Tools
SAST
Static code review tools work with source code and look for known patterns and relationships between methods, variables, classes and libraries. SAST works with the raw code and usually not with built packages.
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities
High-quality open source tool, works on 17+ languages
Python-specific SAST tool
Generic SAST for security engineers. Powered by a regex-based pattern matcher and the semantic-aware semgrep
Find and fix problems in your JavaScript code
Node.js SAST scanner with GUI
The SpotBugs plugin for security audits of Java web applications
Detect security issues in code review with Static Application Security Testing (SAST)
Inspects source code for security problems by scanning the Go AST.
Checks Python dependencies for known security vulnerabilities.
Note: Semgrep is a free CLI tool; however, the rulesets at https://semgrep.dev/r carry various licences: some are free to use and some are commercial.
OWASP curated list of SAST tools: https://owasp.org/www-community/Source_Code_Analysis_Tools
Install semgrep (SonarQube alternative):
semgrep: a static source code analyzer that works on over 25 languages
Install: python3 -m pip install semgrep
Add to PATH in zsh: path+=('/home/kali/.local/bin'); export PATH
Analyze code: semgrep --config auto badcode.php