Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.


Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities

Hi-Quality Open source, works on 17+ languages

Python specific SAST tool

Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep

Find and fix problems in your JavaScript code

NodeJs SAST scanner with GUI

The SpotBugs plugin for security audits of Java web applications

Detect security issues in code review with Static Application Security Testing (SAST)

Inspects source code for security problems by scanning the Go AST.

Checks Python dependencies for known security vulnerabilities .

Note: Semgrep is free CLI tool, however some rulesets ( are having various licences, some can be free to use and can be commercial.

OWASP curated list of SAST tools :

Install semgrep (SonarQube alternative):

semgrep - static source code analyzer which works on over 25 languages

Install: python3 -m pip install semgrep

Add to path in zsh: path+=('/home/kali/.local/bin') export PATH

Analyze code: semgrep --config auto badcode.php

Last updated