
Source Code Security Analyzers


For our purposes, a source code security analyzer

1. examines source code to
2. detect and report weaknesses that can lead to security vulnerabilities.

They are one of the last lines of defense to eliminate software vulnerabilities during
development or after deployment. A Source Code Security Analysis Tool Functional
Specification is available.

Byte Code Scanners and Binary Code Scanners have similarities, but work at lower levels.

Some Instances
DISCLAIMER: Certain trade names and company products are mentioned in the text or
identified. In no case does such identification imply recommendation or endorsement by
the National Institute of Standards and Technology (NIST), nor does it imply that the
products are necessarily the best available for the purpose.

By selecting almost any of these links, you will be leaving NIST webspace. We provide these
links because they may have information of interest to you. No inferences should be drawn
because some sites are referenced, or not, from this page. There may be other web sites that
are more appropriate for your purpose. NIST does not necessarily endorse the views
expressed, or concur with the assertions presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on these sites.

Please contact us if you think something should be included. If it has all the characteristics of
the tool, techniques, etc., we will be happy to add it. You can contact us at samate(at)nist

| Tool | Language(s) | Avail. | Finds or checks for | Updated |
|---|---|---|---|---|
| ABASH | Bash | free | String expansion errors, option insertion errors, and other weaknesses that may lead to security vulnerabilities. | Mar 2012 |
| ApexSec Security Console | PL/SQL (Oracle Apex) | Recx | SQL Injection, Cross-Site Scripting, Access Control and Configuration issues within an Apex application | Mar 2010 |
| AppScan | C, C++, Java, JSP, ASP.NET, C#, Perl, JavaScript, PHP, Python, etc. | HCL Software | coding errors, security vulnerabilities, design flaws, policy violations and offers remediation | 2019 |
| AppSonar | C/C++, C#, Java, Javascript, NodeJS, PHP, Kotlin, Golang, Python, Perl, Ruby, Objective-C, Swift, SAP ABAP | CyberTest | Code Execution (RCE, ACE and more), Injection (SQL, XML, LOG and more), Cross-Site Scripting (Reflected and Stored), Buffer Over-read/Over-run/overflow, Security Misconfiguration, Sensitive Data Exposure, Insufficient Cryptography, Insecure Communication, Broken Access Control, Broken Authentication, Hard Coded Passwords, Incorrect Function Usage, Path Traversal Attacks, File Manipulation, Memory Leaks, Deadlocks, Race Conditions, etc. Also analyzes Windows executables. | Oct 2021 |
| Astrée | C | AbsInt | Sound runtime error analyzer finds code defects and security vulnerabilities, e.g., out-of-bounds array indexing, null-pointer dereferences, dangling pointers, divide-by-zeros, buffer overflows, data races. Also checks coding guidelines like MISRA C/C++, SEI CERT C, CWE, and ISO/IEC TS 17961:2013. | Mar 2018 |
| AttackFlow | Java, C# | AttackFlow | Authorization, authentication, session management, cryptographic issues, input validation, code quality, configuration, and other issues | June 2017 |
| Bearer | C#, Go, Java, Javascript, PHP, Python, Ruby, VB.NET | Bearer | Map sensitive data flows and identify data security risks such as unauthorized data flow, missing encryption, unauthorized access, and more. | Dec 2021 |
| BOON | C | free | integer range analysis determines if an array can be indexed outside its bounds | Feb 2005 |
| Brakeman | Ruby on Rails | free and Brakeman | Cross site scripting (XSS), SQL injection, Command injection, Unsafe file access, Unsafe mass assignment, Remote code execution, Cross site request forgery (CSRF), Authentication, File access, Open redirects, Session manipulation, etc. | June 2017 |
| CAST Application Intelligence Platform (AIP) | ABAP, .NET, ASP.NET, VB.NET, C#, .NET Frameworks, LINQ to Objects, LINQ to DataSets, C and C++, Visual C, IBM DB2 SQC/SQC++, Cobol ANSI 85, JCL z/OS, IMS/DB, CICS, Java JDK, Java Server Faces, JSP, Struts Framework, Hibernate, JPA, EJB, Spring IoC, WSDL, CDI, JavaScript, HTML, XHTML, ASP, Microsoft VB, IBM DB2, Oracle PL/SQL, PostgreSQL, MS SQL | CAST | SQL Injection, Cross Site Scripting (XSS), Input Validation, Insecure Cryptographic Storage, Information Leakage and Improper Error Handling, Data Access, API Abuse, Encapsulation | May 2017 |
| C/C++test®, dotTEST™, Jtest® | C, C++ (C/C++test); C#, VB.NET, MC++ (dotTEST); Java (Jtest) | Parasoft | defects such as memory leaks, buffer issues, security issues and arithmetic issues, plus SQL injection, cross-site scripting, exposure of sensitive data and other potential issues | Dec 2013 |
| CxSAST | Java, JavaScript, PHP, C#, VB.NET, VB6, ASP.NET, C/C++, Apex, Ruby, Perl, Objective-C, Python, Groovy, HTML5, Swift, APEX, J2SE, J2EE | Checkmarx | All OWASP Top 10 and SANS 25 vulnerabilities and compliance with PCI-DSS, HIPAA, and MISRA requirements along with custom queries, all with a low rate of false-positives and easy to integrate throughout the SDLC. | Mar 2016 |
| Clang Static Analyzer | C, Objective-C | free | Reports dead stores, memory leaks, null pointer deref, and more. Uses source annotations like "nonnull". | Aug 2010 |
| Closure Compiler | JavaScript | free | Removes dead code, checks syntax, variable references and types and warns about common JavaScript pitfalls. | Feb 2014 |
| Codiga | Apex, C, C++, C#, Dart, Docker, Go, Java, Javascript, Kotlin, PHP, Python, Ruby, Scala, shellscript, Terraform, Typescript, YAML | free and Codiga | Checks for security, safety, design, performance, documentation issues in the code. Combines and tunes output from multiple static analysis tools. Checks that the developer uses best practices, computes code quality measures and technical debt. Integrates into CI/CD and code repositories. | Dec 2021 |
| CodeCenter | C | ICS | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | Apr 2011 |
| CodePeer | Ada | AdaCore | detects uninitialized data, pointer misuse, buffer overflow, numeric overflow, division by zero, dead code, concurrency faults (race conditions), unused variables, etc. | Apr 2010 |
| CodeSecure | ASP.NET, C#, PHP, Java, JSP, VB.NET, others | Armorize Technologies | XSS, SQL Injection, Command Injection, tainted data flow, etc. | Aug 2012 |
| CodeSonar | C/C++, C#, Java, Android | GrammaTech | Data Races, Deadlocks, Thread Starvation, Buffer Overruns, Buffer Overflow, Leaks, Null Pointer Dereferences, Divide By Zero, Use After Free, Free of Non-Heap Variables, Uninitialized Variables, Returns of Pointers to Local, Returns of Pointers to Free, Free of Null Pointer, Unreachable Code, Try-locks that Cannot Succeed, Misuse of Memory Allocation, Misuse of Memory Copying, Misuse of Libraries, Command Injection, User-Defined Bug Classes, Runtime Error, Double Free, etc. | Oct 2021 |
| Coverity | C, C++, Java, C# | Synopsys | flaws and security vulnerabilities; reduces false positives while minimizing the likelihood of false negatives. | Apr 2011 |
| Cppcheck | C, C++ | free | pointer to a variable that goes out of scope, bounds, classes (missing constructors, unused private functions, etc.), exception safety, memory leaks, invalid STL usage, overlapping data in sprintf, division by zero, null pointer dereference, unused struct member, passing parameter by value, etc. Aims for no false positives. | Feb 2010 |
| CQual | C | free | User-defined types extend the C type system with type qualifiers to perform a taint analysis. | Feb 2005 |
| Csur | C | free | cryptographic protocol-related vulnerabilities | Apr 2006 |
| DeepSource | Go, Python, Java, JavaScript, Ruby, SQL, Shell, Docker, Terraform | free and DeepSource Corp. | All OWASP Top 10 security issues, hard-coded credentials, bug risks, anti-patterns, performance, and other issue categories. Integrates with GitHub and other code repositories. Integrates reports from test coverage tools. | June 2021 |
| DefenseCode ThunderScan | C#, Java, PHP, ASP, VB.Net, Visual Basic, VBScript, Python, Ruby, Javascript, Node.js, Android Java, iOS Objective C, PL/SQL, C, C++, ColdFusion, Typescript, Groovy, Cobol, Go, SAP/ABAP, ASP.Net, SQL and HTML | DefenseCode | More than 60 vulnerability types, including SQL injection, XPATH injection, file disclosure, mail relay, page inclusion, dangerous configuration settings, code injection, dangerous file extensions, shell command execution, dangerous functions, cross site scripting, arbitrary server connection, weak encryption, HTTP response splitting, information leaks, LDAP injection. | December 2020 |
| DerScanner | Java, Java for Android, JavaScript, JSP, TypeScript, VBScript, Scala, HTML5, PHP, Python, Groovy, Kotlin, Go, Ruby, C#, C/C++, Objective-C, Swift, ABAP, Apex, Solidity, Vyper, PL/SQL, T-SQL, Visual Basic 6.0, Delphi, COBOL, 1C, VBA, ASP.NET, Perl, Rust | DerSecur Ltd. | DerScanner is a static app code analyzer capable of identifying vulnerabilities and backdoors (undocumented features). Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries). Aims to detect almost all known defects leading to vulnerabilities. | June 2020 |
| Dlint | Python | free | Checks for poor coding practices and security issues. | Nov 2019 |
| DoubleCheck | C, C++ | Green Hills Software | like buffer overflows, resource leaks, invalid pointer references, and violations of ... MISRA | Jul 2007 |
| Enlightn | PHP, Laravel | free | SQL injection, mass assignment, Cross-site scripting (XSS), Cookie and session security, CSRF, unrestricted file uploads, directory traversal, open redirection, command injection, object injection, host injection, eval code injection, extract variable hijacking, security headers, app debug mode, encryption, authentication and vulnerable dependency scanning | Jan 2021 |
| FindBugs | Java, Groovy, Scala | free | Null pointer dereferences, synchronization errors, vulnerabilities to malicious code, etc. It can be used to analyse any JVM languages. The last version of FindBugs was released in March 2015 (in contrast, SpotBugs is being actively developed). | Mar 2019 |
| FindSecurityBugs | Java, Groovy, Scala, Android apps | free | Extends SpotBugs with more security detectors (Command Injection, XPath Injection, SQL/HQL Injection, Cryptography weakness and many more). | Mar 2019 |
| Flawfinder | C/C++ | free | uses of risky functions, buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()). | 2005 |
| Fortify Static Code Analyzer | ASP.NET, C, C++, C# and other .NET languages, Swift, COBOL, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, XML, and others | Micro Focus | security vulnerabilities, tainted data flow, etc. | Mar 2019 |
| Frama-C | C | Free | Runtime errors (exhaustive checking of buffer overflows, null/dangling pointer usage, division by zero, uninitialized memory access, use-after-free, and others); checks information flow via taint analysis; enables specification and proof of functional security properties. Checkers operate both via static analysis and runtime monitoring. | Feb 2022 |
| GitGuardian for Internal Repositories Monitoring | Language agnostic, binary files excluded | Free and GitGuardian | Hardcoded credentials. Automates secrets detection and remediation throughout the software development lifecycle. | Nov 2021 |
| GitLab SAST | .NET, C/C++, Go, Java, JavaScript, PHP, Python, Ruby, Scala | GitLab | Dangerous attributes in classes, unsafe code that can lead to code execution, injection attacks, etc. | Nov 2020 |
| Gosec | Go | free | Checks for security problems including hard-coded credentials, path traversal, insecure random number, etc. | Mar 2019 |
| Helix QAC | C and C++ | Perforce | Focused on the tightly regulated and safety-critical industries, such as automotive, aerospace and defense, rail, and medical devices. Organizations that need to meet rigorous compliance requirements and verify compliance with coding standards — such as MISRA and AUTOSAR — and functional safety standards, such as ISO 26262, have implemented the tool. Certified for functional safety compliance by TÜV-SÜD, including IEC 61508, ISO 26262, EN 50128, IEC 60880, and IEC 62304. In addition, it is certified in ISO 9001 and TickIT plus Foundation Level. Supports most compilers and integrates with IDEs, version control systems, and continuous integration build servers. Developers can prioritize coding issues based on severity, use filters, suppressions, and create custom rules. | Jan 2022 |
| HP Code Advisor (cadvise) | C, C++ | HP | many lint-like checks plus memory leak, potential null pointer dereference, tainted data for file paths, and many others | Dec 2013 |
| Jlint | Java | free | bugs, inconsistencies, and synchronization problems | Aug 2012 |
| Klocwork | C, C++, C#, Java, JavaScript, Python | Perforce | Identifies software security, quality, and reliability issues helping to enforce compliance with standards. Checks for security vulnerability types: SQL Injection, Tainted Data, Buffer Overflow, Vulnerable Coding Practices, and many more. Checks for bugs, quality issues, code smells: Null Pointer Dereferences/Exceptions, Memory/Resource Leaks, Uncaught Exceptions, and many more. Built for enterprise DevOps and DevSecOps, integrates with large complex environments, a wide range of developer tools, and provides control, collaboration, and reporting. Differential Analysis engine provides instant analysis results and integrates seamlessly with CI/CD pipelines to automate Continuous Compliance. | Jan 2022 |
| Kiuwan | Abap, ActionScript, ASP.NET, C/C++, C#, Cobol, HTML, Java, Javascript, JSP, Objective-C, PHP, PowerScript, Python, RPG, VB6, VB.net | Kiuwan | OWASP member, CWE certified, full compliance with SANS 25, PCI-DSS, HIPAA, WASC, MISRA-C, BIZEC, ISO 25000, ISO 9126, CERT-C, CERT-J. Over 4500 rules including: SQL injection, encryption and randomness, file handling, information leaks, number handling, control flow management, initialization and shutdown, design error, system element isolation, error handling and fault isolation, pointer and reference handling, misconfiguration, permissions, privileges and access controls, buffer handling | Sep 2017 |
| ObjectCenter | C/C++ | ICS | "run-time and static error detection ... more than 250 types of errors, including more than 80 run-time errors ... inter-module inconsistencies" | Apr 2011 |
| Offensive360 | C#, Java, PHP, Javascript, TypeScript, React, Angular, Docker, XML, HTML, YAML, DLL | Offensive360 | Detect security vulnerabilities, perform malware analysis, license analysis, etc. Does not require building the source code. | July 2021 |
| Oversecured | Java, Kotlin, Swift | Oversecured Inc | Enterprise vulnerability scanner for Android and iOS apps. Integrates into the development process to help app owners and developers secure each new version of the mobile app. | Dec 2021 |
| Parfait | C/C++ | Oracle proprietary | ? | Apr 2013 |
| PHP-Sat | PHP | free | static analysis tool, XSS, etc. | Sep 2006 |
| Pixy | PHP | free | static analysis tool, only detects XSS and SQL Injection. No home page? | Jun 2014 |
| PLSQLScanner 2008 | PLSQL | Red-Database-Security | SQL Injection, hardcoded passwords, Cross-site scripting (XSS), etc. | Jun 2008 |
| PMD | Java | free | questionable constructs, dead code, duplicate code | June 2018 |
| Polyspace Bug Finder | C, C++ | MathWorks | defects such as static and dynamic memory problems (null pointer, memory leaks, buffer issues…) as well as data flow, concurrency, security (cryptography, tainted data) issues. The product also checks for coding rule violations, and computes code metrics. | Oct 2018 |
| Polyspace Code Prover | Ada, C, C++ | MathWorks | proves the absence of run-time errors, detects dead code. The product also checks for coding rule violations, and computes code metrics. | Oct 2018 |
| PREfix and PREfast | C, C++ | Microsoft proprietary | | Feb 2006 |
| Progpilot | PHP | free (MIT License) | Security vulnerabilities, including XSS, SQL injection, code injection, etc. Sources, sinks, sanitizers, and validators are user-configurable. | Oct 2018 |
| PT Application Inspector | .Net, C#, PHP, Java, JS, C, Mobile languages | Positive Technologies | Security vulnerabilities, focusing on web application vulnerabilities, including SQL injection, remote code execution, resource injection, command injection, XML external entity, XSS, and more. | Dec 2018 |
| PVS-Studio | C, C++, C#, Java | Program Verification Systems | PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. | July 2019 |
| pylint | Python | free | Checks for errors and looks for bad code smells. | Feb 2014 |
| Qualitychecker | VB6, Java, C# | Qualitychecker | static analysis tool | Sep 2007 |
| RATS (Rough Auditing Tool for Security) | C, C++, Perl, PHP, Python | free | potential security risks | Sep 2013 |
| Reshift | Java | free | Command Injection, XPath Injection, SQL Injection, Cryptography weaknesses, etc. Software as a Service (SaaS) with ability to integrate into GitHub and other code repositories. | Nov 2018 |
| Resource Standard Metrics (RSM) | C, C++, C#, and Java | M Squared Technologies | Scan for 50 readability or portability problems or questionable constructs, e.g. different number of "new" and "delete" key words or an assignment operator (=) in a conditional (if). | Apr 2011 |
| RIPS | Java, PHP | free and RIPS Tech | Language-specific analysis to detect complex security vulnerabilities, code quality issues and misconfigurations listed in PCI DSS, OWASP Top 10, ASVS, SANS 25, CWE. Integrates into CI/CD, IDE, build, bug tracker and other tools. | May 2019 |
| Roslyn Security Guard | C# | free | SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords, etc. It will find vulnerabilities and in some cases suggest automated fixes. | Nov 2016 |
| Semgrep | Go, Java, JavaScript, JSON, Python | free and r2c | Lightweight static analysis tool for enforcing code standards, finding runtime errors, logic bugs, security vulnerabilities, etc. Developers can use a large registry of rules or write custom rules. | Nov 2020 |
| Smatch | C | free | simple scripts look for problems in a simplified representation of code; primarily for Linux kernel code | Apr 2006 |
| Snyk Code | Java, JavaScript, TypeScript, Python, Frameworks | free and Snyk Limited | Real time semantic code analysis based on machine learning. Hard coded secrets, coding issues such as dead code, type inference, division-by-zero, null dereference, data flow issues, API misuse, race conditions, type mismatches, etc. Integration into IDE, Git, CI/CD. | July 2021 |
| SonarQube | Java, C#, PHP, Python, JavaScript, TypeScript, Kotlin, Ruby, Go, Scala, HTML, CSS, XML, VB.NET, Flex. Paid versions support additional languages: C, C++, Swift, Objective-C, T-SQL, PL/SQL, Apex, COBOL, ABAP, RPG, PL/I | free and SonarSource | Finds vulnerabilities, bugs and code smells. Continuous inspection. Clean as you code. Tracks code complexity, unit test coverage and duplication. | Nov 2019 |
| SPARK tool set | SPARK (Ada subset) | AdaCore | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | Nov 2017 |
| Sparrow SAST | C/C++, Java, JSP, JavaScript, C#, ASP(.NET), Objective-C, PHP, VB.NET, VBScript, HTML, SQL, XML | SaaS Sparrow | OWASP Top 10, SANS 25, CWE, CERT vulnerabilities, MISRA, efficient and effective issue management based on machine learning technology. Software as a Service. | Oct 2020 |
| Splint | C | free | security vulnerabilities and coding mistakes. With annotations, it performs stronger checks. | 2005 |
| SpotBugs | Java | free | A successor to FindBugs. Checks for more than 400 bug patterns, including XSS, HTTP response splitting, path traversal, hardcoded password, Null dereference, etc. | Mar 2019 |
| Static Reviewer | C#, Vb.NET, VB6, ASP, ASPX, Java, JSP, JavaScript, TypeScript, eScript, Svelte, APEX, Java Server Faces, Ruby, Python, R, GO, Kotlin, Clojure, Groovy, Flex, ActionScript, PowerShell, Rust, LUA, Auto-IT, HTML5, XML, XPath, C, C++, PHP, SCALA, Objective-C, Objective-C++, SWIFT, IBM Streams Processing Language, Shell, BPMN, BPEL, UiPath, SAIL, COBOL, JCL, RPG, PL/I, ABAP, SAP-HANA, PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, ANSI SQL, IBM DB2, IBM Informix, SAP Sybase, HP Vertica, MySQL, FireBird, PostGreSQL, SQLite, MongoDB, HQL | Security Reviewer | Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries | May 2020 |
| TBmisra Testbed | C, C++, Java, Ada, Assembler | LDRA | The TBsecure module for LDRA Testbed comes with the Carnegie Mellon Software Engineering Institute (SEI) CERT C secure coding standard. TBsecure identifies concerns such as buffer overflow, out-of-bounds array access, dangling pointers, double-free, and dereferencing null pointer. Other modules handle High Integrity C++, HIS, IPA/SEC C, JSF++ AV, MISRA C/C++, and Netrino C. | 2017 |
| UNO | C | free | uninitialized variables, null-pointers, and out-of-bounds array indexing and "allows for the specification and checking of a broad range of user-defined properties". Aims for a very low false alarm rate. | Oct 2007 |
| Vet | Go | free | Checks for suspicious constructs, such as Printf format string inconsistencies, unreachable code, etc. | Mar 2019 |
| WAP | PHP | free | Finds or checks for: SQL Injection (SQLI) / Cross-site scripting (XSS) / Remote File Inclusion (RFI) / Local File Inclusion (LFI) / Directory Traversal or Path Traversal (DT/PT) / Source Code Disclosure (SCD) / OS Command Injection (OSCI) / PHP Code Injection | Jan 2016 |
| Xanitizer | Java, Scala, JavaScript, TypeScript, JSP, JSF, Angular | RIGS IT GmbH | More than 100 vulnerability types, including SQL injection, XPATH injection, cross-site scripting (XSS), XML external entities (XXE), use of vulnerable libraries, privacy leaks, hard-coded credentials, unsecured cookies, weak cryptography, resource leaks, path traversal, URL redirection | July 2020 |
| xg++ | C | unk | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking, etc. | Feb 2005 |
| Yasca | Java, C/C++, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, etc. | free | a "glorified grep" and aggregator of other tools, including: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS, and Pixy. "It is designed to be very flexible and easy to extend. ... writing a new rule is as easy as coming up with a regular expression" | Mar 2020 |

Other Lists

- Github list of static analysis tools by programming language. Includes static analysis for config files, HTML, LaTeX, etc.
- The Spin site hosts a list of commercial and research Static Source Code Analysis Tools for C and has links to other tools and lists.
- Flawfinder site has links to other tools.
- Wikipedia has a List of tools for static code analysis covering all kinds of analysis.
- Kompar is a searchable catalog of software analyzers documenting seven categories of tool capabilities.
