Automated tools that scan source code to identify potential vulnerabilities and security flaws during development.
Infer is a static analysis toolset for Java, C, C++, and Objective-C designed to detect memory leaks, null dereferences, and resource bugs. It functions as a multi-language bug finder that identifies race conditions, deadlocks, and memory safety issues by translating source code into a common intermediate representation for analysis. The project distinguishes itself through an inter-procedural data flow analyzer that tracks movement between sources and sinks to detect tainted flows and generate data flow graphs. It also includes a framework for verifying temporal properties and reachability u
Infer is a static analysis toolset that detects memory safety issues, taint flows, and concurrency bugs across Java, C, C++, and Objective-C using inter-procedural data flow analysis, directly matching the need for a SAST tool with multi-language support and data flow capabilities.
Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co
Bearer is a static application security testing (SAST) tool that detects security vulnerabilities, hard-coded secrets, and privacy risks through data flow tracing, and it supports differential scanning for pull requests and fingerprint-based false positive suppression — covering the core SAST features this search requires.
Semgrep is a static analysis security testing tool designed to identify vulnerabilities and logic errors by matching source code against declarative patterns. It functions as an automated scanner that integrates into development workflows to detect insecure code patterns and enforce coding standards before deployment. The engine utilizes a language-agnostic intermediate representation and a modular parser architecture to normalize diverse programming languages into a unified format. This allows for consistent rule execution across different codebases, enabling users to perform custom structur
Semgrep is a static application security testing (SAST) tool that scans source code with customizable declarative rules, supports many languages (C, Go, Java, JavaScript, Python, Ruby, TypeScript), and integrates into CI/CD pipelines, making it a comprehensive solution for automatically detecting security vulnerabilities.
SonarQube is a static code analysis platform used to scan source code and infrastructure scripts across multiple languages. It detects bugs, security vulnerabilities, and maintainability issues to ensure software meets reliability and security standards. The platform implements automated quality gates for continuous integration and delivery pipelines, verifying code against defined rules during merge or pull requests. It also integrates directly with code editors to provide real-time analysis results and quick-fix guidance during development. The system covers broad functional areas includin
SonarQube is a leading static analysis platform that covers multiple languages, automatically detects security vulnerabilities, integrates into CI/CD pipelines, and offers customizable rule sets and data flow analysis, directly matching the SAST tool requirement.
Credo is a static analysis tool and linter for Elixir. It functions as a code quality analyzer that scans source code to identify stylistic inconsistencies, common mistakes, and potential security vulnerabilities. The tool provides a customizable framework for defining and testing specialized rules to enforce project-specific coding standards. It identifies complex code fragments and duplication to highlight opportunities for refactoring and simplification. Its capabilities cover automated code reviews, the enforcement of Elixir coding standards, and real-time developer feedback through edit
Credo is a static analysis tool and linter for Elixir that can automatically detect potential security vulnerabilities alongside code quality issues, but it is limited to Elixir and focused more on general code quality than dedicated security scanning, so it covers customizable rules and CI-friendly checks but lacks multi-language support and advanced data-flow analysis.
Brakeman is a static analysis security tool and scanner specifically designed for Ruby on Rails source code. It identifies common security vulnerabilities, such as injection and cross-site scripting, by analyzing the application codebase without executing the application. The tool functions as a security auditor that detects mass assignment risks and template vulnerabilities. It evaluates the final output of rendered views and identifies unrestricted assignment patterns that could allow unauthorized modification of model attributes. The system provides vulnerability management through the us
Brakeman is a static analysis security scanner built specifically for Ruby on Rails, identifying vulnerabilities such as injection and XSS through source code analysis without execution; it fits the SAST category squarely but is limited to one language and omits multi-language support and explicit data flow analysis.
This project is an AI-powered static analysis tool and automated vulnerability scanner designed to detect security flaws such as injection and authentication bypasses. It uses large language models to perform semantic reasoning across multiple programming languages, identifying vulnerabilities within code changes. The tool operates as a GitHub Action that integrates into continuous integration pipelines to analyze pull request diffs. It focuses on modified lines of code to target new risks and reports findings by posting automated comments directly to the pull request. Analysis is directed b
This AI-powered static analysis tool detects security vulnerabilities like injection and authentication bypasses across multiple languages and integrates into CI via GitHub Actions, making it a genuine SAST tool; while it covers most requested features (multi-language, rules, low false positives, CI integration, customizable policies), its diff-focused, LLM-based approach differs from traditional code property graph analysis.
gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph
gosec is a static analysis security tool that scans Go source code for vulnerabilities using AST inspection, mapping findings to CWE, so it squarely fits the SAST category but is limited to Go, which means it lacks the multi-language support you likely need.
Ruff is a high-performance static analysis and code formatting tool designed for Python. Built in Rust, it functions as a comprehensive engine that scans source code to detect programming errors, security vulnerabilities, and deviations from established coding standards. By parsing source code into a structured tree representation, it provides both automated linting and style enforcement across entire projects. The tool distinguishes itself through its speed and deep integration into the development lifecycle. It utilizes parallelized file processing to maximize throughput on large codebases
Ruff is a high-performance Python SAST and linter that detects security vulnerabilities and integrates into CI/CD pipelines, but it only supports Python and lacks code property graph analysis — a solid choice for Python projects, not a multi-language solution.
Bandit is a static analysis security testing tool and vulnerability detection scanner for Python source code. It functions as a security-focused linter and static analyzer that identifies common vulnerabilities and architectural flaws without executing the program. The tool utilizes an abstract syntax tree to analyze code patterns and identifies risky function calls or insecure configurations. It employs a plugin-based rule engine to decouple scanning logic from individual security checks and supports configuration-driven filtering to exclude specific files or ignore certain warnings. The sy
Bandit is a dedicated SAST tool for Python source code that uses AST analysis and a plugin-based rule engine to detect security vulnerabilities, making it a genuine match for the search, though its single-language focus and lack of code property graph/data flow analysis keep it from being a comprehensive multi-language solution.
Slither is a static analysis framework that detects security vulnerabilities in Solidity and Vyper smart contracts using data-flow and property-based analysis; it fits the SAST tool category but is limited to blockchain languages, so it does not provide broad multi-language support.
This project is a static analysis tool and linter designed to improve the quality, reliability, and portability of shell scripts. By performing deep structural analysis, it identifies common programming pitfalls, syntax errors, and security vulnerabilities before scripts are executed. It functions as an automated code reviewer that enforces best practices and helps developers maintain consistent, robust code across different operating environments. The tool distinguishes itself through its dialect-aware grammar resolution, which adapts its parsing logic based on the specific shell interpreter
ShellCheck is a static analysis tool that automatically finds security vulnerabilities in shell scripts through deep structural analysis, matching your SAST requirement for vulnerability detection, though it is limited to shell scripting rather than providing multi-language support.
nodejsscan is a static analysis security tool and vulnerability detection engine designed to scan Node.js source code for security flaws and common coding vulnerabilities. It functions as a static application security testing tool that analyzes code without executing the program. The tool operates as a security linter that can be integrated into continuous integration pipelines to block insecure code from merging into main branches. It automates the auditing process through rule-based detection and pattern-based static analysis. The project provides capabilities for vulnerability alert autom
nodejsscan is a static analysis security testing (SAST) tool purpose-built for Node.js, so it squarely fits the category but lacks multi-language support and advanced data flow analysis, which may limit its usefulness if you need broader language coverage.