Tool Integration Frameworks

Tool integration frameworks capture the analysis results of multiple tools and normalize those results into a common representation, which allows the framework user to effectively use a single "meta-tool".

Tool integration is a technique to take advantage of diversity in automated assurance tool capabilities, both within the same class of tools (e.g., source code analyzers) and across different classes of tools (e.g., source code analyzers and web application scanners).

Some Instances

DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.

Please contact us if you think something should be included. If it has all the characteristics of the tool, techniques, etc., we will be happy to add it. You can contact us at samate(at)nist(dot)gov.

  • Code Dx "is a tool to visualize multiple [Java source code analysis] security tool findings in a single unified interface, putting them into proper context for effective triage and mitigation."
  • TOIF "is a powerful open source vulnerability detection platform. It allows users to analyze systems, for the purpose of performing defect sightings on a project."
  • Yasca "is a source code analysis tool [that] could best be described as a "glorified grep script" plus an aggregator of other open-source tools. Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, Cobol, .NET, and other languages. Yasca can integrate easily with other tools including: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS and Pixy."
Created March 23, 2021, Updated May 17, 2021