Aug 12, 19 4:27 pm

Was this post helpful?

Top SAST Tools for Developers

Aug 12, 2019
| by:
Sherif Koussa

Most Popular SAST Tools for Developers

Finding coding errors early in the development life cycle can save organizations both time and money, as well as make applications more secure. Catching bugs early in development saves the time and money of catching them during post production and makes sure the code is written securely as it's created. One way to catch code flaws sooner is through the use of Static Application Security Testing, or SAST, tools.

SAST tools offer organizations a number of benefits. They scale well. They can be run on software written in a variety of languages. They can be run repeatedly, too, such as during overnight builds. They can be easily integrated into Integrated Development Environments. They can also identify common errors, such as buffer overflows, XSS problems and SQL injection flaws. What's more, after they find an error, they can make life easier for developers by identifying source files, line numbers, and even subsections of lines containing errors.

However, the tools have their weaknesses, too, which is why they should be used in conjunction with other error-finding solutions. SAST tools aren't adept, for example, at finding authentication problems, access control issues, configuration flaws, and bad crypto. In addition, some of them produce too many false positives and have difficulty analyzing code that can't be compiled. It can also be challenging to determine if a security issue is an actual vulnerability. There are a number of SAST tools—both commercial and open source —available to organizations. Here are five of the most popular in each category.


Commercial SAST Tools

Fortify Static Code Analyzer

This SAST tool made by Micro Focus can be harder than some other solutions to integrate into your software development lifecycle, although it does support IDE, build tools, code repositories, and bug tracking. Once it's set up, though, both developers and security practitioners will like its performance. It produces understandable and traceable vulnerability information, supports 25 languages, and makes it easy to clean out false positives manually. What's more, it can provide scan information fast, eliminating the need for partial or incremental scans. On the down side, some users have complained online about difficulty troubleshooting problems with Fortify's support people and out-of-date documentation.


In addition to SAST, Veracode's solution supports Dynamic Application Security Testing and Software Composition Analysis, as well as manual penetration testing. Better yet, an application's status across all testing can be seen through a single dashboard. The app is designed for developers, and includes an API for customizing the software. When it finds a vulnerability, it provides tips for fixing it. If you're a Jira user, Veracode will open tickets with the appropriate development teams when it finds flaws in your code, which can also be helpful in generating valuable statistical information about your applications. According to Veracode, developers working in DevSecOps environments fix errors 11 times faster with its solution than other developers.

Coverity Scan

Coverity SAST is part of the Synopsys Software Integrity Platform portfolio, which also includes technologies acquired from Cigital, Codiscope, and Black Duck Software. The portfolio covers the gamut of testing technologies—DAST, SCA, and Interactive Application Security Testing. Synopsys released an upgrade of Coverity earlier this year with enhanced capabilities that allow the software to scan for more vulnerability types across a variety of programming languages. It can also perform static code analysis without compiling code for languages that are interpretive in nature or where the code can be modeled fairly accurately without compilation. In addition, it can now do framework analysis and advanced JavaScript template analysis, which can spot XSS vulnerabilities in HTML dynamically generated by those templates.

Checkmarx CxSAST

CxSAST is part of Checkmarx's Software Exposure Platform, which is designed to address software security risk throughout the software development lifecycle. It can identify hundreds of security vulnerabilities in both custom and open source components and supports more than 25 coding and scripting languages. However, some users have complained that better mobile language support is needed, especially support of Xamarin. Another user sore point is the cost of the software's professional services. Most common plugins work well with the software and its integrations are solid, especially with build servers like Jenkins. It can also perform scans without building code.


IBM recently sold AppScan to HCL. The software lets an organization implement a scalable security testing strategy that can pinpoint and remediate application vulnerabilities in every phase of the development lifecycle. It can test web, mobile, and open source software and provides management and reporting tools for multi-user, multi-app deployments. Deployment options are flexible and includes on-premise, cloud, and hybrid offerings. Users have praised the software for its low rate of false positives and its ability to counter application attacks, as well as protect data. It has been criticized for having an "unintuitive and hulking interface" and a support library that's vast but difficult to navigate.

Open Source SAST Tools

Reshift Security

Reshift is free for open source and paid for all private projects. Reshift is a developer-first security tool built to work within existing developer environments, while not slowing their pipeline. It integrates with Github, Bitbucket, and Gitlab where it can simply sync projects and run scans on every build. In addition, it allows for custom security policy settings for the number of critical, moderate, and high issues where it will fail the build if the threshold is exceeded.

With the focus being a tool built for developers, Reshift also offers "automated fixes" where suggested fixes are listed and developers can simply accept to create a pull request and remediate with little friction. With "remediation assistance" it allows development teams who aren't security experts to learn about each vulnerability with overviews, real world impacts, resources, and suggested fixes. Reshift currently supports Java and JavaScript. It is known for being a seamless tool that developers can use and don't have to interact with it to remediate issues.


This software is a free vulnerability scanner designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development. Users have praised the program for the speed and accuracy of its scans and for providing remediation information that's easy for developers to understand.


Development teams working with Node.js can use NodeJsScan to scan their code. The software has a command line interface for easy integration with DevSecOps CI/CD pipelines. It produces results in JSON and supports a number programing languages, including Java, C++, C#, VB, PHP, and PL/SQL. A configuration file is available for each language which can be modified for customized searches. Overviews of files, as well as an entire codebase, can be visualized through stats and pie charts. The program can detect buffer overflows and flaws in Java code that may contain OWASP security risks.


This open source project sponsored by the University of Maryland is designed to catch bugs in Java code through static analysis. It has been awhile since the application was updated. The latest version is 3.0.1, released in March 2015. Scans classify the bugs and vulnerabilities they find into four rankings: scariest, scary, troubling, and of concern. The program can find defects in 15 categories, but reports can be customized so only a subset of the categories are reported on. Functionality can be expanded through plug-ins. Findbugs can be a powerful tool if configured correctly. It can also be run as part of a separate continuous automatic code review tool like Sputnik, which can give Findbugs' reports better visibility.


Engineers at Mozilla, Wikipedia, Facebook, Twitter, Yahoo, RedHat and other companies use JSHint to catch defects in JavaScript programs. The open source software is designed to help developers write complex programs without worrying about typos and language errors. It can scan a codebase and report on common mistakes and potential bugs, such as syntax errors, implicit type conversions. and leaking variables, as well as others. The tool was created in 2011 as a fork in the JSLint project by developers who felt JSLint was getting "too opinionated" and did not allow enough customization options.


This web-based tool can find security vulnerabilities in applications written in C, C#, PHP, Java, Ruby, ASP, and JavaScript and is available for Linux, OX, BSD, and MacOS. The software doesn't have to be installed on a machine. After downloading it, compiling it using "make" will get it running. In addition, although it's a web app, Apache isn't needed to run it. After starting CodeWarrior, it will open your web browser and ask you to choose what source code you want scanned. The program has a reputation for producing low rates of false positives.

Now available: the short, free guide to implementing security at each stage of company growth, including guide to SAST, DAST, and other integrated analyses:


Was this post helpful?

About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post

Aug 9, 2023 by Cate Callegari

Worried Penetration Testing Will Derail Your Sprint Cycle?

Read more

Was this post helpful?

Jul 17, 2023 by Shimon Brathwaite

7 Agile Software Development Habits that Produce Security Concerns

Read more

Was this post helpful?

Jun 15, 2023 by Omkar Hiremath

Comparison of STRIDE, DREAD & PASTA

Read more

Was this post helpful?


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured