9126, CERT-C, CERT-J. Over 4500 rules including: SQL injection, encryption and randomness, file handling, information leaks, number handling, control flow management, initialization and shutdown, design error, system element isolation, error handling and fault isolation, pointer and reference handling, misconfiguration, permissions, privileges and access controls, buffer handling | Sep 2017 | |
| Lucent Sky AVM | .NET (C# and VB.NET), ASP, Android (C#, Java, and Kotlin), C and C++, ECMAScript, Go, iOS (C#, Objective-C, and Swift), JDK (Groovy, Java, and Scala), PHP, Python, Ruby, Visual Basic | Lucent Sky | Automatically finds and fixes application vulnerabilities, including cross-site scripting, SQL injection, path manipulation, etc., in source code. | Mar 2023 | |
| ObjectCenter | C/C++ | ICS | "run-time and static error detection ... more than 250 types of errors, including more than 80 run-time errors ... inter-module inconsistencies" | Apr 2011 | |
| Offensive360 | C#, Java, PHP, Javascript, TypeScript, React, Angular, Docker, XML, HTML, YAML, DLL | Offensive360 | Detect security vulnerabilities, perform malware analysis, license analysis, etc. Does not require building the source code. | Jul 2021 | |
| Oversecured | Java, Kotlin, Swift | Oversecured Inc | Enterprise vulnerability scanner for Android and iOS apps. Integrates into the development process to help app owners and developers secure each new version of the mobile app. | Dec 2021 | |
| Parfait | C/C++ ? | Oracle proprietary | Apr 2013 | ||
| PHP-Sat | PHP | free | static analysis tool, XSS, etc. description | Sep 2006 | |
| Pixy | PHP | free | static analysis tool, only detect XSS and SQL Injection. No home page? | Jun 2014 | |
| PLSQLScanner 2008 | PLSQL | Red-Database-Security | SQL Injection, hardcoded passwords, Cross-site scripting (XSS), etc. | Jun 2008 | |
| PMD | Java | free | questionable constructs, dead code, duplicate code | Jun 2018 | |
| Polyspace Bug Finder | C, C++ | MathWorks | Identifies security vulnerabilities, runtime errors, concurrency issues, and other C and C++ source code defects. Analyzes software control flow, data flow, and interprocedural behavior using static analysis, including semantic analysis. Checks compliance with coding rule standards such as CERT C, CERT C++, CWE, MISRA C, MISRA C++, AUTOSAR C++14, and custom naming conventions. To measure code maintainability, it computes code quality metrics, including cyclomatic complexity. | Mar 2023 | |
| Polyspace Code Prover | Ada, C, C++ | MathWorks | Uses static analysis and abstract interpretation based on formal methods to exhaustively verify each code statement against runtime correctness to prove the absence of critical security vulnerabilities such as buffer overflows, numerical overflows, divide-by-zero, and other runtime errors in C, C++, and Ada source code. Performs value range analysis to provide runtime information at each statement. It generates the exhaustive runtime function call tree and global memory access table to facilitate control and data flow analysis. | Mar 2023 | |
| PREfix and PREfast | C, C++ | Microsoft proprietary | Feb 2006 | ||
| Progpilot | PHP | free (MIT License) | Security vulnerabilities, including XSS, SQL injection, code injection, etc. Sources, sinks, sanitizers, and validators are user-configurable. | Oct 2018 | |
| PT Application Inspector | .Net, C#, PHP, Java, JS, C, Mobile languages | Positive Technologies | Security vulnerabilities, focusing on web application vulnerabilities, including SQL injection, remote code execution, resource injection, command injection, XML external entity, XSS, and more. | Dec 2018 | |
| PVS-Studio | C, C++, C#, Java | Program Verification Systems | PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. | Jul 2019 | |
| pylint | Python | free | Checks for errors and looks for bad code smells. | Feb 2014 | |
| Qualitychecker | VB6, Java, C# | Qualitychecker | static analysis tool | Sep 2007 | |
| RATS (Rough Auditing Tool for Security) | C, C++, Perl, PHP, Python | free | potential security risks | Sep 2013 | |
| Reshift | Java | free | Command Injection, XPath Injection, SQL Injection, Cryptography weaknesses, etc. Software as a Service (SaaS) with ability to integrate into GitHub and other code repositories. | Nov 2018 | |
| Resource Standard Metrics (RSM) | C, C++, C#, and Java | M Squared Technologies | Scan for 50 readability or portability problems or questionable constructs, e.g. different number of "new" and "delete" key words or an assignment operator (=) in a conditional (if). | Apr 2011 | |
| RIPS | Java, PHP | free and RIPS Tech | Language-specific analysis to detect complex security vulnerabilities, code quality issues and misconfigurations listed in PCI DSS, OWASP Top 10, ASVS, SANS 25, CWE. Integrate into CI/CD, IDE, build, bug tracker and other tools. | May 2019 | |
| Roslyn Security Guard | C# | free | SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords, etc. It will find vulnerabilities and in some cases suggest automated fixes. | Nov 2016 | |
| Semgrep | Go, Java, JavaScript, JSON, Python | free and r2c | Lightweight static analysis tool for enforcing code standards, finding runtime errors, logic bugs, security vulnerabilities, etc. Developers can use a large registry of rules or write custom rules. | Nov 2020 | |
| Smatch | C | free | simple scripts look for problems in simplified representation of code. primarily for Linux kernel code | Apr 2006 | |
| Snyk Code | Java, JavaScript, TypeScript, Python, Frameworks | free and Snyk Limited | Real time semantic code analysis based on machine learning. Hard coded secrets, coding issues such as dead code, type inference, division-by-zero, null dereference, data flow issues, API misuse, race conditions, type mismatches, etc. Integration into IDE, Git, CI/CD. | Jul 2021 | |
| SonarQube | Java, C#, PHP, Python, JavaScript, TypeScript, Kotlin, Ruby, Go, Scala, HTML, CSS, XML, VB.NET, Flex. Paid versions support additional languages: C, C++, Swift, Objective-C, T-SQL, PL/SQL, Apex, COBOL, ABAP, RPG, PL/I | free and SonarSource | Finds vulnerabilities, bugs and code smells. Continuous inspection. Clean as you code. Tracks code complexity, unit test coverage and duplication. | Nov 2019 | |
| SPARK tool set | SPARK (Ada subset) | AdaCode | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | Nov 2017 | |
| Sparrow SASTSaaS | C/C++, Java, JSP, JavaScript, C#, ASP(.NET), Objective-C, PHP, VB.NET, VBScript, HTML, SQL, XML | Sparrow | OWASP Top 10, SANS 25, CWE, CERT vulnerabilities, MISRA, efficient and effective issue management based on machine learning technology Software as a Service | Oct 2020 | |
| Splint | C | free | security vulnerabilities and coding mistakes. with annotations, it performs stronger checks | 2005 | |
| SpotBugs | Java | free | A successor to FindBugs. Checks for more than 400 bug patterns, including XSS, HTTP response splitting, path traversal, hardcoded password, Null dereference, etc. | Mar 2019 | |
| Static Reviewer | C#, Vb.NET, VB6, ASP, ASPX, Java, JSP, JavaScript, TypeScript, eScript, Svelte, APEX, Java Server Faces, Ruby, Python, R, GO, Kotlin, Clojure, Groovy, Flex, ActionScript, PowerShell, Rust, LUA, Auto-IT, HTML5, XML, XPath, C, C++, PHP, SCALA, Objective-C, Objective-C++, SWIFT, IBM Streams Processing Language, Shell, BPMN, BPEL, UiPath, SAIL, COBOL, JCL, RPG, PL/I, ABAP, SAP-HANA, PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, ANSI SQL, IBM DB2, IBM Informix, SAP Sybase, HP Vertica, MySQL, FireBird, PostGreSQL, SQLite, MongoDB, HQL | Security Reviewer | Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries | May 2020 | |
| TBmisra Testbed | C, C++, Java, Ada, Assembler | LDRA | The TBsecure module for LDRA Testbed comes with the Carnegie Mellon Software Engineering Institute (SEI) CERT C secure coding standard. TBsecure identifies concerns such as buffer overflow, out-of-bounds array access, dangling pointers, double-free, and dereferencing null pointer. Other modules handle High Integrity C++, HIS, IPA/SEC C, JSF++ AV, MISRA C/C++, and Netrino C. | 2017 | |
| TrustInSoft Analyzer | C and C++ | TrustInSoft | Exhaustive detection of coding errors and their associated security vulnerabilities. This encompasses a sound undefined behavior detection (out-of-bounds array accesses, null-pointer dereferences, dangling pointers usage, divide-by-zeros, buffer overflows, uninitialized memory accesses, use-after-free, strict aliasing violations, signed overflows, invalid pointer arithmetic, invalid accesses to memory mapped regions, access to invalid references and iterators, invalid static_casts, etc.), data flow and control flow verification as well as full functional verification of formal specifications. All versions of C up to 18 and C++ up to 20 are supported. A MISRA C checker is bundled with TrustInSoft Analyzer. | Jan 2023 | |
| UNO | C | free | uninitialized variables, null-pointers, and out-of-bounds array indexing and "allows for the specification and checking of a broad range of user-defined properties". aims for a very low false alarm rate. | Oct 2007 | |
| Vet | Go | free | Checks for suspicious constructs, such Printf format string inconsistencies, unreachable code, etc. | Mar 2019 | |
| WAP | PHP | free | Finds or checks for: SQL Injection (SQLI) / Cross-site scripting (XSS) / Remote File Inclusion (RFI) / Local File Inclusion (LFI) / Directory Traversal or Path Traversal (DT/PT) / Source Code Disclosure (SCD) / OS Command Injection (OSCI) / PHP Code Injection | Jan 2016 | |
| Xanitizer | Java, Scala, JavaScript, TypeScript, JSP, JSF, Angular | RIGS IT GmbH | More than 100 vulnerability types, including SQL injection, XPATH injection, cross-site scripting (XSS), XML external entities (XXE), use of vulnerable libraries, privacy leaks, hard-coded credentials, unsecured cookies, weak cryptography, resource leaks, path traversal, URL redirection | Jul 2020 | |
| xg++ | C | unk | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking, etc. | Feb 2005 | |
| Yasca | Java, C/C++, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, etc. | free | a "glorified grep" and aggregator of other tools, including: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS, and Pixy. "It is designed to be very flexible and easy to extend. ... writing a new rule is as easy as coming up with a regular expression" | Mar 2020 |
Other Lists
- Github list of static analysis tools by programming language. Includes static analysis for config files, HTML, LaTeX, etc.
- The Spin site hosts a list of commercial and research Static Source Code Analysis Tools for C and has links to other tools and lists.
- Flawfinder site has links to other tools.
- Wikipedia has a List of tools for static code analysis covering all kinds of analysis.
- Kompar is a searchable catalog of software analyzers documenting seven categories of tool capabilities.
Created March 23, 2021, Updated March 19, 2025