Tools
SAST
Static code review tools work directly on source code, looking for known insecure patterns and for the relationships between methods, variables, classes and libraries. SAST operates on the raw code and usually not on built packages.
Name | Description
---|---
Brakeman | Static analysis tool which checks Ruby on Rails applications for security vulnerabilities
| High-quality open source tool, works on 17+ languages
| Python-specific SAST tool
| Generic SAST for security engineers, powered by a regex-based pattern matcher and semantic-aware semgrep
| Find and fix problems in your JavaScript code
| Node.js SAST scanner with GUI
| The SpotBugs plugin for security audits of Java web applications
| Detect security issues in code review with Static Application Security Testing (SAST)
| Inspects source code for security problems by scanning the Go AST
| Checks Python dependencies for known security vulnerabilities
Note: Semgrep is a free CLI tool; however, the rulesets (https://semgrep.dev/r) carry various licences, some free to use and some commercial.
OWASP curated list of SAST tools: https://owasp.org/www-community/Source_Code_Analysis_Tools
Install semgrep (SonarQube alternative):
semgrep - static source code analyzer which works on over 25 languages
Install: `python3 -m pip install semgrep`
Add to path in zsh: `path+=('/home/kali/.local/bin'); export PATH`
Analyze code: `semgrep --config auto badcode.php`