Star Rating
Languages Supported
Pricing Options

Static Application Security Testing (SAST) reviews by real, verified users. Find unbiased ratings on user satisfaction, features, and price based on the most reviews available anywhere.

Best Static Application Security Testing (SAST) Software

    Static application security testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing code. These tools are frequently used by companies with continuous delivery practices to identify flaws prior to deployment. SAST tools provide vulnerability information and remediation suggestions for development teams to resolve. There is relation and overlap between SAST tools and static code analysis software, but SAST products are more focused on security testing. Static code analysis products, on the other hand, combine a number of analytical practices, test management, and team collaboration features.

    SAST vs DAST — Learn the difference

    To qualify for inclusion in the Static Application Security Testing (SAST) category, a product must:

    Test applications to identify vulnerabilities
    Not execute code during testing, or have the ability to run static tests
    Provide information on relative vulnerabilities and exploits

    Top 8 Static Application Security Testing (SAST) Software

    • GitLab
    • Coverity
    • Appknox
    • HCL AppScan
    • CodeScan
    • Checkmarx
    • Kiuwan Code Security & Insights
    • Veracode Application Security Platform

    Compare Static Application Security Testing (SAST) Software

    G2 takes pride in showing unbiased reviews on user satisfaction in our ratings and reports. We do not allow paid placements in any of our ratings, rankings, or reports. Learn about our scoring methodologies.
    Sort By:
    Results: 43
    View Grid®
    Adv. Filters
    (290)4.4 out of 5

    GitLab is a complete open-source DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software. From idea to production, GitLab helps teams improve cycle time from weeks to minutes, reduce development process costs and decrease time to market while increasing developer productivity.

    (39)4.2 out of 5

    Coverity static analysis by Synopsys helps development and security teams find and fix defects and security flaws in code as it’s being written. Coverity is highly accurate, supports thousands of developers, and quickly analyzes large projects exceeding 100 million lines of code, helping your teams build secure, high-quality software faster.

    (38)4.5 out of 5
    Optimized for quick response

    Appknox is an on-demand mobile application security platform that helps businesses detect and fix security vulnerabilities using an Automated Security Testing suite. We have been successfully reducing delivery timelines, manpower costs & mitigating security threats for Global Banks and Enterprises in 10 + countries.

    (21)3.8 out of 5

    HCL AppScan Standard protects against web application attacks and expensive data breaches by automating application security vulnerability testing. Avoid security vulnerabilities Use automated dynamic security testing and advanced static analysis – “black box” and “white box” – to detect developing security issues. Empower accurate scanning Scan websites to identify embedded vulnerabilities. Simplify interpretation of scan results with scan-specific explanations of each issue. Get quick remed

    (29)4.6 out of 5
    Optimized for quick response
    Entry Level Price:$250 a month

    CodeScan is the leading end-to-end static code analysis solution. Our solutions are Lightning ready and are used exclusively for Salesforce, Salesforce teams, and DevOps team. We have the largest Salesforce ruleset, more than 21B line checks, and service over 150 customers around the world. Our analysis tools empower all levels of Salesforce DevOps teams with the ability to develop faster, better, cleaner, and more efficient code, while offering continuous inspection of code security and quali

    (25)4.1 out of 5

    Checkmarx is the Software Exposure Platform for the enterprise. Over 1,400 organizations around the globe rely on Checkmarx to measure and manage software risk at the speed of DevOps. Checkmarx serves five of the world’s top 10 software vendors, four of the top American banks, and many government organizations and Fortune 500 enterprises, including SAP, Samsung, and Learn more at or follow us on Twitter: @checkmarx.

    (22)4.4 out of 5
    Entry Level Price:From $599

    Build secure applications from the start with Kiuwan Code Security, a SAST solution. Scan your application source code to detect and eliminate vulnerabilities using over 4000 constantly-updated rules based on 25 security standards, including CWE/SANS 25, OWASP Top 10, PCI DSS, HIPPA, and more. Kiuwan Code Security covers major programming languages and integrates with leading IDEs and DevOps tools. Advanced analytics provide remediation action plans for product managers and security teams with "

    Veracode helps companies that innovate through software deliver secure code on time. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline,empower developers to fix security defects, and scales your program through best practices to achieve your desired outcomes. Veracode covers your all your AppSec needs in one s

    (7)4.1 out of 5

    AttackFlow is a solution helps find security and quality weaknesses in software by analyzing the code.

    (5)4.5 out of 5

    Open-source container vulnerability analysis service.

    (5)4.4 out of 5

    Jtest helps development teams produce better code, test it more efficiently, and consistently monitor progress toward quality goals.

    Fortify Static Code Analyzer is designed to identify security vulnerabilities in the user's source code early in the software development lifecycle and provides best practices so developers can code more securely.

    (2)3.5 out of 5

    Platform for detecting security vulnerabilities in applications by analyzing the source code. bugScout® is the most complete and versatile SAST platform on the market for detecting application security vulnerabilities through source code analysis. Designed by ethical hackers and reputable security auditors, bugScout® follows international security rules and standards and is at the forefront of cybercrime techniques to keep customer applications safe and secure. It is multiplatform, offered On

    (3)5.0 out of 5

    PT Application Inspector™ (PT AI™) is a comprehensive source code analysis tool that offers protection for web applications of any scale. Its holistic approach combines the advantages of static, dynamic, and interactive analysis to maintain application security throughout every stage of development—from the very first line of code to the go-live.

    (1)4.0 out of 5

    CodePeer is an Ada source code analyzer that detects run-time and logic errors. It assesses potential bugs before program execution, serving as an automated peer reviewer, helping to find errors easily at any stage of the development life-cycle. CodePeer helps you improve the quality of your code and makes it easier for you to perform safety and/or security analysis.

    (2)4.0 out of 5

    CodeSonar, GrammaTech's flagship static analysis SAST tool, identifies bugs that can result in system crashes, unexpected behavior, and security breaches.

    (1)4.5 out of 5

    Prioritize remediation based on AI algorithm calculated cyber score, and get continuous reports on your security posture and security team performance.

    (1)5.0 out of 5

    WhiteHat Security is a leader and pioneer in the field of application security. We combine technology and human intelligence to deliver solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites.

    (1)4.5 out of 5

    VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code. It has a few features that should make it useful. In addition to performing some more complex checks it also has a config file for each language that basically allows you to add any bad functions (or other text) that you want to search for. It attempts to find phrases within comments that can indicate broken code a

    (1)5.0 out of 5
    Entry Level Price:$0

    Xanitizer is the essential tool for security auditors. It specializes in security analysis of web applications and also considers the behavior of the applied web frameworks. Xanitizer investigates the code of an application for security vulnerabilities and also checks the server configuration files for misconfigurations. Xanitizer can easily be integrated into the CI/CD process, automatically and regularly checking the application code to prevent that security vulnerabilities are introduced int

    0 ratings

    The latest Minded Security Labs project regards JavaScript Security. We have released a tool called BlueClosure which helps security testers to analyze and discover Client Side security issues.

    0 ratings

    Code Dx Enterprise takes the results of all of your scans, processes them, and gives you a short list with no duplicates. It even points out which vulnerabilities were found by more than one tool, and provides an easy interface to prioritize each one based on severity. This can cut your testing time down, and get your application secured without falling behind schedule.

    0 ratings

    CodePatrol performs powerful SAST scans on your project source code and identifies security flaws early. Powered by Claranet and Checkmarx

    0 ratings

    Businesses can focus on what matters to them, remaining highly agile, without putting the organization at risk.

    0 ratings

    RamQuest’s solutions include our fully integrated closing, escrow accounting, imaging, transaction management, esigning, and digital marketplace solutions and are available on-premise or in a hosted environment

    0 ratings

    Devknox is a security plugin for the Android Studio IDE that detects and corrects security issues as you write code, real-time. Simply install the plugin and let Devknox detect, suggest and remediate all your security threats while you code and build your app.

    Manage, measure and integrate security for the entire software lifecycle.

    0 ratings

    Puma Scan runs as engineers write code. Real-time results. Puma Scan Editions include Server, Azure DevOps and End User.

    PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms.

    0 ratings

    Focused on development teams, reshift is source code analysis tool that automates finding vulnerabilities in source code, and reduces the efforts to re-mediate them.

    Select Grid® View
    Select Company Size
    G2 Grid® for Static Application Security Testing (SAST)
    Filter Grid®
    Filter Grid®
    Select Grid® View
    Select Company Size
    Check out the G2 Grid® for the top Static Application Security Testing (SAST) Software products. G2 scores products and sellers based on reviews gathered from our user community, as well as data aggregated from online sources and social networks. Together, these scores are mapped on our proprietary G2 Grid®, which you can use to compare products, streamline the buying process, and quickly identify the best products based on the experiences of your peers.
    High Performers
    Veracode Application Security Platform
    HCL AppScan
    Kiuwan Code Security & Insights
    Market Presence