Static Application Security Testing (SAST) Tools

Static Application Security Testing tools are designed to analyze source code and/or compiled versions of code to help find security flaws. It provides feedback to the developer on issues they might be introducing into the code during code development itself.

Below are some of the popular static application security testing tools.

Bandit

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Docs: https://bandit.readthedocs.io/en/latest/

Usage:

bandit -r ~/your_repos/project

License: Apache 2.0.

Brakeman

Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Docs: https://brakemanscanner.org/docs/

Usage:

brakeman your_rails_app

License: Brakeman Public Use License

Dawnscanner

dawnscanner is a source code scanner designed to review your ruby code for security issues.

dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but all its features are unleashed when dealing with web applications source code. dawnscanner is able to scan major MVC (Model View Controller) frameworks, out of the box:

  • Ruby on Rails
  • Sinatra
  • Padrino

Usage:

dawn ~/src/hacking/railsberry2013

License: MIT

SpotBugs

SpotBugs is a tool for static analysis to look for bugs in Java code. It looks for instances of “bug patterns” — code instances that are likely to be errors.

Usage:

spotbugs -textui -jvmArgs "-Duser.language=ja" myApp.jar

License: GNU GPL

Flawfinder

Flawfinder is a program that examines C/C++ source code and reports possible security weaknesses (“flaws”) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public.

Docs: https://dwheeler.com/flawfinder/#documentation

License: GPL 2.0+

Graudit

graudit is a simple script and signature sets that allows you to find potential security flaws in source code in multiple languages using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Usage:

graudit [opts] /path/to/scan

License: GPL 3.0

Security Code Scan

Security Code Scan analyzes .NET and .NET Core projects in a background (IntelliSense) or during a build. It detects various security vulnerability patterns: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), etc.

License: LGPL 3.0

phpcs-security-audit

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

Usage:

phpcs --extensions=php,inc,lib,module,info --standard=example_base_ruleset.xml /your/php/files/

License: GPL 3.0

retire.js

Retire.js helps you detect the use of JS-library versions with known vulnerabilities.

Usage (command line scanner):

npm install -g retire
retire

License: Apache 2.0.

Disclaimer: Coocoor does not endorse tools listed in this page. We have made effort to provide this information as accurately as possible. If you think that this information is incomplete or incorrect, please feel free to contact us.