# Best Static Application Security Testing (SAST) Software

  *By [Lauren Worth](https://research.g2.com/insights/author/lauren-worth)*

   Static application security testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing code. These tools are frequently used by companies with [continuous delivery](https://www.g2.com/categories/continuous-delivery) practices to identify flaws prior to deployment. SAST tools provide vulnerability information and remediation suggestions for development teams to resolve. There is relation and overlap between SAST tools and [static code analysis](https://www.g2.com/categories/static-code-analysis) software, but SAST products are more focused on security testing. Static code analysis products, on the other hand, combine a number of analytical practices, test management, and team collaboration features.

[SAST vs DAST](https://research.g2.com/blog/sast-vs-dast) — Learn the difference

To qualify for inclusion in the Static Application Security Testing (SAST) category, a product must:

- Test applications to identify vulnerabilities
- Not execute code during testing, or have the ability to run static tests
- Provide information on relative vulnerabilities and exploits





## Category Overview

**Total Products under this Category:** 109


## Trust & Credibility Stats

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 5,100+ Authentic Reviews
- 109+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Best Static Application Security Testing (SAST) Software At A Glance

- **Leader:** [GitHub](https://www.g2.com/products/github/reviews)
- **Highest Performer:** [DryRun Security](https://www.g2.com/products/dryrun-security/reviews)
- **Easiest to Use:** [GitGuardian](https://www.g2.com/products/gitguardian/reviews)
- **Top Trending:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Best Free Software:** [GitHub](https://www.g2.com/products/github/reviews)


---

**Sponsored**

### Endor Labs

Endor Labs helps you build and ship secure software fast, whether it's written by humans and AI. While conventional code scanning tools drown teams in false positives, Endor Labs zeroes in on real risks, empowering developers without slowing them down. Trusted by OpenAI, Snowflake, Peloton, Robinhood, Dropbox, Rubrik, and more, Endor Labs is transforming AppSec. • 92% less alerts: Unify code scanning (SAST, SCA, container, secrets, malware, AI models) and automate security code reviews with AI. Pinpoint real vulnerabilities with function-level reachability, filtering out unreachable risks and letting developers fix what matters as they code. • 6X faster fixes: Skip the guesswork. Endor Labs guides developers towards safe OSS upgrades, and backports fixes for hard-to-update libraries. • Guardrails for AI coding assistants: Endor Labs natively integrates into AI coding assistants to help them produce code securely by default. Additionally, Endor Labs has built multiple agents to review the AI and human generated code for architecture and business-logic issues. • Compliance, streamlined: FedRAMP, PCI, NIST, and SLSA compliance is simplified with artifact signing, SBOM, VEX, and more—accelerating your path to secure, compliant code. Learn more at: www.endorlabs.com/demo-request



[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=paid_promo&secure%5Bad_slot%5D=category_product_list&secure%5Bcategory_id%5D=1520&secure%5Bmedium%5D=sponsored&secure%5Bprioritized%5D=false&secure%5Bproduct_id%5D=1317430&secure%5Bresource_id%5D=1520&secure%5Bresource_type%5D=Category&secure%5Bsource_type%5D=category_page&secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fstatic-application-security-testing-sast&secure%5Btoken%5D=a92e239bdb44e7b3795617adcace1126354d8e85237238e30a292262ac3db856&secure%5Burl%5D=https%3A%2F%2Fwww.endorlabs.com%2Fplatform&secure%5Burl_type%5D=paid_promos)

---

## Top-Rated Products (Ranked by G2 Score)
### 1. [GitHub](https://www.g2.com/products/github/reviews)
  GitHub is where the world builds software. Millions of individuals, organizations and businesses around the world use GitHub to discover, share, and contribute software. Developers at startups to Fortune 50 companies use GitHub, every step of the way.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 2,271

**User Satisfaction Scores:**

- **Test Automation:** 8.4/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.9/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.7/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.3/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [GitHub](https://www.g2.com/sellers/github)
- **Year Founded:** 2008
- **HQ Location:** San Francisco, CA
- **Twitter:** @github (2,642,101 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1418841/ (6,106 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Senior Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 46% Small-Business, 31% Mid-Market


#### Pros & Cons

**Pros:**

- Features (123 reviews)
- Ease of Use (110 reviews)
- Team Collaboration (108 reviews)
- Collaboration (106 reviews)
- Version Control (102 reviews)

**Cons:**

- Complexity (46 reviews)
- Learning Curve (44 reviews)
- Difficulty for Beginners (42 reviews)
- Learning Difficulty (40 reviews)
- Difficult Learning (35 reviews)

### 2. [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
  Aikido Security is the developer-first security platform that unifies code, cloud, protection, and attack testing in one suite of best-in-class products. Built by developers for developers, Aikido helps teams of any size ship secure software faster, automate protection, and simulate real-world attacks with AI-driven precision. The platform’s proprietary AI cuts noise by 95%, delivers one-click fixes, and saves developers 10+ hours per week. Aikido Intel proactively uncovers vulnerabilities in open source packages before disclosure, helping secure more than 50,000 organizations worldwide, including Revolut, Niantic, Visma, Montblanc, and GoCardless.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 141

**User Satisfaction Scores:**

- **Test Automation:** 8.1/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.3/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.2/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Aikido Security](https://www.g2.com/sellers/aikido-security)
- **Company Website:** https://aikido.dev
- **Year Founded:** 2022
- **HQ Location:** Ghent, Belgium
- **Twitter:** @AikidoSecurity (6,430 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aikido-security/ (175 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Founder
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 70% Small-Business, 18% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (78 reviews)
- Security (55 reviews)
- Features (52 reviews)
- Easy Integrations (47 reviews)
- Easy Setup (47 reviews)

**Cons:**

- Missing Features (19 reviews)
- Expensive (17 reviews)
- Limited Features (16 reviews)
- Pricing Issues (15 reviews)
- Lacking Features (14 reviews)

### 3. [GitGuardian](https://www.g2.com/products/gitguardian/reviews)
  GitGuardian is an end-to-end NHI security platform designed to help organizations strengthen their Non-Human Identity (NHI) security posture and address compliance standards and regulations. As attackers increasingly target NHIs, such as service accounts, service principals, and applications, protecting and managing these critical assets has become paramount. NHIs rely on “secrets” like API keys and certificates for authentication, and their rapid proliferation has led to significant secrets sprawl. GitGuardian’s platform is built on two core pillars: Secrets Security and NHI Governance, delivering a holistic approach to NHI security. With Secrets Security, GitGuardian aims to eliminate leaks and sprawl, detecting compromised or misused secrets across both public and internal environments. This foundation of NHI security is strengthened by monitoring for incidents, policy violations, and illegitimate use of secrets. GitGuardian offers three powerful products under its Secrets Security umbrella. GitGuardian’s Secrets Detection tackles internal secrets sprawl by identifying sensitive data in source code and developer productivity tools. The platform supports over 420 types of secrets, including API keys, private keys, and database credentials. With a robust policy engine, security teams can enforce rules across major version control systems (VCSs) like GitHub, GitLab, BitBucket, and Azure DevOps, CI/CD tools such as Jenkins, Travis CI as well as tools like Slack, Jira, container registries, and more. GitGuardian Public Monitoring scans public GitHub repositories, detecting sensitive information in both organizational and developers' public personal repos. This is crucial, as 80% of corporate secrets leaked on public GitHub stem from personal accounts. GitGuardian Honeytoken deploys decoy secrets that lure attackers looking for active secrets across your assets. Any unauthorized access attempts will trigger immediate alerts, enabling rapid detection and response during the software development lifecycle. With NHI Governance, GitGuardian offers a centralized inventory of secrets, tracking their context and usage. This enables teams to detect high-risk secrets, manage their rotation, and leverage analytics to enhance the overall NHI security posture. Together, Secrets Security and NHI Governance work symmetrically: one track focuses on detecting compromised secrets, while the other manages legitimate usages of secrets and their lifecycle. Trusted by over 600,000 developers and recognized as the top security app on GitHub Marketplace, GitGuardian is the choice of leading organizations like Snowflake, ING, BASF, and Bouygues Telecom, ensuring robust protection for their sensitive secrets.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 255

**User Satisfaction Scores:**

- **Test Automation:** 8.3/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.9/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.2/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 9.0/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [GitGuardian](https://www.g2.com/sellers/gitguardian-c1eb71ef-0ed6-4024-9679-56d9bee1fe3e)
- **Company Website:** https://www.gitguardian.com/
- **Year Founded:** 2017
- **HQ Location:** Paris, Île-de-France
- **Twitter:** @GitGuardian (6,057 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/gitguardian (176 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Software Developer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 84% Small-Business, 12% Mid-Market


#### Pros & Cons

**Pros:**

- Alert Notifications (18 reviews)
- Security (17 reviews)
- Vulnerability Detection (11 reviews)
- Git Integration (9 reviews)
- Accuracy (8 reviews)

**Cons:**

- False Positives (12 reviews)
- Inefficient Notifications (4 reviews)
- Limited Customization (3 reviews)
- Confusing Interface (2 reviews)
- Difficulty for Beginners (2 reviews)

### 4. [GitLab](https://www.g2.com/products/gitlab/reviews)
  GitLab is the most comprehensive AI-Powered DevSecOps platform that enables software innovation by empowering development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts. GitLab helps your teams across the complete DevSecOps lifecycle, from developing, securing, and deploying software. What makes us truly different? - Flexibility: Consume as a service or manage your own deployment - Cloud-Agnostic: Deploy anywhere with no vendor lock-in - No rip and replace: Scale to a platform approach at your own pace


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 873

**User Satisfaction Scores:**

- **Test Automation:** 9.2/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.5/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.8/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [GitLab Inc.](https://www.g2.com/sellers/gitlab-inc)
- **Company Website:** https://about.gitlab.com/
- **Year Founded:** 2014
- **HQ Location:** San Francisco, California
- **Twitter:** @gitlab (170,869 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/5101804/ (3,357 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Senior Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 37% Mid-Market, 37% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (43 reviews)
- Features (42 reviews)
- CI (36 reviews)
- CD Integration (34 reviews)
- Integrations (34 reviews)

**Cons:**

- Complexity (21 reviews)
- Difficult Learning (19 reviews)
- Confusing Interface (16 reviews)
- Complex User Interface (15 reviews)
- Learning Curve (13 reviews)

### 5. [Semgrep](https://www.g2.com/products/semgrep/reviews)
  Semgrep is a modern static analysis (SAST), software composition analysis (SCA), and secrets detection platform designed for both developers and security teams. It combines fast, deterministic analysis with context-aware AI that triages findings like a senior security engineer. The AI Assistant helps reduce false positives, prioritize meaningful results, and offers clear remediation guidance. Its “Memories” feature learns from past decisions to further reduce triage noise over time. Semgrep also supports deep analysis of transitive dependencies, not just direct ones, helping teams surface and address hidden risks in their supply chain. It integrates well into modern development workflows and is easy to customize across environments.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 55

**User Satisfaction Scores:**

- **Test Automation:** 9.2/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.8/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 7.5/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Semgrep](https://www.g2.com/sellers/semgrep)
- **Company Website:** https://semgrep.dev
- **Year Founded:** 2017
- **HQ Location:** San Francisco, US
- **Twitter:** @semgrep (4,299 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/returntocorp (238 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 45% Enterprise, 42% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (16 reviews)
- Features (14 reviews)
- Vulnerability Detection (13 reviews)
- Scanning Efficiency (12 reviews)
- Security (12 reviews)

**Cons:**

- Not User-Friendly (7 reviews)
- Limited Features (6 reviews)
- Difficult Learning (5 reviews)
- Lack of Guidance (5 reviews)
- Learning Curve (5 reviews)

### 6. [OX Security](https://www.g2.com/products/ox-security/reviews)
  OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI’s speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers: Autonomous, embedded security that runs as fast as developers. Dynamic risk context that shrinks security backlogs before they spiral. Continuous alignment across code, cloud, APIs, and runtime. With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure. OX Security -Vendor desc (request to update): OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 51

**User Satisfaction Scores:**

- **Test Automation:** 7.3/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.6/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 7.7/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (184 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Security Engineer
  - **Top Industries:** Financial Services, Information Technology and Services
  - **Company Size:** 63% Mid-Market, 25% Enterprise


#### Pros & Cons

**Pros:**

- Features (27 reviews)
- Ease of Use (23 reviews)
- Customer Support (22 reviews)
- Integration Support (22 reviews)
- Security (22 reviews)

**Cons:**

- Integration Issues (8 reviews)
- Missing Features (8 reviews)
- Complexity (5 reviews)
- Inadequate Reporting (5 reviews)
- Limited Cloud Integration (5 reviews)

### 7. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
  Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 138

**User Satisfaction Scores:**

- **Test Automation:** 6.0/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.1/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 6.8/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,935 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (929 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** DevOps Engineer, Software Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 42% Enterprise, 39% Mid-Market


#### Pros & Cons

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)

### 8. [Snyk](https://www.g2.com/products/snyk/reviews)
  Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code & open source to containers & cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix & merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find & fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free!


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 132

**User Satisfaction Scores:**

- **Test Automation:** 7.8/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.7/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 6.2/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (20,991 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,207 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 45% Mid-Market, 35% Small-Business


#### Pros & Cons

**Pros:**

- Vulnerability Detection (3 reviews)
- Vulnerability Identification (3 reviews)
- Easy Integrations (2 reviews)
- Features (2 reviews)
- Integrations (2 reviews)

**Cons:**

- False Positives (2 reviews)
- Poor Interface Design (2 reviews)
- Scanning Issues (2 reviews)
- Software Bugs (2 reviews)
- Code Management (1 reviews)

### 9. [DryRun Security](https://www.g2.com/products/dryrun-security/reviews)
  Security leaders face a paradox: ship faster and enable agentic development while staying secure and keeping developers productive. DryRun Security resolves this by securing every pull request and repo with a high-precision, automated security engineer review right where developers and their agents build. DryRun Security is the industry’s most accurate agentic code security intelligence platform. Powered by its proprietary Contextual Security Analysis (CSA) engine, DryRun Security delivers the AI moment for security teams in an AI-native developer world. Traditional static application security testing (SAST) floods teams with alerts, misses higher-order risk, and burns time in triage. DryRun Security goes beyond SAST with contextual analysis that prioritizes what is exploitable and impactful in your codebase, then helps engineers remediate fast. Instead of “find everything and hope someone sorts it out,” DryRun Security delivers code security intelligence that is ready to act on. DryRun Security puts a security engineer directly into developer workflows. In pull requests, the Code Review Agent reviews changes in context, explains risk in plain language, and guides fixes where developers already work. In repos, the DeepScan Agent produces focused, human-grade findings for the issues that actually matter, without weeks of manual review before major milestones. The Custom Policy Agent enforces guardrails with Natural Language Code Policies, so you can standardize security and compliance requirements across teams without brittle rule sets. Codebase Insights allows leaders to ask questions of their entire codebase like "Are we exposed to this new vulnerability" and have confidence in minutes. DryRun Security also integrates with AI coding workflows, so remediation happens with the precision of a security engineer working at machine speed. Teams connect DryRun Security insights and guidance into Claude, Cursor, OpenAI Codex, and Windsurf, helping developers and their agents fix issues with contextual, security-engineered direction tied to the PR and codebase. What DryRun Security delivers (beyond SAST) • Automated secure code review in every pull request with high-signal findings and low noise • Contextual Security Analysis that catches common vulnerabilities and deeper multi-dependency and logic risks • Automated remediation guidance that helps engineers fix faster, with explanations and next steps • Secrets analysis identifies genuine hardcoded secrets and suppresses the usual false alarms • Policy enforcement in PRs using Natural Language Code Policies for consistent guardrails across repos • Codebase intelligence and reporting for AppSec visibility, prioritization, and audit-ready evidence DryRun Security supports most code environments, languages, and frameworks, including: • GitHub, GitLab • C#, Golang, Elixir, JavaScript, TypeScript, Python, Ruby, Java, Kotlin, PHP, Swift, HTML • Infrastructure as Code (Terraform, YAML) • And more


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 19

**User Satisfaction Scores:**

- **Test Automation:** 10.0/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 10.0/10 (Category avg: 9.1/10)
- **Quality of Support:** 10.0/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [DryRun Security](https://www.g2.com/sellers/dryrun-security)
- **Year Founded:** 2023
- **HQ Location:** Austin, US
- **LinkedIn® Page:** https://www.linkedin.com/company/dryrun-security/ (19 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer & Network Security
  - **Company Size:** 42% Small-Business, 26% Mid-Market


#### Pros & Cons

**Pros:**

- Security (13 reviews)
- Vulnerability Detection (9 reviews)
- Features (8 reviews)
- Accuracy (7 reviews)
- Easy Setup (7 reviews)

**Cons:**

- Slow Performance (2 reviews)
- Slow Speed (2 reviews)
- UX Improvement (2 reviews)
- Limited Customization (1 reviews)
- Workflow Issues (1 reviews)

### 10. [Synopsys Static Application Security Testing](https://www.g2.com/products/synopsys-static-application-security-testing/reviews)
  Synopsys offers Static Application Security Testing solutions to find and eliminate software security vulnerabilities within the code.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 10

**User Satisfaction Scores:**

- **Test Automation:** 7.3/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.0/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 6.4/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Synopsys](https://www.g2.com/sellers/synopsys-53e76f66-bf39-4c28-b0f2-97178ec8ddfd)
- **Year Founded:** 1986
- **HQ Location:** Mountain View, CA
- **Twitter:** @synopsys (24,264 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2457/ (28,121 employees on LinkedIn®)
- **Ownership:** NASDAQ:SNPS

**Reviewer Demographics:**
  - **Company Size:** 70% Mid-Market, 20% Small-Business


#### Pros & Cons

**Pros:**

- Efficiency (2 reviews)
- Integration Support (2 reviews)
- Alert Notifications (1 reviews)
- Code Quality (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Confusing Interface (1 reviews)
- Difficulty for Beginners (1 reviews)
- Expensive (1 reviews)
- Slow Performance (1 reviews)
- UX Improvement (1 reviews)

### 11. [Coverity](https://www.g2.com/products/coverity/reviews)
  Coverity® is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 55

**User Satisfaction Scores:**

- **Test Automation:** 8.5/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.1/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.6/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.8/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Synopsys](https://www.g2.com/sellers/synopsys-53e76f66-bf39-4c28-b0f2-97178ec8ddfd)
- **Year Founded:** 1986
- **HQ Location:** Mountain View, CA
- **Twitter:** @synopsys (24,264 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2457/ (28,121 employees on LinkedIn®)
- **Ownership:** NASDAQ:SNPS

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 65% Enterprise, 27% Mid-Market


### 12. [Jit](https://www.g2.com/products/jit/reviews)
  Jit is redefining application security by introducing the first Agentic AppSec Platform, seamlessly blending human expertise with AI-driven automation. Designed for modern development teams, Jit empowers organizations to proactively manage security risks across the entire software development lifecycle.​ AI-Powered Agents Jit's AI Agents, such as SERA (Security Evaluation and Remediation Agent) and COTA (Communication, Ops, and Ticketing Agent), collaborate with your teams to automate vulnerability triage, risk assessment, and remediation processes, significantly reducing manual workloads. ​ Comprehensive Security Scanning Achieve full-stack security coverage with integrated scanners for SAST, DAST, SCA, IaC, CSPM, and more. Jit's platform ensures continuous monitoring and immediate feedback on code changes, facilitating rapid identification and resolution of security issues. ​ Developer-Centric Experience With integrations into popular IDEs and CI/CD pipelines, Jit provides developers with contextual security insights directly within their workflows, promoting a shift-left approach without disrupting productivity. ​ Agentic AI for AppSec Teams Risk-Based Prioritization Utilizing the Model Context Protocol (MCP), Jit evaluates vulnerabilities in the context of runtime environments, business impact, and compliance requirements, enabling teams to focus on the most critical risks. ​ Seamless Integrations Jit integrates with a wide array of tools, including GitHub, GitLab, AWS, Azure, GCP, Jira, Slack, and more, ensuring that security processes are embedded within your existing technology stack. ​


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 43

**User Satisfaction Scores:**

- **Test Automation:** 8.7/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.3/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.2/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [jit](https://www.g2.com/sellers/jit)
- **Year Founded:** 2021
- **HQ Location:** Boston, MA
- **Twitter:** @jit_io (523 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jit/ (151 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Financial Services
  - **Company Size:** 44% Mid-Market, 42% Small-Business


#### Pros & Cons

**Pros:**

- Security (10 reviews)
- Easy Integrations (8 reviews)
- Ease of Use (7 reviews)
- Efficiency (7 reviews)
- Integration Support (7 reviews)

**Cons:**

- Integration Issues (4 reviews)
- Limited Features (4 reviews)
- Limited Integration (4 reviews)
- Poor Documentation (4 reviews)
- Complexity (3 reviews)

### 13. [OpenText Static Application Security Testing](https://www.g2.com/products/opentext-static-application-security-testing/reviews)
  OpenText™ Static Application Security Testing (SAST) is a comprehensive solution designed to identify and remediate security vulnerabilities within an application's source code during the early stages of development. By analyzing code from the "inside out," SAST provides immediate feedback to developers, enabling them to address security issues promptly and effectively. Key Features and Functionality: - Extensive Language Support: Supports over 33 programming languages and more than 1,400 vulnerability categories, ensuring broad applicability across various development environments. - Integration with Development Tools: Seamlessly integrates with popular Integrated Development Environments (IDEs) such as Eclipse, Visual Studio, and JetBrains, as well as Continuous Integration/Continuous Deployment (CI/CD) tools like Jenkins and Bamboo, facilitating a smooth incorporation into existing workflows. - Scalable Deployment Options: Offers flexible deployment models, including on-premises, cloud-based, and Software as a Service (SaaS) solutions, allowing organizations to choose the setup that best fits their needs. - Advanced Analysis Capabilities: Utilizes multiple algorithms and an expansive knowledge base of secure coding rules to perform thorough code analysis, pinpointing the root causes of vulnerabilities and providing detailed remediation guidance. Primary Value and Problem Solved: OpenText SAST empowers organizations to proactively manage application security by detecting and addressing vulnerabilities early in the Software Development Life Cycle (SDLC). This proactive approach reduces the risk of security breaches, minimizes the cost and effort associated with late-stage remediation, and enhances the overall security posture of applications. By integrating security testing into the development process, OpenText SAST helps developers create more secure code, leading to robust and reliable software products.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 21

**User Satisfaction Scores:**

- **Test Automation:** 8.7/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.5/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.7/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 7.0/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [OpenText](https://www.g2.com/sellers/opentext)
- **Year Founded:** 1991
- **HQ Location:** Waterloo, ON
- **Twitter:** @OpenText (21,586 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2709/ (23,339 employees on LinkedIn®)
- **Ownership:** NASDAQ:OTEX

**Reviewer Demographics:**
  - **Top Industries:** Financial Services, Banking
  - **Company Size:** 50% Enterprise, 29% Small-Business


#### Pros & Cons

**Pros:**

- Easy Integrations (1 reviews)
- Integrations (1 reviews)
- Integration Support (1 reviews)

**Cons:**

- False Positives (1 reviews)

### 14. [Kiuwan Code Security & Insights](https://www.g2.com/products/kiuwan-code-security-insights/reviews)
  Fast, Flexible Code Security! Kiuwan is a robust, end-to-end application security platform that integrates seamlessly into your development process. Our toolset includes Static Application Security Testing (SAST), Software Composition Analysis (SCA), Software Governance and Code Quality, empowering your team to quickly identify and remediate vulnerabilities. By integrating seamlessly into your CI/CD pipeline, Kiuwan enables early detection and remediation of security issues. Kiuwan supports strict compliance with industry standards including OWASP, CWE, MISRA, NIST, PCI DSS, and CERT, among others. Top features: ✅ Extensive language support: Over 30 programming languages. ✅ Detailed action plans: Prioritize remediation with tailored action plans. ✅ Code Security: Seamless Static Application Security Testing (SAST) integration. ✅ Insights: On-demand or continuous scanning Software Composition Analysis (SCA) to help reduce third-party threats. ✅ One-click Software Bill of Materials (SBOM) generation. Kiuwan is now part of Sembi - a global portfolio of market-leading software brands focused on software quality, security, and developer productivity. Code Smarter. Secure Faster. Ship Sooner


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Test Automation:** 9.4/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.9/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.9/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.3/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Idera, Inc.](https://www.g2.com/sellers/idera-inc-6c9eda01-43cf-4bd5-b70c-70f59610d9a0)
- **Year Founded:** 1999
- **HQ Location:** Houston, TX
- **Twitter:** @MigrationWiz (483 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/bittitan (69 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Banking
  - **Company Size:** 41% Enterprise, 35% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy (2 reviews)
- Accuracy of Findings (2 reviews)
- Customer Support (2 reviews)
- Ease of Use (2 reviews)
- Automation Testing (1 reviews)


### 15. [Checkmarx](https://www.g2.com/products/checkmarx/reviews)
  Checkmarx is a type of application security solution designed to help organizations safeguard their software development processes while enhancing efficiency and reducing costs. The Checkmarx One platform stands out in the realm of enterprise-grade security, offering comprehensive protection that addresses the complexities of modern software development, including legacy systems and AI-generated code. By scanning trillions of lines of code annually, Checkmarx enables companies to significantly lower their vulnerability density, ensuring a robust defense against potential threats. The platform is particularly beneficial for software development teams, security professionals, and organizations that prioritize secure coding practices. With the increasing reliance on AI technologies and the rapid pace of software development, Checkmarx One provides essential tools to mitigate risks associated with both traditional and emerging programming languages. Its innovative architecture, powered by autonomous security agents and AI-native intelligence, allows organizations to integrate security seamlessly into their development workflows, thereby accelerating development velocity without compromising on safety. Key features of Checkmarx One include Triage Assist, which employs an autonomous AI agent to prioritize vulnerabilities based on real-world exploitability and contextual risk. This feature empowers teams to concentrate their efforts on the most critical issues rather than getting bogged down by static severity scores. Additionally, Remediation Assist generates review-ready fixes for validated vulnerabilities prior to code merges, streamlining the secure delivery process and minimizing the manual overhead typically associated with remediation tasks. Developer Assist is another notable feature, acting as a standalone security agent that identifies risks during the coding process. By providing safe, explainable, and verified fixes directly within the integrated development environment (IDE), it supports developers in maintaining a stable and rapid development pace. Furthermore, the platform includes AI Supply Chain Security, which offers centralized governance and visibility for AI components embedded in applications, ensuring that hidden AI assets are discovered and managed effectively. Lastly, Checkmarx One incorporates advanced analysis engines such as AI SAST and DAST for AI, which enhance security measures across various environments. The AI SAST feature expands detection capabilities to cover emerging and unsupported programming languages, while the DAST for AI strengthens runtime protection in continuous integration and deployment (CI/CD) settings. Together, these features position Checkmarx One as a comprehensive solution for organizations looking to fortify their software development lifecycle against evolving threats.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 32

**User Satisfaction Scores:**

- **Test Automation:** 8.3/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.3/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 5.6/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Checkmarx](https://www.g2.com/sellers/checkmarx)
- **Company Website:** https://www.checkmarx.com
- **Year Founded:** 2006
- **HQ Location:** Paramus, NJ
- **Twitter:** @Checkmarx (7,266 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/checkmarx (997 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 58% Enterprise, 25% Mid-Market


#### Pros & Cons

**Pros:**

- Implementation Ease (2 reviews)
- User Interface (2 reviews)
- Accuracy of Results (1 reviews)
- Automation Testing (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- False Positives (1 reviews)
- Lacking Features (1 reviews)
- Missing Features (1 reviews)
- Poor Navigation (1 reviews)

### 16. [Veracode Application Security Platform](https://www.g2.com/products/veracode-application-security-platform/reviews)
  Veracode helps companies that innovate through software deliver secure code on time. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline,empower developers to fix security defects, and scales your program through best practices to achieve your desired outcomes. Veracode covers your all your AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe and mobile apps.


  **Average Rating:** 3.8/5.0
  **Total Reviews:** 24

**User Satisfaction Scores:**

- **Test Automation:** 9.2/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 7.9/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.0/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.3/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [VERACODE](https://www.g2.com/sellers/veracode)
- **Year Founded:** 2006
- **HQ Location:** Burlington, MA
- **Twitter:** @Veracode (21,992 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/27845/ (505 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 72% Enterprise, 28% Mid-Market


#### Pros & Cons

**Pros:**

- Security (2 reviews)
- Vulnerability Detection (2 reviews)
- Accuracy of Results (1 reviews)
- Automated Scanning (1 reviews)
- Code Quality (1 reviews)

**Cons:**

- Expensive (1 reviews)
- Licensing Issues (1 reviews)
- Pricing Issues (1 reviews)

### 17. [Invicti (formerly Netsparker)](https://www.g2.com/products/invicti-formerly-netsparker/reviews)
  Invicti is an automated application and API security testing solution that allows enterprise organizations to secure thousands of websites, web apps, and APIs and dramatically reduce the risk of attack. By empowering security teams with the most unique DAST + IAST scanning capabilities on the market, Invicti allows organizations with complicated environments to confidently automate their web application and API security. With Invicti, security teams can: - Automate security tasks and save hundreds of hours each month - Gain complete visibility into all your applications — even those that are lost, forgotten, or hidden - Automatically give developers rapid feedback that trains them to write more secure code — so they create fewer vulnerabilities over time - Feel confident that you are equipped with the most powerful application security scanning tool on the market You have the most demanding security needs, and Invicti is the best-in-class application security solution you deserve.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 65

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.9/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [Invicti Security](https://www.g2.com/sellers/invicti-security-04cb0d3d-fd96-45b2-83dc-2038fc9dac92)
- **Company Website:** https://www.invicti.com/
- **Year Founded:** 2018
- **HQ Location:** Austin, Texas
- **Twitter:** @InvictiSecurity (2,565 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/invicti-security/people/ (332 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 47% Enterprise, 26% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (9 reviews)
- Scanning Technology (7 reviews)
- Features (6 reviews)
- Reporting Quality (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Poor Customer Support (3 reviews)
- Slow Performance (3 reviews)
- Slow Scanning (3 reviews)
- API Issues (2 reviews)
- Complex Setup (2 reviews)

### 18. [HCL AppScan](https://www.g2.com/products/hcl-appscan/reviews)
  HCL AppScan is a comprehensive suite of market-leading application security testing solutions (SAST, DAST, IAST, SCA, API), available on-premises and on-cloud. These powerful DevSecOps tools pinpoint application vulnerabilities, allowing for quick remediation in every phase of the software development lifecycle. Fast and Accurate Scanning for Secure DevOps Developers and DevOps teams can quickly and accurately scan code, applications, and APIs for security vulnerabilities while applications are being developed. This allows companies to fix issues at the earliest stages of the software development lifecycle, when it is least costly to the business. Focus on the Fix Continuous monitoring with IAST, along with auto issue correlation with DAST and SAST scan results allows DevOps teams to group and prioritize findings for faster, more streamlined remediation. Enterprise Management for Security Teams Centralized, easy-to-use dashboards provide visibility and oversight of all security scanning and remediation, and allow users to set scan parameters and compliance policies.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 74

**User Satisfaction Scores:**

- **Test Automation:** 8.4/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.5/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.3/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [HCL Technologies](https://www.g2.com/sellers/hcl-technologies)
- **Year Founded:** 1999
- **HQ Location:** Noida, Uttar Pradesh
- **Twitter:** @hcltech (425,575 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1756/ (251,431 employees on LinkedIn®)
- **Ownership:** NSE - National Stock Exchange of India

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 54% Enterprise, 28% Small-Business


### 19. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
  JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 112

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.5/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.4/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,164 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,292 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** DevOps Engineer, Software Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 51% Enterprise, 32% Mid-Market


#### Pros & Cons

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)

### 20. [NowSecure](https://www.g2.com/products/nowsecure/reviews)
  NowSecure Inc., based in Oak Park, Illinois, was formed in 2009 with a mission to advance mobile security worldwide. We help secure mobile devices, enterprises and mobile apps.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 27

**User Satisfaction Scores:**

- **Test Automation:** 7.9/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.7/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 8.3/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [NowSecure](https://www.g2.com/sellers/nowsecure)
- **Year Founded:** 2009
- **HQ Location:** Chicago, Illinois
- **Twitter:** @nowsecuremobile (6,389 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/nowsecure (104 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 41% Mid-Market, 37% Enterprise


### 21. [Codacy](https://www.g2.com/products/codacy/reviews)
  Codacy is the only DevSecOps platform that delivers plug-and-play code health and security scanning for AI and human generated code. Future-proof your software – from source code to runtime – without extra servers or build steps. Deploy within minutes and stay ahead of emerging risks today. BUILT FOR HUMANS, READY FOR AI Seamless Git and IDE integrations make Codacy a daily coach your devs can trust, not just another browser tab. AI-generated code is no exception – leaving up to 50% of your codebase exposed to a new wave of zero-days. Empower your devs to use Copilot and Cursor with confidence, not concern. CODE HEALTH & SECURITY FOR ANY STACK While healthy coding standards make your apps and infra run smoothly, Codacy equips your devs with the largest AppSec suite on the market – SAST, hardcoded secrets, dependency checks, SBOM, license scanning, DAST, and pentesting – safeguarding your business every step of the way. PIPELINE-LESS CODE AND RUNTIME SCANS Codacy scans run entirely in the cloud, eliminating the need for servers or build steps. A simple one-click webhook integration gets every commit and Pull Request scanned on the fly, across 49 languages and frameworks – ready for codebases of any size and flavor, and SOC 2 Type 2 certified.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.1/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [Codacy](https://www.g2.com/sellers/codacy)
- **Year Founded:** 2012
- **HQ Location:** Lisbon, Lisboa
- **Twitter:** @codacy (5,025 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/3310124/ (73 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 59% Small-Business, 24% Mid-Market


#### Pros & Cons

**Pros:**

- Security (2 reviews)
- Automation (1 reviews)
- Automation Testing (1 reviews)
- Code Quality (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Expensive (1 reviews)

### 22. [GuardRails](https://www.g2.com/products/guardrails-guardrails/reviews)
  GuardRails is an end-to-end security platform that makes AppSec easier for both security and development teams. We scan, detect, and provide real-time guidance to fix vulnerabilities early. Trusted by hundreds of teams around the world to build safer apps, GuardRails integrates seamlessly into the developers’ workflow, quietly scans as they code, and shows how to fix security issues on the spot via Just-in-Time training. GuardRails commits to keeping the noise low and only reporting high-impact vulnerabilities that are relevant to your organization. GuardRails helps organizations shift security everywhere and build a strong DevSecOps pipeline, so they can go faster to market without risking security.


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Test Automation:** 10.0/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.1/10)
- **Quality of Support:** 8.5/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 9.2/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [GuardRails](https://www.g2.com/sellers/guardrails)
- **Year Founded:** 2017
- **HQ Location:** Singapore, Singapore
- **Twitter:** @guardrailsio (1,554 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/13599521 (13 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Financial Services
  - **Company Size:** 52% Small-Business, 48% Mid-Market


#### Pros & Cons

**Pros:**

- Security (13 reviews)
- Vulnerability Detection (11 reviews)
- Ease of Use (9 reviews)
- Error Reduction (9 reviews)
- Threat Detection (9 reviews)

**Cons:**

- Missing Features (4 reviews)
- Time Management (3 reviews)
- Bug Issues (2 reviews)
- Dashboard Issues (2 reviews)
- False Positives (2 reviews)

### 23. [ZeroPath](https://www.g2.com/products/zeropath/reviews)
  ZeroPath (YC S24) is the first AI-native application security platform that fundamentally reimagines how organizations find and fix vulnerabilities. Unlike deterministic SAST tools that bolt AI onto legacy rule engines, ZeroPath was built from the ground up to combine large language models with advanced program analysis (AST, data flow, taint tracking) by Ex-Tesla Red Team and Google Security engineers. ZeroPath's core differentiation is detecting critical vulnerabilities that pattern-matching SAST fundamentally cannot find. It catches IDORs, authorization bypasses, race conditions, and authentication bugs by reasoning about application behavior and developer intent. This capability achieved a 92% alert reduction when triaging findings from legacy tools. ZeroPath is best suited for enterprises and startups that want a complete appsec experience with: AI-powered SAST across 16+ languages, SCA with exploitability analysis (90% noise reduction by determining if dependency CVEs are actually reachable in your code), secrets detection with validation, IaC scanning for Terraform/CloudFormation/Kubernetes, and natural language security policies. Context-aware autopatch generation fixes 70% of vulnerabilities automatically with framework-specific patches that match your coding standards. To keep the developer experience seamless, ZeroPath integrates into existing workflows with zero configuration. It provides Sub-60-second PR scans on GitHub, GitLab, Bitbucket, and Azure DevOps to provide instant security feedback without blocking development. Developers receive clear explanations, one-click fixes, and can refine patches using natural language commands directly in PR comments. The platform automatically attributes vulnerabilities to responsible developers and syncs bidirectionally with Jira, Linear, and more. Overall, less noise, along with the breadth of integrations, has already made security teams faster in triaging and finding real vulnerabilities. Having been security engineers ourselves, we also understand how important visibility is for the evaluations. ZeroPath users get executive dashboards with real-time MTTR tracking, automated compliance reporting for SOC2 and ISO27001, and risk-based prioritization using CVSS 4.0 scoring. The platform provides complete visibility across organizational repositories, including security models, authentication patterns, and filtering logic, without manual configuration. Our research team dogfeeds our own technology and has discovered CVE-2025-61928 (critical account takeover in better-auth with 300k+ weekly downloads), identified 170+ verified bugs in curl, found 7 vulnerabilities in django-allauth enabling account impersonation, and discovered 0-days in production systems at Netflix, Hulu, and Salesforce. Currently trusted by 750+ companies running 200k+ scans monthly, ZeroPath delivers what security-conscious engineering teams need: more real vulnerabilities, dramatically less noise, and automated fixes that actually work.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 11

**User Satisfaction Scores:**

- **Test Automation:** 10.0/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 10.0/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.4/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [ZeroPath](https://www.g2.com/sellers/zeropath)
- **Company Website:** https://zeropath.com
- **Year Founded:** 2024
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** https://www.linkedin.com/company/zeropathai/ (9 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 36% Small-Business, 27% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy (6 reviews)
- Accuracy of Findings (6 reviews)
- Security (6 reviews)
- Vulnerability Detection (5 reviews)
- Vulnerability Identification (4 reviews)

**Cons:**

- Bug Issues (2 reviews)
- Bugs (2 reviews)
- Software Bugs (2 reviews)
- Cost Issues (1 reviews)
- Dashboard Issues (1 reviews)

### 24. [Appknox](https://www.g2.com/products/appknox/reviews)
  Appknox is an on-demand mobile application security platform that helps businesses detect and fix security vulnerabilities using an Automated Security Testing suite. We have been successfully reducing delivery timelines, manpower costs & mitigating security threats for Global Banks and Enterprises in 10 + countries.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 40

**User Satisfaction Scores:**

- **Test Automation:** 8.6/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.8/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.2/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 9.2/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Appknox](https://www.g2.com/sellers/appknox)
- **Year Founded:** 2014
- **HQ Location:** Singapore, Singapore
- **Twitter:** @appknox (3,063 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/3771872/ (82 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Financial Services
  - **Company Size:** 40% Small-Business, 37% Mid-Market


### 25. [Rainforest Application](https://www.g2.com/products/rainforest-technologies-rainforest-application/reviews)
  Rainforest is the all-in-one cyber security platform with an end-to-end approach to simplify corporate reputation protection by using multiple intelligences and proactive observability, adding Application and Cloud Security (from DevOps to DevSecOps), Vulnerability Intelligence, and Brand reputation (Fraud and Leak monitoring). Rainforest Application, Rainforest Cloud, and Rainforest Asset modules allow development and security teams have visibility of all applications lifecycle, in a simple and quick way, providing vulnerability management always that a new line is coded. Rainforest Fraud, Rainforest Leak, and Rainforest Asset build an integrated vision of Vulnerability and Brand Intelligence, guiding security and compliance teams in an efficient manner on potential exposure points, according to their importance to the business regarding the company's reputation.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 12

**User Satisfaction Scores:**

- **Test Automation:** 9.0/10 (Category avg: 8.6/10)
- **Has the product been a good partner in doing business?:** 9.8/10 (Category avg: 9.1/10)
- **Quality of Support:** 9.8/10 (Category avg: 9.2/10)
- **Black-Box Scanning:** 9.0/10 (Category avg: 8.2/10)


**Seller Details:**

- **Seller:** [Rainforest Technologies](https://www.g2.com/sellers/rainforest-technologies)
- **HQ Location:** Wilmington, Delaware
- **LinkedIn® Page:** https://www.linkedin.com/company/80967943 (12 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 42% Mid-Market, 42% Small-Business




## Parent Category

[DevSecOps Software](https://www.g2.com/categories/devsecops)



## Related Categories

- [Static Code Analysis Tools](https://www.g2.com/categories/static-code-analysis)
- [Vulnerability Scanner Software](https://www.g2.com/categories/vulnerability-scanner)
- [Dynamic Application Security Testing (DAST) Software](https://www.g2.com/categories/dynamic-application-security-testing-dast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Secure Code Review Software](https://www.g2.com/categories/secure-code-review)
- [Interactive Application Security Testing (IAST) Software](https://www.g2.com/categories/interactive-application-security-testing-iast)
- [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)