Best Static Application Security Testing (SAST) Software

Static application security testing (SAST) software inspects and analyzes an application's code to discover security vulnerabilities without executing it. These tools are frequently used by companies with continuous delivery practices to identify flaws prior to deployment. SAST tools provide vulnerability information and remediation suggestions for development teams to act on. SAST tools overlap with static code analysis software, but SAST products focus on security testing, whereas static code analysis products combine a number of analytical practices, test management, and team collaboration features.

To qualify for inclusion in the Static Application Security Testing (SAST) category, a product must:

  • Test applications to identify vulnerabilities
  • Not execute code during testing, or have the ability to run static tests
  • Provide information on relative vulnerabilities and exploits
G2 Grid® for Static Application Security Testing (SAST)

Static Application Security Testing (SAST) reviews by real, verified users. Find unbiased ratings on user satisfaction, features, and price based on the most reviews available anywhere.

Compare Static Application Security Testing (SAST) Software

Results: 37
G2 takes pride in showing unbiased ratings on user satisfaction. G2 does not allow for paid placement in any of our ratings.

    Coverity static analysis by Synopsys helps development and security teams find and fix defects and security flaws in code as it’s being written. Coverity is highly accurate, supports thousands of developers, and quickly analyzes large projects exceeding 100 million lines of code, helping your teams build secure, high-quality software faster.

    IBM Security AppScan Standard protects against web application attacks and expensive data breaches by automating application security vulnerability testing. Avoid security vulnerabilities: use automated dynamic security testing and advanced static analysis ("black box" and "white box") to detect developing security issues. Empower accurate scanning: scan websites to identify embedded vulnerabilities, and simplify interpretation of scan results with scan-specific explanations of each issue. Get quick remediation: fix high-priority problems first with streamlined remediation, and make fixes quickly with the provided remediation steps, including code examples and a task list.

    AttackFlow is a solution that helps find security and quality weaknesses in software by analyzing the code.

    Checkmarx is the Software Exposure Platform for the enterprise. Over 1,400 organizations around the globe rely on Checkmarx to measure and manage software risk at the speed of DevOps. Checkmarx serves five of the world’s top 10 software vendors, four of the top American banks, and many government organizations and Fortune 500 enterprises, including SAP, Samsung, and Learn more at or follow us on Twitter: @checkmarx.

    bugScout is a next-gen SAST platform for detecting vulnerabilities in application and website source code, designed by ethical hackers and cybersecurity analysts coming out of Deloitte's European cyberthreat SOC competency center. Today, source code security audits are snapshots that define the status at a point in time and deliver reports that are already out of date by the time they are finished, because the development process is continuous. With its fast performance and scalability, bugScout enables continuous source code analysis. Security audits can keep pace with the speed of the development process, and role-based reports facilitate communication between security analysts and developers to help identify vulnerabilities, pinpoint the causes, and remediate the problems.

    Peach Fuzzer is an automated security testing platform that prevents zero-day attacks by finding vulnerabilities in hardware and software systems.

    Qualys WAS is Qualys's platform for end-to-end web application scanning.

    WhiteHat Security is a leader and pioneer in the field of application security. We combine technology and human intelligence to deliver solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites.

    AppSpider is a dynamic application security testing (DAST) solution.

    The latest Minded Security Labs project concerns JavaScript security. We have released a tool called BlueClosure which helps security testers analyze and discover client-side security issues.

    Code Dx Enterprise takes the results of all of your scans, processes them, and gives you a short list with no duplicates. It even points out which vulnerabilities were found by more than one tool, and provides an easy interface to prioritize each one based on severity. This can cut your testing time down, and get your application secured without falling behind schedule.

    CodePeer is an Ada source code analyzer that detects run-time and logic errors. It assesses potential bugs before program execution, serving as an automated peer reviewer, helping to find errors easily at any stage of the development life-cycle. CodePeer helps you improve the quality of your code and makes it easier for you to perform safety and/or security analysis.

    CodeSonar, GrammaTech's flagship static analysis SAST tool, identifies bugs that can result in system crashes, unexpected behavior, and security breaches.

    Businesses can focus on what matters to them, remaining highly agile, without putting the organization at risk.

    Secure Your Code from the Very Beginning

    Devknox is a security plugin for the Android Studio IDE that detects and corrects security issues in real time as you write code. Simply install the plugin and let Devknox detect, suggest, and remediate all your security threats while you code and build your app.

    It's stunning. bDefend creates powerful behavior fingerprints and makes new malware signatures for all to use. We defend against viruses that others can't detect.

    You know that uploading unknown code leads to unknown consequences. So why risk it? bDetect takes a quick look and identifies what code is Safe, Suspicious, or Malicious.

    Jtest helps development teams produce better code, test it more efficiently, and consistently monitor progress toward quality goals.

    Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration into your SDLC.

    Integrated secure development, security testing and continuous monitoring.

    Fortify Static Code Analyzer is designed to identify security vulnerabilities in the user's source code early in the software development lifecycle and provides best practices so developers can code more securely.

    Focused on development teams, reshift is a source code analysis tool that automates finding vulnerabilities in source code and reduces the effort needed to remediate them.

    RIPS is the code analysis solution dedicated to the PHP language. It supports all major PHP frameworks, SDLC integration, relevant industry standards and can be deployed as a self-hosted software or used as a cloud service.

    Security Testing works with you to create your customized security solution after assessing your current security measures.

    SnappyTick helps identify vulnerabilities during source code review.

    Sparrow SAST is designed to detect security weaknesses in source code with its semantics-based static program analysis engine.

    Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

    Threatcare is a cybersecurity platform that allows organizations to simulate intrusions on their network to help improve their people's performance, their processes, and their product utilization.

    DefenseCode ThunderScan is a SAST (Static Application Security Testing, white-box testing) solution for performing extensive security audits of application source code. ThunderScan is easy to use, requires almost no user input, and can be deployed during or after development. It is an efficient alternative to the demanding and time-consuming procedure of manual code review. ThunderScan performs fast and accurate analyses of large and complex source code projects, delivering precise results with a low false-positive rate.

    TrueCode is a static application security testing solution.

    Wallarm is an AI-powered application security solution for the teams launching new modular software services or upgrading their existing web applications to a new stack. Wallarm includes an adaptive Next Gen WAF, attack sandboxing, vulnerability scanner and development time testing modules.

    Webreaver is a web application vulnerability scanner.

    WhiteHat Sentinel Source, a part of the WhiteHat Application Security Platform, is our static application security testing (SAST) product. It is used for scanning source code in the most commonly used programming languages, identifying vulnerabilities, and providing actionable vulnerability reports, as well as offering Software Composition Analysis and ready-to-implement code fixes for certain vulnerabilities. Scanning of binary files for certain languages is also available.