Best Static Application Security Testing (SAST) Software

Static application security testing (SAST) software inspects and analyzes an application's source code (or compiled bytecode) to discover security vulnerabilities without executing it. These tools are frequently used by companies with continuous delivery practices to identify flaws before deployment, typically by running in the developer's IDE or in the CI pipeline. SAST tools report each finding with its location, severity, and remediation suggestions for development teams to resolve. SAST tools overlap with static code analysis software, but SAST products focus on security testing, whereas static code analysis products combine a number of analytical practices (quality, style, complexity) with test management and team collaboration features.

To qualify for inclusion in the Static Application Security Testing (SAST) category, a product must:

  • Test applications to identify vulnerabilities
  • Not execute code during testing, or have the ability to run static tests
  • Provide information on the vulnerabilities found and the weaknesses or exploits they relate to
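To make concrete what "analyzing code without executing it" means, here is an added example (not code from any vendor listed on this page) of the core technique behind most SAST engines: source-to-sink taint tracking over an abstract syntax tree. Attacker-controlled values (sources) are followed through assignments, string concatenation and formatting until they reach a dangerous call (sink), unless a recognised sanitizer intervenes. The catalogue of sources, sinks and sanitizers and the SAMPLE program it scans are constructed for the illustration; a commercial engine ships thousands of rules and tracks data across functions, files and frameworks, which this toy deliberately does not.

```python
"""Minimal source-to-sink taint analysis over Python ASTs (illustrative, not a product)."""
import ast
from dataclasses import dataclass

# Constructed rule catalogue. Real SAST engines ship thousands of these.
TAINT_SOURCES = {"input", "sys.argv", "request.args.get", "request.form.get"}
SANITIZERS = {"shlex.quote", "int"}
SINKS = {  # qualified name -> (CWE, remediation hint, only dangerous with shell=True?)
    "os.system": ("CWE-78", "pass an argv list to subprocess.run() without a shell", False),
    "subprocess.call": ("CWE-78", "drop shell=True and pass an argv list", True),
    "subprocess.run": ("CWE-78", "drop shell=True and pass an argv list", True),
    "eval": ("CWE-95", "parse the value with ast.literal_eval() or a real parser", False),
}


@dataclass
class Finding:
    line: int
    sink: str
    cwe: str
    hint: str


def qualified_name(node):
    """Turn Name/Attribute chains such as request.args.get into a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def sink_for(name):
    if name in SINKS:
        return name, SINKS[name]
    if name and name.endswith(".execute"):  # any DB-API cursor.execute()
        return name, ("CWE-89", "use a parameterized query", False)
    return None, None


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural, flow-sensitive taint tracking over one module."""

    def __init__(self):
        self.tainted = set()  # variable names currently holding attacker data
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):  # sys.argv[1]
            return qualified_name(node.value) in TAINT_SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            name = qualified_name(node.func)
            if name in TAINT_SOURCES:
                return True
            if name in SANITIZERS:
                return False
            # "...".format(x) and x.strip() keep the taint of their arguments/receiver
            receiver = node.func.value if isinstance(node.func, ast.Attribute) else None
            return any(self.is_tainted(a) for a in node.args) or (
                receiver is not None and self.is_tainted(receiver))
        if isinstance(node, ast.BinOp):  # "cmd " + x, "cmd %s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.JoinedStr, ast.Tuple, ast.List)):  # f-strings, containers
            parts = node.values if isinstance(node, ast.JoinedStr) else node.elts
            return any(self.is_tainted(p) for p in parts)
        if isinstance(node, (ast.FormattedValue, ast.Attribute)):
            return self.is_tainted(node.value)
        return False  # constants and anything not modelled

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, set()  # parameters are not tracked: a known limitation
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with safe data
        self.generic_visit(node)

    def visit_Call(self, node):
        name, rule = sink_for(qualified_name(node.func))
        if rule and node.args:
            cwe, hint, needs_shell = rule
            shell = any(kw.arg == "shell" and getattr(kw.value, "value", None) is True
                        for kw in node.keywords)
            if (shell or not needs_shell) and self.is_tainted(node.args[0]):
                self.findings.append(Finding(node.lineno, name, cwe, hint))
        self.generic_visit(node)


def scan(source):
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed program under test: three true positives and four deliberate "safe" variants.
SAMPLE = """import os, shlex, subprocess

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)                       # line 5: CWE-78
    subprocess.call("ping -c 1 %s" % host, shell=True)   # line 6: CWE-78
    subprocess.run(["ping", "-c", "1", host])            # argv list, no shell: safe
    os.system("ping -c 1 " + shlex.quote(host))          # sanitized: safe
    host = "localhost"
    os.system("ping -c 1 " + host)                       # reassigned a constant: safe

def lookup(conn, request):
    user = request.form.get("user")
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")     # line 15: CWE-89
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # parameterized: safe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.cwe} via {f.sink}(): {f.hint}")
```

Running it reports lines 5, 6 and 15 and nothing else. The interesting part is not the three hits but the four misses: the analyzer stays quiet on the argv-list call, the quoted argument, the reassigned constant and the parameterized query because it reasons about data flow rather than pattern-matching on function names, which is exactly the difference between a SAST engine and a grep.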
Static Application Security Testing (SAST) reviews by real, verified users. Find unbiased ratings on user satisfaction, features, and price based on the most reviews available anywhere.

Compare Static Application Security Testing (SAST) Software

G2 takes pride in showing unbiased ratings on user satisfaction. G2 does not allow for paid placement in any of our ratings.
Results: 37

    Coverity static analysis by Synopsys helps development and security teams find and fix defects and security flaws in code as it’s being written. Coverity is highly accurate, supports thousands of developers, and quickly analyzes large projects exceeding 100 million lines of code, helping your teams build secure, high-quality software faster.

    Checkmarx is the Software Exposure Platform for the enterprise. Over 1,400 organizations around the globe rely on Checkmarx to measure and manage software risk at the speed of DevOps. Checkmarx serves five of the world's top 10 software vendors, four of the top American banks, and many government organizations and Fortune 500 enterprises, including SAP and Samsung. Learn more at or follow us on Twitter: @checkmarx.

    IBM Security AppScan Standard protects against web application attacks and expensive data breaches by automating application security vulnerability testing. It combines automated dynamic security testing and advanced static analysis ("black box" and "white box") to detect security issues as they develop, scans websites to identify embedded vulnerabilities, and simplifies interpretation of scan results with scan-specific explanations of each issue. Get qu

    AttackFlow is a solution that helps find security and quality weaknesses in software by analyzing its code.

    Appknox is an enterprise-level security assessment product that helps businesses and enterprises detect, manage and fix security issues. It has been used by some of the top enterprises to secure more than 500 mobile apps on a regular basis, and is listed among Gartner's top mobile app security testing vendors. Working with more than 100 organizations globally, Appknox focuses on the niche area of mobile app security.

    Open-source container vulnerability analysis service.

    bugScout is a next-gen SAST platform for detecting vulnerabilities in the source code of applications and websites, designed by ethical hackers and cybersecurity analysts from Deloitte's European cyberthreat SOC competency center. Today, source code security audits are snapshots that describe the status at a point in time and deliver reports that are already out of date by the time they are finished, because development is continuous. With its fast performance and scalability, bugScout

    CodeSonar, GrammaTech's flagship static analysis SAST tool, identifies bugs that can result in system crashes, unexpected behavior, and security breaches.

    WhiteHat Security is a leader and pioneer in the field of application security. We combine technology and human intelligence to deliver solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites.

    The latest Minded Security Labs project concerns JavaScript security. We have released a tool called BlueClosure which helps security testers analyze and discover client-side security issues.

    Code Dx Enterprise takes the results of all of your scans, processes them, and gives you a short list with no duplicates. It even points out which vulnerabilities were found by more than one tool, and provides an easy interface to prioritize each one based on severity. This can cut your testing time down, and get your application secured without falling behind schedule.
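The correlation step described above, as an added example that is not Code Dx's own code: three hypothetical scanner outputs with different field names are normalized onto a common key (file, line, CWE), exact duplicates collapse into one entry that records every tool that reported it, the highest severity any tool assigned wins, and the list is ordered so that critical findings and findings corroborated by several tools come first. The tool names, record schemas and findings are constructed for the illustration.

```python
"""Merge and deduplicate findings from several scanners (illustrative, not a product)."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Merged:
    file: str
    line: int
    cwe: str
    severity: str  # highest severity any tool assigned
    tools: list    # every tool that reported this (file, line, cwe)


# Constructed raw output from three hypothetical scanners; each uses its own schema
# and its own spelling of severity levels.
RAW_RESULTS = {
    "scanner_a": [
        {"path": "app/views.py", "line": 42, "cwe": "CWE-89", "sev": "high"},
        {"path": "app/util.py", "line": 10, "cwe": "CWE-78", "sev": "critical"},
    ],
    "scanner_b": [
        {"file": "app/views.py", "row": 42, "rule": "CWE-89", "level": "MEDIUM"},
        {"file": "app/views.py", "row": 42, "rule": "CWE-89", "level": "MEDIUM"},  # exact duplicate
        {"file": "app/auth.py", "row": 7, "rule": "CWE-798", "level": "low"},
    ],
    "scanner_c": [
        {"location": "app/views.py:42", "id": "CWE-89", "severity": "High"},
    ],
}


# One adapter per tool: raw record -> (file, line, cwe, severity). Supporting a new
# scanner means adding one adapter; the correlation logic does not change.
def _from_scanner_c(record):
    path, _, line = record["location"].rpartition(":")
    return path, int(line), record["id"], record["severity"]


ADAPTERS = {
    "scanner_a": lambda r: (r["path"], r["line"], r["cwe"], r["sev"]),
    "scanner_b": lambda r: (r["file"], r["row"], r["rule"], r["level"]),
    "scanner_c": _from_scanner_c,
}


def correlate(raw_results, adapters=ADAPTERS):
    """Merge per-tool results into one deduplicated, prioritized list."""
    buckets = defaultdict(lambda: {"severity": "low", "tools": set()})
    for tool, records in raw_results.items():
        for record in records:
            file, line, cwe, severity = adapters[tool](record)
            severity = severity.lower()
            if severity not in SEVERITY_RANK:
                raise ValueError(f"{tool}: unknown severity {severity!r}")
            bucket = buckets[(file, line, cwe)]   # same key from any tool -> same bucket
            bucket["tools"].add(tool)             # a set, so intra-tool duplicates vanish too
            if SEVERITY_RANK[severity] > SEVERITY_RANK[bucket["severity"]]:
                bucket["severity"] = severity
    merged = [Merged(file, line, cwe, b["severity"], sorted(b["tools"]))
              for (file, line, cwe), b in buckets.items()]
    # Highest severity first; among equals, findings corroborated by more tools first.
    merged.sort(key=lambda m: (-SEVERITY_RANK[m.severity], -len(m.tools), m.file, m.line))
    return merged


if __name__ == "__main__":
    for m in correlate(RAW_RESULTS):
        print(f"{m.severity:<8} {m.file}:{m.line} {m.cwe}  reported by {', '.join(m.tools)}")
```

Four raw records for app/views.py:42 become a single entry attributed to all three scanners; the two records scanner_b emitted for it also collapse because the tool list is a set. The key is exact (file, line, CWE) matching, which is the simplest defensible choice; tools that report the same defect on neighbouring lines would need a tolerance window or matching on code fingerprints, which this example does not attempt.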

    CodePeer is an Ada source code analyzer that detects run-time and logic errors. It assesses potential bugs before program execution, serving as an automated peer reviewer, helping to find errors easily at any stage of the development life-cycle. CodePeer helps you improve the quality of your code and makes it easier for you to perform safety and/or security analysis.

    Businesses can focus on what matters to them, remaining highly agile, without putting the organization at risk.

    Secure Your Code from the Very Beginning

    Devknox is a security plugin for the Android Studio IDE that detects and corrects security issues in real time as you write code. Simply install the plugin and let Devknox detect, suggest fixes for, and remediate security threats while you code and build your app.

    It's stunning. bDefend creates powerful behavior fingerprints and makes new malware signatures for all to use. We defend against viruses that others can't detect.

    You know that uploading unknown code leads to unknown consequences. So why risk it? bDetect takes a quick look and identifies what code is Safe, Suspicious, or Malicious.

    Jtest helps development teams produce better code, test it more efficiently, and consistently monitor progress toward quality goals.

    Provides an end-to-end Application Security platform to bring you objective data so you can make informed decisions regarding the security, risk, cost, activity, quality, maintainability, efficiency and dependencies of your applications.

    Fortify Static Code Analyzer is designed to identify security vulnerabilities in the user's source code early in the software development lifecycle and provides best practices so developers can code more securely.

    Puma Scan runs as engineers write code. Real-time results. Puma Scan Editions include Server, Azure DevOps and End User.

    Focused on development teams, reshift is a source code analysis tool that automates finding vulnerabilities in source code and reduces the effort needed to remediate them.

    RIPS is the code analysis solution dedicated to the PHP language. It supports all major PHP frameworks, SDLC integration, relevant industry standards and can be deployed as a self-hosted software or used as a cloud service.

    Security Testing works with you to create your customized security solution after assessing your current security measures.
