# Best Static Application Security Testing (SAST) Software - Page 4

  *By [Lauren Worth](https://research.g2.com/insights/author/lauren-worth)*

   Static application security testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing code. These tools are frequently used by companies with [continuous delivery](https://www.g2.com/categories/continuous-delivery) practices to identify flaws prior to deployment. SAST tools provide vulnerability information and remediation suggestions for development teams to resolve. There is relation and overlap between SAST tools and [static code analysis](https://www.g2.com/categories/static-code-analysis) software, but SAST products are more focused on security testing. Static code analysis products, on the other hand, combine a number of analytical practices, test management, and team collaboration features.

[SAST vs DAST](https://research.g2.com/blog/sast-vs-dast) — Learn the difference

To qualify for inclusion in the Static Application Security Testing (SAST) category, a product must:

- Test applications to identify vulnerabilities
- Not execute code during testing, or have the ability to run static tests
- Provide information on relative vulnerabilities and exploits

## Best Static Application Security Testing (SAST) Software At A Glance

- **Leader:** [GitHub](https://www.g2.com/products/github/reviews)
- **Highest Performer:** [Kiuwan Code Security & Insights](https://www.g2.com/products/kiuwan-code-security-insights/reviews)
- **Easiest to Use:** [GitGuardian](https://www.g2.com/products/gitguardian/reviews)
- **Top Trending:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Best Free Software:** [GitHub](https://www.g2.com/products/github/reviews)



## Top-Rated Products (Ranked by G2 Score)

### 1. [Corgea](https://www.g2.com/products/corgea/reviews)

AI Powered SAST

**Seller Details:**

- **Seller:** [Corgea](https://www.g2.com/sellers/corgea)
- **Year Founded:** 2023
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** https://www.linkedin.com/company/corgea (6 employees on LinkedIn®)



### 2. [Devknox](https://www.g2.com/products/devknox/reviews)

Devknox is a security plugin for the Android Studio IDE that detects and corrects security issues in real time as you write code. Simply install the plugin and let Devknox detect, suggest, and remediate all your security threats while you code and build your app.

**Seller Details:**

- **Seller:** [Appknox](https://www.g2.com/sellers/appknox)
- **Year Founded:** 2014
- **HQ Location:** Singapore, Singapore
- **Twitter:** @appknox (3,062 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/3771872/ (80 employees on LinkedIn®)



### 3. [Enso Security](https://www.g2.com/products/enso-security/reviews)

Enso Application Security Posture is a platform for AppSec teams to manage their day-to-day work, implement their security strategy into an AppSec organizational program, enforce it, and automate it, all in a scalable, rapidly changing environment. AppSec teams struggle with prioritization: they may have a vision and concept of how to handle AppSec, but they don’t know where to invest and what actions to take. To keep up with R&D velocity and scale, Enso provides full visibility on the application inventory, focuses the AppSec teams on the most important tasks and insights, and takes a policy-based “call to action” approach so that AppSec professionals won’t waste their time looking for application changes, prioritizing, or doing manual work.

**Seller Details:**

- **Seller:** [Enso Security](https://www.g2.com/sellers/enso-security)
- **HQ Location:** Boston, Massachusetts, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/enso-security/ (1,331 employees on LinkedIn®)



### 4. [Fluid Attacks Continuous Hacking](https://www.g2.com/products/fluid-attacks-continuous-hacking/reviews)

Implement Fluid Attacks' comprehensive, AI-powered solution into your SDLC and develop secure software without delays. As an all-in-one solution, Fluid Attacks accurately finds and helps you remediate vulnerabilities throughout the SDLC and ensures secure software development. The solution integrates its AI, automated tool, and team of pentesters to perform SAST, SCA, DAST, CSPM, SCR, PtaaS and RE to help you improve your security posture. This way, Fluid Attacks delivers accurate knowledge of the security status of your application. This means security goes alongside innovation without hindering your speed. Fluid Attacks provides you with expert knowledge about vulnerabilities and support options that enable you to remediate the security issues in your application.

**Seller Details:**

- **Seller:** [Fluid Attacks](https://www.g2.com/sellers/fluid-attacks)
- **Year Founded:** 2001
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** https://www.linkedin.com/company/fluidattacks/ (136 employees on LinkedIn®)
- **Phone:** +14154042154



### 5. [ForAllSecure](https://www.g2.com/products/forallsecure/reviews)

Mayhem Security, formerly known as ForAllSecure, is a provider of autonomous application security solutions designed to identify and remediate vulnerabilities in software applications and APIs. Leveraging advanced artificial intelligence and dynamic analysis techniques, Mayhem Security offers a comprehensive platform that integrates seamlessly into development workflows, enabling organizations to enhance their security posture without compromising development speed.

**Key Features and Functionality:**

- **Code Security:** Mayhem tests applications by simulating real-world attack scenarios, pinpointing vulnerabilities, and guiding rapid remediation efforts.
- **API Security:** The platform provides continuous validation and verification of APIs, ensuring they are robust against potential threats.
- **Dynamic Software Bill of Materials (SBOM):** Mayhem's Dynamic SBOM reduces security alert noise by up to 80% by analyzing an application's runtime behavior to identify only exploitable vulnerabilities, thereby minimizing false positives.
- **Advanced Fuzz Testing:** Utilizing AI-powered, network-aware fuzzing combined with symbolic execution, Mayhem conducts intelligent triage to uncover defects that might otherwise go unnoticed.
- **Seamless Integration:** Mayhem integrates with popular development tools and platforms, including GitHub, Jenkins, GitLab, Jira, Slack, and more, facilitating easy adoption into existing workflows.

**Primary Value and Problem Solved:** Mayhem Security addresses the critical challenge of securing software applications in an era of rapid development and deployment. By automating the process of vulnerability detection and remediation, Mayhem enables development teams to focus on innovation while ensuring their applications are secure. The platform's ability to reduce false positives and provide actionable insights accelerates the development lifecycle, enhances software reliability, and protects organizations from potential cyber threats.

**Seller Details:**

- **Seller:** [ForAllSecure](https://www.g2.com/sellers/forallsecure)
- **Year Founded:** 2012
- **HQ Location:** Pittsburgh, US
- **LinkedIn® Page:** https://www.linkedin.com/company/mayhemsecurity (21 employees on LinkedIn®)



  ### 6. [FuzzLabs](https://www.g2.com/products/fuzzlabs/reviews)
  FuzzLabs is the most comprehensive fuzzer for finding bugs and zero-day vulnerabilities in custom/proprietary products, protocols, and complex environments.




**Seller Details:**

- **Seller:** [Guardara](https://www.g2.com/sellers/guardara)
- **Year Founded:** 2018
- **HQ Location:** London, GB
- **LinkedIn® Page:** http://www.linkedin.com/company/guardara (1 employees on LinkedIn®)



  ### 7. [Hexway ASOC](https://www.g2.com/products/hexway-asoc/reviews)
  Universal DevSecOps platform to simplify vulnerability management. Assess, analyze, and assign vulnerabilities, ensuring a secure and controlled environment.




**Seller Details:**

- **Seller:** [Hexway](https://www.g2.com/sellers/hexway)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/hexway (2 employees on LinkedIn®)



### 8. [IDA Pro](https://www.g2.com/products/ida-pro/reviews)

IDA Pro is a state-of-the-art, multi-processor disassembler and debugger developed by Hex-Rays. It is widely recognized as the gold standard for reverse engineering and binary analysis, enabling professionals to dissect and understand complex software executables across various platforms. With over thirty years of development, IDA Pro combines powerful static and dynamic analysis tools, offering unparalleled support for a vast array of processor architectures and file formats. Its interactive and programmable environment allows users to navigate through disassembled code efficiently, making it an indispensable tool for malware analysis, vulnerability research, and software debugging.

**Key Features and Functionality:**

- **Multitarget Disassembler:** Supports disassembly for over 60 processor families, allowing analysis of diverse binary files.
- **Integrated Debugger:** Facilitates dynamic analysis with support for local and remote debugging across multiple platforms.
- **Decompilers:** Generates high-level, readable pseudocode from machine code, enhancing code comprehension.
- **Extensibility:** Offers APIs, SDKs, and scripting capabilities (including IDAPython) for automation and customization.
- **Interactive Interface:** Allows users to edit and redefine disassembly outputs, providing an intuitive analysis experience.
- **Security and Reliability:** Undergoes continuous improvement with regular updates, rigorous testing, and secure coding practices.

**Primary Value and User Solutions:** IDA Pro addresses the critical need for in-depth binary code analysis by providing a comprehensive suite of tools that transform complex machine code into human-readable formats. This capability is essential for cybersecurity professionals, malware analysts, and software developers who require a deep understanding of software behavior, vulnerabilities, and potential threats. By offering both static and dynamic analysis features, along with extensive customization options, IDA Pro empowers users to efficiently reverse-engineer software, identify security flaws, and develop robust solutions to mitigate risks.

**Seller Details:**

- **Seller:** [Hex-Rays](https://www.g2.com/sellers/hex-rays)
- **Year Founded:** 2005
- **HQ Location:** Liège, BE
- **LinkedIn® Page:** https://www.linkedin.com/company/hex-rays-sa (31 employees on LinkedIn®)



### 9. [IMCA.AI Code Vulnerability Scanner](https://www.g2.com/products/imca-ai-code-vulnerability-scanner/reviews)

IMCA.AI helps organizations **detect malicious and intentionally hidden code** that traditional security scanners miss. Using agentic AI workflows and RAG, IMCA analyzes source code contextually to **uncover backdoors, insider threats, supply-chain risks, and obfuscated attack patterns** — across proprietary and open-source codebases. Our platform **reduces manual review effort by up to 90%**, integrates into CI/CD pipelines, and supports secure deployment in SaaS, private cloud, or Swiss-hosted environments. IMCA.AI extends existing SAST tools — so security teams can see what others don’t.

**Seller Details:**

- **Seller:** [IMCA.AI](https://www.g2.com/sellers/imca-ai)
- **HQ Location:** Zug, CH
- **LinkedIn® Page:** https://www.linkedin.com/company/imca-ai/ (2 employees on LinkedIn®)



### 10. [ImmuniWeb® Neuron Mobile](https://www.g2.com/products/immuniweb-neuron-mobile/reviews)

**Premium Mobile Application Security Scanning.** ImmuniWeb® Neuron Mobile unleashes the power of Machine Learning and AI to take SAST and DAST mobile security scanning to the next level. While detecting more vulnerabilities compared to traditional scanners, every vulnerability scan by Neuron Mobile is equipped with a contractual zero false-positives SLA.

**Seller Details:**

- **Seller:** [ImmuniWeb](https://www.g2.com/sellers/immuniweb-8be8a6d5-dde6-41c6-b289-3ad6257f0258)
- **Year Founded:** 2019
- **HQ Location:** Geneva, CH
- **Twitter:** @immuniweb (8,483 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/immuniweb/ (33 employees on LinkedIn®)



### 11. [IRIS](https://www.g2.com/products/codeeye-iris/reviews)

CodeEye's IRIS is a next-generation application security posture management (ASPM) platform that offers an all-in-one solution with real-time, AI-powered vulnerability and threat detection, correlation, prioritization, and remediation, easing the tension between time-to-market and risk mitigation.

**How it works:** Unlike traditional ASPM solutions, IRIS detects vulnerabilities within the product development lifecycle and application infrastructure, while simultaneously providing continuous penetration testing and attack surface management to production environments. IRIS detects, correlates, provides risk-based analysis, and prioritizes application security findings in real time with automated workflows for remediation – all within one platform. IRIS seamlessly integrates with your tools, pipelines, and workflows, and supports your favourite languages.

**Unlock the benefits:**

1. Centralize detection, prioritization, and remediation of application threats and vulnerabilities.
2. Real-time actionable insights.
3. Establish resilient DevSecOps processes based on risk management.
4. Implement automated workflows to accelerate the identification and resolution of application risks.
5. Adopt a straightforward licensing model.
6. Ability to measure the effectiveness of your application security program.
7. Deploy within 24 hours with simplicity and ease of operation.
8. Built-in policy compliance measures.

**Next-Gen ASPM Managed Service:** In today's digital landscape, organizations grapple with deciphering and prioritizing the criticality of code and application related threats and vulnerabilities. The scarcity and expense of specialized talent capable of bridging the gap between DevOps and SecOps exacerbates this challenge. CodeEye's expertise in Application Security provides a Continuous AppSec Partner, accelerating program maturity with expert guidance and advanced technology. Our IRIS Managed Service centralizes application risk management, helping you define compliance measures and policies for prioritization and remediation, ensuring you grasp and address program risk in real time.

**Key features:**

- **Static Application Security Testing (SAST):** Scans your source code for security risks before an issue goes to production.
- **Software Composition Analysis (SCA):** Continuously monitors your code for known vulnerabilities and other security risks.
- **Container Scanning:** Scans your container in real time for packages that contain security threats and vulnerabilities.
- **Dynamic Application Security Testing (DAST):** Dynamically tests your production applications for vulnerabilities through simulated attacks.
- **Attack Surface Management (ASM):** Continuously identifies, monitors, and manages external internet-connected assets for potential attack vectors and exposures.
- **Risk and Compliance:** Continuously evaluates regulatory and internal security policy compliance using real-time and historical reporting.

**Vendor of Record Award:** CodeEye's IRIS is recognized as a Vendor of Record by the Ministry of Government and Consumer Services for IT Security Products.

In 2024, NIST updated its Cyber Security Framework (CSF) with significant implications for security by design and secure SDLC. Our Risk and Compliance module supports compliance with NIST CSF 2.0 throughout the software development lifecycle. Gain a comprehensive view of various scanning modules aligned with the CSF's five core functions: Identify, Protect, Detect, Respond, and Recover.

- **Our difference:** An all-in-one platform with straightforward licensing and seamless integration. **Your results:** A tool that works with your existing tools and workflows, providing security without hidden costs or complexities.
- **Our difference:** Continuous penetration testing and attack surface management. **Your results:** Identify and close gaps before an attacker exploits them across your ever-changing attack surface.
- **Our difference:** Quick and easy deployment. **Your results:** Security monitoring and testing within 24 hours, without extensive setup or training.
- **Our difference:** Built-in risk and compliance policy module. **Your results:** Ensure regulatory and internal compliance with built-in policy measures aligned with industry standards like NIST CSF 2.0.
- **Our difference:** Automated workflows for remediation. **Your results:** Rapid risk mitigation, reducing the time, effort and cost of finding and fixing vulnerabilities to ensure continuous protection.
- **Our difference:** Real-time, AI-powered vulnerability detection. **Your results:** Immediately identify and address security threats with precise, actionable intelligence.
- **Our difference:** Threat and vulnerability detection, correlation, and risk-based analysis. **Your results:** Simplified security operations where critical vulnerabilities are addressed first.

**Seller Details:**

- **Seller:** [CodeEye](https://www.g2.com/sellers/codeeye)
- **Year Founded:** 2015
- **HQ Location:** Toronto, CA
- **Twitter:** @CodeEyeAI (6 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/15246398 (18 employees on LinkedIn®)



### 12. [IronSCAN](https://www.g2.com/products/ironscan/reviews)

Quick and reliable security assessment platform that scans your mobile application for vulnerabilities without the need for high-profile penetration tests. The IronSCAN assessment platform provides quick and easy vulnerability identification and remediation, without the need for custom plugins or programming. Scan across multiple platforms and applications with ease using integrated scanners. Audit your entire infrastructure in minutes, not days!

**Seller Details:**

- **Seller:** [SecIron](https://www.g2.com/sellers/seciron)
- **Year Founded:** 2017
- **HQ Location:** Tokyo, JP
- **LinkedIn® Page:** https://www.linkedin.com/company/seciron/ (15 employees on LinkedIn®)



### 13. [Mobix](https://www.g2.com/products/mobix/reviews)

Mobix is a SaaS mobile application testing platform that reduces application analysis costs and time, making test creation and finding vulnerabilities effortless. Mobix's unique characteristics include:

- Non-invasive tool, which augments existing SDLC (Software Development Life Cycle)
- Automates 90% of the entire test coverage for dynamic and static analysis
- No code, plug and play analysis
- Automated recording of tests
- Machine Learning to automatically adapt auto-tests
- Scalable multithread testing, custom scan rules
- Compliance to all major mobile security standards

**Seller Details:**

- **Seller:** [Swordfish Security](https://www.g2.com/sellers/swordfish-security)
- **HQ Location:** N/A



  ### 14. [Nullify](https://www.g2.com/products/nullify/reviews)
  Get autonomous AppSec engineers with one click. We build AI agents that autonomously perform the first level of application security in developer environments.




**Seller Details:**

- **Seller:** [Nullify](https://www.g2.com/sellers/nullify)
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** http://www.linkedin.com/company/nullifyai (27 employees on LinkedIn®)



### 15. [PHP Secure Vulnerability Scanner](https://www.g2.com/products/php-secure-vulnerability-scanner/reviews)

Every second, a website around the world is hacked. Over 60% of websites are vulnerable to SQL injection. Leakage of personal data, theft of money and even site destruction: this is what vulnerabilities in your sites and scripts can result in. PHP Secure is a code scanner that analyzes your PHP code for vulnerabilities. PHP Secure detects exploitable flaws—SQL injection, command injection, XSS, PHP serialize injection, RCE, double escaping, directory traversal, ReDoS—alerts you to the threat, and gives explicit reports and recommendations to fix them. PHP Secure Scanner is suitable for analyzing sites built on PHP, the Laravel framework, and the WordPress, Drupal and Joomla CMSs. It’s as simple as clicking the Scan button and uploading your code. You can also link your Git repository, which PHP Secure can automatically connect to and scan. After being scanned, code is immediately deleted from the server. When registering, you will get 6 months of free access to the PHP Secure scanner, while similar solutions, like the salary of a code security specialist, can cost $10,000 a month. A mega discount for new users while the product is in the beta phase. Hurry to take advantage of this limited-time offer!

**Seller Details:**

- **Seller:** [Julia K](https://www.g2.com/sellers/julia-k)
- **HQ Location:** N/A



### 16. [Proscan](https://www.g2.com/products/proscan/reviews)

Proscan is a unified application security platform designed to help organizations streamline the management of their security tools. By integrating multiple standalone solutions into a single cohesive experience, Proscan provides comprehensive security visibility across the entire software stack. This platform replaces the complexity of managing various tools for static analysis, dynamic testing, and dependency scanning, allowing teams to focus on building secure applications without the hassle of juggling disparate systems. The platform is particularly beneficial for security teams, developers, and engineering leaders who require a consolidated view of application security risks. Proscan combines nine specialized security scanners, including Static Application Security Testing (SAST), which analyzes source code in over 30 programming languages using advanced detection methods. Dynamic Application Security Testing (DAST) further enhances security by testing live applications, identifying vulnerabilities that may only become apparent during runtime. Additionally, Software Composition Analysis (SCA) evaluates open-source dependencies across 196 package ecosystems, helping organizations detect known vulnerabilities before they can impact production environments. Proscan's capabilities extend beyond code analysis. It includes scanning for hardcoded secrets, misconfigurations in Infrastructure-as-Code, and vulnerabilities in container images. The platform also offers API security testing that validates endpoints against the OWASP API Security Top 10, ensuring robust protection for applications that leverage APIs. For organizations developing AI-powered applications, Proscan features a dedicated AI and LLM security scanner that identifies potential risks associated with prompt injections and other vulnerabilities, utilizing over 4,600 techniques mapped to the OWASP LLM Top 10.

Artificial intelligence plays a crucial role in enhancing Proscan's efficiency and accuracy. The platform employs machine-learning algorithms to reduce false positives and prioritize vulnerabilities based on their potential impact. This intelligent approach allows teams to focus on the most critical security issues while providing clear explanations and actionable remediation guidance. Proscan integrates seamlessly into existing development workflows, offering IDE plugins and native CI/CD integrations that ensure security checks are part of the development process without causing disruptions. Compliance readiness is another key feature of Proscan, as it generates audit-ready reports aligned with major security standards, including OWASP Top 10, PCI DSS, HIPAA, and GDPR. This automated evidence collection simplifies the compliance process, providing organizations with the necessary documentation in various formats. Proscan is designed for security teams looking to consolidate fragmented toolchains, developers needing quick feedback, and managed security service providers managing multiple client environments, making it a versatile solution for modern application security challenges.

**Seller Details:**

- **Seller:** [Proscan](https://www.g2.com/sellers/proscan)
- **HQ Location:** N/A



  ### 17. [Puma Scan](https://www.g2.com/products/puma-scan/reviews)
  Puma Scan runs as engineers write code. Real-time results. Puma Scan Editions include Server, Azure DevOps and End User.




**Seller Details:**

- **Seller:** [Puma Scan](https://www.g2.com/sellers/puma-scan)
- **Year Founded:** 2016
- **HQ Location:** West Des Moines, US
- **Twitter:** @puma_scan (302 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/puma-security-llc/ (16 employees on LinkedIn®)



### 18. [PVS-Studio](https://www.g2.com/products/pvs-studio/reviews)

PVS-Studio is a SAST solution that helps enhance code quality, security, and safety. The analyzer detects bugs and potential vulnerabilities in C, C++, C#, and Java code on Windows, Linux, and macOS.

**Features**

- Supports various analysis types (intermodular, incremental, data flow analysis, taint analysis);
- Can be used offline;
- Provides cross-platform integration;
- Offers ways to handle false positives;
- Helps small and large teams maintain code quality.

**Pros**

- Quick and high-quality support from the analyzer developers;
- 900+ diagnostic rules with detailed descriptions and examples;
- Compliance with safety and security standards: OWASP TOP 10, MISRA C, C++, AUTOSAR, CWE;
- Detailed reports and reminders for developers and managers (Blame Notifier);
- User-friendly ways to handle legacy code, including mass suppression of analyzer’s warnings;
- Support of the Open Source Community, analysis of open-source projects;
- Integration with SonarQube.

**Pricing**

- In the commercial version, prices are set on request and can be changed depending on the required set of features;
- Free trial is available;
- PVS-Studio may offer a free licensing option to students, MVPs, public experts in security, and contributors to open-source projects.

  **Average Rating:** 5.0/5.0
  **Total Reviews:** 1

**User Satisfaction Scores:**

- **Quality of Support:** 10.0/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [PVS-Studio](https://www.g2.com/sellers/pvs-studio)
- **Year Founded:** 2008
- **HQ Location:** Astana, KZ
- **Twitter:** @Code_Analysis (5,912 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/pvs-studio/ (29 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 100% Small-Business


### 19. [Quokka Q-mast](https://www.g2.com/products/quokka-q-mast/reviews)

Designed for app development, Q-mast embeds security directly into your workflow to identify security, privacy, and compliance risks before the mobile app is released. With a design tailored for DevSecOps workflows, Q-mast supports continuous, automated security testing that aligns with tools like Jenkins, GitLab, and GitHub.

Q-mast capabilities:

- Automated scanning in minutes, no source code needed
- Analysis of compiled app binary, regardless of in-app or run-time obfuscations
- Precise SBOM generation and analysis for vulnerability reporting to specific library version, including embedded libraries
- Comprehensive static (SAST), dynamic (DAST), interactive (IAST), and forced-path execution app analysis
- Malicious behavior profiling, including app collusion
- Checks against privacy & security standards: NIAP, NIST, MASVS

**Seller Details:**

- **Seller:** [Quokka (formerly Kryptowire)](https://www.g2.com/sellers/quokka-formerly-kryptowire)
- **Year Founded:** 2011
- **HQ Location:** San Jose, US
- **LinkedIn® Page:** https://www.linkedin.com/company/quokka-io/ (53 employees on LinkedIn®)



  ### 20. [RIPS PHP Analyser](https://www.g2.com/products/rips-php-analyser/reviews)
RIPS is a code analysis solution dedicated to the PHP language. It supports all major PHP frameworks, SDLC integration, and relevant industry standards, and can be deployed as self-hosted software or used as a cloud service.




**Seller Details:**

- **Seller:** [RIPS Technologies](https://www.g2.com/sellers/rips-technologies-9dd80c95-3cb3-4465-bd48-26b3d0c20a57)
- **Year Founded:** 2008
- **HQ Location:** Vernier, Geneva, Switzerland
- **Twitter:** @ripstech (19 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (827 employees on LinkedIn®)



  ### 21. [Scantist](https://www.g2.com/products/scantist/reviews)
  Scantist is a spin-off company founded in 2016 working to commercialize the vulnerability research carried out at the Cyber Security Lab at Nanyang Technological University.




**Seller Details:**

- **Seller:** [Scantist](https://www.g2.com/sellers/scantist)
- **Year Founded:** 2016
- **HQ Location:** Singapore, SG
- **LinkedIn® Page:** https://www.linkedin.com/company/scantist (15 employees on LinkedIn®)



  ### 22. [Sec1 ProSAST](https://www.g2.com/products/sec1-prosast/reviews)
Sec1 is pioneering innovation in cybersecurity by developing advanced, AI-based products that predict and prevent cyber threats before they strike. The Sec1 platform offers the smartest way to stay ahead of vulnerabilities, ensuring security policies are enforced from one powerful, unified interface.

**Sec1's comprehensive suite of services includes:**

- Software Composition Analysis (SCA): Detect vulnerabilities in third-party components.
- Static Application Security Testing (SAST): Identify security issues in source code during development.
- Dynamic Application Security Testing (DAST): Simulate attacks to uncover vulnerabilities in running applications.
- World's Largest Vulnerability Database: AI-enhanced real-time threat insights.
- Fix Advisor and Auto Fixes: AI-driven, automated vulnerability remediation.
- Cloud Security & Container Scanning: Secure your cloud infrastructure and containerized applications.
- Penetration Testing & Cyber Risk Assessment: In-depth security evaluations to uncover risks and strengthen defences.
- AI-Based Notification Services: Personalized alerts on emerging threats.
- AI-Based Threat Predictor: AI-driven insights to predict and prevent future threats.
- Generative AI Security: Advanced security solutions for cloud environments and SCA.




**Seller Details:**

- **Seller:** [Sec1](https://www.g2.com/sellers/sec1)
- **Year Founded:** 2023
- **HQ Location:** Pune, IN
- **LinkedIn® Page:** https://www.linkedin.com/company/sec1 (14 employees on LinkedIn®)



  ### 23. [Seczone](https://www.g2.com/products/seczone/reviews)
**Products and Services:**

Seczone Group offers a comprehensive suite of products and services covering the entire software security development lifecycle (S-SDLC), including:

- CodeSec - Code Review Platform for Static Application Security Testing (SAST)
- VulHunter - Gray Box Security Testing Platform for Interactive Application Security Testing (IAST)
- SourceCheck - Open Source Component Security and Compliance Management Platform (SCA)
- SFuzz - Fuzz Testing Platform for identifying vulnerabilities through fuzzing techniques
- RASP - Real-Time Application Self-Protection Platform for runtime application self-protection
- S-SDLC - R&D Security Full Process Management Platform for end-to-end security management
- DevSecOps - Integrated Security Management Platform for R&D and Operations

Website: https://www.seczone.com/en/




**Seller Details:**

- **Seller:** [Seczone Group](https://www.g2.com/sellers/seczone-group)
- **Year Founded:** 2013
- **HQ Location:** Shenzhen, CN
- **LinkedIn® Page:** https://www.linkedin.com/company/seczone/ (24 employees on LinkedIn®)



  ### 24. [Silk Security](https://www.g2.com/products/silk-security/reviews)
Silk Security is a platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure, and application risk.




**Seller Details:**

- **Seller:** [Silk Security](https://www.g2.com/sellers/silk-security)
- **Year Founded:** 2022
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/silk-security/ (2 employees on LinkedIn®)



  ### 25. [Snappy Tick](https://www.g2.com/products/snappy-tick/reviews)
SnappyTick helps identify vulnerabilities during source code review.




**Seller Details:**

- **Seller:** [Snappycode Audit](https://www.g2.com/sellers/snappycode-audit)
- **HQ Location:** N/A
- **Twitter:** @snappycodeaudit (2 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/No-Linkedin-Presence-Added-Intentionally-By-DataOps (1 employee on LinkedIn®)





## Parent Category

[DevSecOps Software](https://www.g2.com/categories/devsecops)



## Related Categories

- [Static Code Analysis Tools](https://www.g2.com/categories/static-code-analysis)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Secure Code Review Software](https://www.g2.com/categories/secure-code-review)




