Developing secure code is a difficult task. The days of human, manual "Peer Review" as the only point in the development life cycle to identify code defects are over. As the industry shifts to adopting tools that detect flaws, static code analysis (SCA) has become an important part of creating quality code.
Static code analysis quickly and automatically checks the code to discover security flaws and issues that might be missed by people. It works by reviewing the code without actually executing it. This can be done at the source code level (Source Code Analysis, SCA) or at the binary level (Binary Code Analysis, BCA).
Additional Information
- The Wikipedia Static Program Analysis page
- The OWASP Static Code Analysis page
- The Web Application Security Consortium has published a paper on Static Analysis Technologies Evaluation Criteria
- CheckMarx has published The 5 Key Benefits of Source Code Analysis
Pylint is a source code, bug and quality checker for the Python programming language. It follows the style recommended by PEP 8, the Python style guide.
There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay up to date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecu ...
Klocwork static code analysis and SAST tool for C, C++, C#, and Java identifies software security, quality, and reliability issues helping to enforce compliance with standards. Built for enterprise DevOps and DevSecOps, Klocwork scales to projects of any ...
The Axivion Suite gives you the full range of Axivion analysis tools in one box. The Axivion Suite includes static code analysis, architecture analysis and effective tools for the detection of code smells. The Axivion Suite runs on Windows, Linux and Mac ...
Code Dx helps enterprises rapidly release more secure software and mitigates the risk of a breach, while helping you be faster and more agile. Orchestrate tools: centralize and harmonize application security testing across all development pipelines in ...
Astrée is a static code analyzer that proves the absence of runtime errors and invalid concurrent behavior in safety-critical software written or generated in C. Astrée primarily targets embedded applications as found in aeronautics, earth transpor ...
ECLAIR is a general platform for software verification. Applications range from coding rule validation, to automatic generation of testcases, to the proof of absence of run-time errors or generation of counterexamples, and to the specification of code mat ...
PC-Lint Plus is a comprehensive static analysis solution for C and C++. Comply with safety standards: enforce compliance with industry coding standards including MISRA, AUTOSAR, and CERT C, customise detection of individual guidelines and easily s ...
Bandit is a tool designed to find common security issues in Python code. By processing files, building an AST and running appropriate plugins against the AST nodes, Bandit is able to generate a report once it has finished scanning code.
SpotBugs is a program which uses static analysis to look for bugs in Java code. SpotBugs is capable of checking for more than 400 bug patterns and can be used standalone or through many integrations including: Ant, Maven, Gradle, Eclipse.
CodePeer is an Ada source code analyzer that detects run-time and logic errors. It assesses potential bugs before program execution, serving as an automated peer reviewer, helping to find errors easily at any stage of the development life-cycle. CodePeer ...
Continuous Inspection - SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically. Detec ...
Automatically scan your code to identify and remediate vulnerabilities. Compliant with the most stringent security standards, such as OWASP and CWE, Kiuwan Code Security covers all important languages and integrates with leading DevOps tools. Make I ...
Deliver C and C++ software that’s robust, predictable, and secure. Manage risk and costs by building better software. Static analysis and unit testing are critical for application quality, security, and safety, and the cornerstone of any connected-applic ...
Complement your existing Visual Studio tools with deep static analysis and advanced coverage. An automated, non-invasive solution that scans the application codebase to identify issues before they become production problems, Parasoft dotTEST integrates i ...
Parasoft Jtest enables you to accelerate Java software development while minimizing risks introduced into the code, by providing comprehensive analysis, guidance, and tools to get the job done. Jtest integrates with Parasoft DTP for sophisticated reportin ...
Polyspace® static code analysis products use formal methods to prove the absence of critical run-time errors under all possible control flows and data flows. They include checkers for coding rules, security vulnerabilities, code metrics, and hundreds of ad ...
Snappy Tick Source Edition (SAST) is a source code review tool; it helps to identify vulnerabilities during static code review. An in-line auditing approach will identify the largest number of the most significant security issues in your applicati ...
OCLint is a static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code and looking for potential problems like: Possible bugs - empty if/else/try/catch/finally statements Unused code - unused local v ...
Flawfinder is a simple program that examines C/C++ source code and reports possible security weaknesses (“flaws”) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely ...