TOP 10 open source SAST tools for DevSecOps

Dmitry Ch
3 min read · Oct 18, 2023


1. SonarQube

SonarQube is a widely adopted open-source platform for continuous code inspection, including SAST capabilities. It supports various programming languages and provides detailed reports to identify and remediate security vulnerabilities.

GitHub Repository: SonarQube

2. semgrep

Semgrep is an open-source static analysis tool for code security scanning and quality analysis. It is designed to identify and highlight potential security vulnerabilities, bugs, and code quality issues within source code. Semgrep is language-agnostic, so it can be used with various programming languages, including Python, JavaScript, Java, Go, and more.

GitHub Repository: semgrep

3. Brakeman

Brakeman is tailored for Ruby on Rails applications, scanning Ruby code for potential security vulnerabilities. It offers valuable insights to Ruby developers to enhance their application security.

GitHub Repository: Brakeman

4. Bandit

Bandit is an open-source SAST tool designed specifically for Python applications. It helps Python developers identify and address security issues within their codebase.

GitHub Repository: Bandit
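As an added illustration of the kind of check Bandit performs (example code written for this page, not Bandit's own; the rule labels and the sample snippet are constructed), here is a minimal AST-based scanner that flags `subprocess` calls with `shell=True` and `eval()`/`exec()` on non-literal input:

```python
"""Minimal Bandit-style static check for Python, built on the ast module.
Added example, not Bandit's code; rule labels are our own, not Bandit test IDs."""
import ast
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str

# subprocess entry points where shell=True hands the string to /bin/sh
SUBPROCESS_FUNCS = {"call", "run", "Popen", "check_call", "check_output"}

def scan_source(source: str) -> list:
    """Walk the syntax tree (not raw text, so comments/strings cannot fool it)
    and return findings ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # eval()/exec() whose first argument is not a string literal
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                findings.append(Finding(node.lineno, "eval-non-literal",
                                        f"{func.id}() on non-literal input"))
        # subprocess.<func>(..., shell=True): command string goes through a shell
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess" and func.attr in SUBPROCESS_FUNCS):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append(Finding(node.lineno, "subprocess-shell-true",
                                            f"subprocess.{func.attr} with shell=True"))
    return sorted(findings, key=lambda f: f.line)

# Constructed sample input: findings expected on lines 4 and 6 only
SAMPLE = '''
import subprocess
def run(cmd, expr):
    subprocess.run(cmd, shell=True)     # flagged: shell=True
    subprocess.run(["ls", "-l"])        # fine: argv list, no shell
    return eval(expr)                    # flagged: eval on non-literal
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Real tools like Bandit add many more rules, confidence and severity levels, and baseline/suppression handling on top of this same AST-walking approach.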

5. FindBugs

FindBugs is an open-source SAST tool focused on Java applications. While it primarily detects bugs and coding issues, it includes security detectors for pinpointing potential vulnerabilities in Java code.

GitHub Repository: FindBugs

6. Kubesec

Kubesec is an open-source Kubernetes security scanner and analysis tool. It accepts a single Kubernetes manifest file and provides a severity score for each found vulnerability.

GitHub Repository: Kubesec

7. horusec

Horusec is an open-source tool that performs static code analysis to identify security flaws during development. Languages currently supported for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and Nginx.

GitHub Repository: horusec

8. Bearer

Bearer is a static application security testing (SAST) tool that scans your source code and analyzes your data flows to discover, filter, and prioritize security and privacy risks. It currently supports JavaScript, TypeScript, Ruby, and Java stacks.

GitHub Repository: bearer

9. MATE

MATE is a suite of tools for interactive program analysis focusing on hunting for bugs in C and C++ code. MATE unifies application-specific and low-level vulnerability analysis using code property graphs (CPGs), enabling the discovery of highly application-specific vulnerabilities that depend on both implementation details and the high-level semantics of target C/C++ programs.

GitHub Repository: MATE

10. CodeQL by GitHub

CodeQL is a powerful open-source SAST tool that supports many programming languages. It is now part of GitHub and offers free access to open-source projects.

GitHub Repository: CodeQL
