Static Code Analysis

Developing secure code is a difficult task. The days of human, manual "peer review" as the only point in the development life cycle at which code defects are identified are over. As the industry shifts to adopting tools that detect flaws, static code analysis (SCA) has become an important part of creating quality code.

Static code analysis quickly and automatically checks the code to discover security flaws and issues that might be missed by people. It works by reviewing the code without actually executing it. This can be done at the source code level (source code analysis, also abbreviated SCA) or at the binary level (binary code analysis, BCA).

Additional Information

Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to de ...


PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++, and C#. It works in Windows and Linux environment. PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-St ...

Justin - presidentbeef

Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Brakeman - Rails Security Scanner

AppScan delivers application security testing tools to ensure your business, and your customers, are not vulnerable to attacks. Detect application vulnerabilities before they become a problem, remediate them and ensure compliance with regulations. Four pr ...

HCL AppScan

Veracode Static Analysis provides automated feedback to developers in the IDE and CI/CD pipeline, conducts a full Policy Scan before deployment, and gives clear guidance on how to find, prioritise, and remediate issues. Veracode Static Analysis supports ...

Veracode Static Analysis

Veracode Discovery helps manage your web attack surface by discovering and inventorying all public-facing applications - inside and outside the IP range - providing a workflow to scan sites for vulnerabilities. Discovery can be used alone to simply di ...

Veracode Web Application Scanning
Synopsys, Inc.

Synopsys Static Analysis (Coverity) is a fast, accurate and scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development lifecycle. Track and manage risks ac ...

VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code. It has a few features that should make it useful. In addition to perfo ...

PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, XML, XSL. Additionally it includes CPD, the copy-paste-detector. CPD find ...

CodeNarc analyzes Groovy code for defects, bad practices, inconsistencies, style issues and more. A flexible framework for rules, rulesets and custom rules means it's easy to configure CodeNarc to fit into your project.


Checkmarx SAST (CxSAST) is an enterprise-grade static analysis solution used to identify hundreds of security vulnerabilities in custom code. It is used by development, DevOps, and security teams to scan source code early in the SDLC, identify vulnerabili ...

CheckMarx Static Application Security Testing
GrammaTech Inc

CodeSonar is GrammaTech's flagship static analysis software, designed for zero-tolerance defect environments. CodeSonar analyzes source code and binaries, identifying programming bugs that can result in system crashes, memory corruption, leaks, data races ...

FrontEndART Ltd.

SourceMeter is an innovative tool built for the precise static source code analysis of C/C++, Java, C#, Python, and RPG projects. This tool makes it possible to find the weak spots of a system under development from the source code only, without the need ...

Snyk provides security products across the cloud native application stack, securing all the components of the modern cloud native application in a single platform. Open Source Security Automatically find, prioritise and fix vulnerabilities in yo ...

Facebook Open Source

Infer is a static analysis tool - if you give Infer some Java or C/C++/Objective-C code it produces a list of potential bugs. Anyone can use Infer to intercept critical bugs before they have shipped to users, and help prevent crashes or poor performance.

Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.