# Best Static Code Analysis Tools

  *By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*

   Static code analysis is the analysis of computer software performed without actually executing the code. Static code analysis tools scan all code in a project, seek out vulnerabilities, and validate the code against industry best practices; some also validate it against company-specific project specifications. Software development and quality assurance teams use these tools to ensure the quality and security of code and to confirm that project requirements are met. Static code analysis is a form of source code management: it can integrate with version control systems and run as a build automation task in continuous integration software.

To qualify as a static code analysis tool, a product must:

- Scan code without executing that code
- List security vulnerabilities after scanning
- Validate code against industry best practices
- Provide recommendations on where and how to fix issues





## Category Overview

**Total Products under this Category:** 128


## Trust & Credibility Stats

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 2,100+ Authentic Reviews
- 128+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Best Static Code Analysis Tools At A Glance

- **Leader:** [SonarQube](https://www.g2.com/products/sonarqube/reviews)
- **Highest Performer:** [Typo](https://www.g2.com/products/typo/reviews)
- **Easiest to Use:** [OpsPilot](https://www.g2.com/products/opspilot/reviews)
- **Top Trending:** [SonarQube](https://www.g2.com/products/sonarqube/reviews)
- **Best Free Software:** [SonarQube](https://www.g2.com/products/sonarqube/reviews)


---

**Sponsored**

### JFrog

JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.


---

## Top-Rated Products (Ranked by G2 Score)
### 1. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
  Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 138

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.5/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.5/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,923 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (929 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** DevOps Engineer, Software Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 42% Enterprise, 39% Mid-Market


#### Pros & Cons

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)

### 2. [Gearset DevOps](https://www.g2.com/products/gearset-devops/reviews)
  Gearset is the global leader in Salesforce DevOps. It’s a DevOps platform that helps organizations manage, automate, and govern the full Salesforce development lifecycle, from planning and deployment to testing, data management, and compliance. The platform is designed for Salesforce teams that need reliable, scalable DevOps processes across complex org environments. Gearset is used by mid-market and enterprise organizations across regulated and non-regulated industries, including healthcare, financial services, insurance, and technology. Typical users include Salesforce administrators, developers, DevOps engineers, release managers, and platform owners responsible for maintaining deployment quality, security, and operational consistency. The platform supports a wide range of Salesforce use cases, including metadata and CPQ deployments, CI/CD automation, code review workflows, sandbox seeding, test automation, and monitoring. As well as deployment automation, Gearset includes tools for Salesforce data protection and long-term data management, such as automated backups, data restore, and archiving. Observability and Org Intelligence features provide insight into org health, deployment risk, and system changes over time. Gearset also includes governance and compliance capabilities designed for enterprise environments. These features help teams maintain audit readiness and enforce access controls while supporting compliance frameworks such as SOX, ISO, HIPAA, and GDPR. The platform is delivered as a managed service and integrates with Salesforce environments without requiring complex local infrastructure. 
Key features and capabilities include:

- Salesforce metadata, CPQ, and data deployments with CI/CD automation and version control integration
- Code review, test automation, and release validation to support quality and consistency
- Automated Salesforce backups, restore, and data archiving for data protection and retention
- Sandbox seeding, observability, and Org Intelligence to support environment management and visibility
- Governance features including audit trails, role-based access controls, and compliance support

Gearset is a Salesforce Partner and has supported Salesforce teams globally since 2015. The platform is used by organizations managing multiple orgs (across regions), frequent releases, and complex compliance requirements, helping teams reduce deployment risk, improve operational visibility, and maintain control over Salesforce change management processes.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 269

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.5/10 (Category avg: 8.7/10)
- **Ease of Admin:** 9.3/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.2/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Gearset](https://www.g2.com/sellers/gearset)
- **Company Website:** https://www.gearset.com
- **Year Founded:** 2015
- **HQ Location:** Cambridge, Cambridgeshire
- **Twitter:** @GearsetHQ (1,195 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10478150/ (358 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Salesforce Developer, Salesforce Administrator
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 36% Mid-Market, 34% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (25 reviews)
- Deployment (21 reviews)
- Easy Deployment (17 reviews)
- Customer Support (16 reviews)
- Deployment Ease (15 reviews)

**Cons:**

- Deployment Issues (6 reviews)
- Complexity (4 reviews)
- Data Management (4 reviews)
- Expensive (4 reviews)
- Missing Features (4 reviews)

### 3. [Semgrep](https://www.g2.com/products/semgrep/reviews)
  Semgrep is a modern static analysis (SAST), software composition analysis (SCA), and secrets detection platform designed for both developers and security teams. It combines fast, deterministic analysis with context-aware AI that triages findings like a senior security engineer. The AI Assistant helps reduce false positives, prioritize meaningful results, and offers clear remediation guidance. Its “Memories” feature learns from past decisions to further reduce triage noise over time. Semgrep also supports deep analysis of transitive dependencies, not just direct ones, helping teams surface and address hidden risks in their supply chain. It integrates well into modern development workflows and is easy to customize across environments.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 55

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 8.7/10)
- **Ease of Admin:** 9.1/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.1/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Semgrep](https://www.g2.com/sellers/semgrep)
- **Company Website:** https://semgrep.dev
- **Year Founded:** 2017
- **HQ Location:** San Francisco, US
- **Twitter:** @semgrep (4,239 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/returntocorp (238 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 45% Enterprise, 42% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (16 reviews)
- Features (14 reviews)
- Vulnerability Detection (13 reviews)
- Scanning Efficiency (12 reviews)
- Security (12 reviews)

**Cons:**

- Not User-Friendly (7 reviews)
- Limited Features (6 reviews)
- Difficult Learning (5 reviews)
- Lack of Guidance (5 reviews)
- Learning Curve (5 reviews)

### 4. [Typo](https://www.g2.com/products/typo/reviews)
  Typo is an AI-driven software engineering intelligence platform that enables dev teams with real-time SDLC visibility, automated code reviews & DevEX insights to code better, deploy faster & stay aligned with business goals. It connects with the existing tool stack within 30 seconds & empowers with:

- Real-time SDLC visibility, DORA Metrics & Delivery Intelligence
- Automated code reviews, vulnerabilities & auto-fixes
- Developer experience insights & potential burnout zones

Join 1000+ high-performing engineering teams across the globe that are using Typo to ship reliable software faster. Start your 14-day free trial now at https://bit.ly/48xeRsc


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 150

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.8/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.9/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 9.8/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Typo](https://www.g2.com/sellers/typo)
- **Year Founded:** 2020
- **HQ Location:** Dover, US
- **Twitter:** @Typoapp_ (66 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/typoapp/about/ (76 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Senior Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 47% Mid-Market, 43% Small-Business


#### Pros & Cons

**Pros:**

- Metrics (18 reviews)
- Metrics Analysis (16 reviews)
- Features (15 reviews)
- Insights (15 reviews)
- PR Reviews (14 reviews)

**Cons:**

- Complex Configuration (5 reviews)
- Limited Features (5 reviews)
- Metrics Issues (5 reviews)
- Missing Features (5 reviews)
- Performance Issues (5 reviews)

### 5. [SoftSpell](https://www.g2.com/products/softspell/reviews)
  SoftSpell is an AI-powered platform that accelerates software delivery and simplifies legacy modernization. It transforms unstructured requirements and existing codebases into structured outputs, enabling faster development with clarity and control. By combining intelligent requirement analysis, context-aware code generation, and automated testing, it ensures end-to-end traceability while reducing manual effort and rework. SoftSpell integrates seamlessly into existing workflows, helping teams deliver high-quality software faster.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 34

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.9/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.3/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.4/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 0/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [SoftSpell](https://www.g2.com/sellers/softspell)
- **HQ Location:** Oak Brook, Illinois
- **LinkedIn® Page:** https://www.linkedin.com/company/softspell-ai/ (9 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Senior Software Engineer
  - **Top Industries:** Computer Software, Program Development
  - **Company Size:** 54% Enterprise, 37% Small-Business


#### Pros & Cons

**Pros:**

- Time-saving (18 reviews)
- Coding Assistance (17 reviews)
- Automation (15 reviews)
- Quality Improvement (14 reviews)
- Ease of Use (11 reviews)

**Cons:**

- Slow Performance (9 reviews)
- Prompt Issues (7 reviews)
- Limited Multimedia Support (2 reviews)
- UX Improvement (2 reviews)
- Browser Compatibility (1 review)

### 6. [CodeScene](https://www.g2.com/products/codescene/reviews)
  CodeScene is a code analysis, visualization, and reporting tool. Cross reference contextual factors such as code quality, team dynamics, and delivery output to get actionable insights to effectively reduce technical debt and deliver better code quality. We enable software development teams to make confident, data-driven decisions that fuel performance and developer productivity. CodeScene guides developers and technical leaders to:

- Get a holistic overview and evolution of your software system in one single dashboard.
- Identify, prioritize, and tackle technical debt based on return on investment.
- Maintain a healthy codebase with powerful CodeHealth™ Metrics, spend less time on rework and more time on innovation.
- Seamlessly integrate with Pull Requests and editors, get actionable code reviews and refactoring recommendations.
- Set Improvement goals and quality gates for teams to work towards while monitoring the progress.
- Support retrospectives by identifying areas for improvement.
- Benchmark performance against personalized trends.
- Understand the social side of the code, measure socio-technical factors like key personnel dependencies, knowledge sharing and inter-team coordination.
- Put findings into context based on how your organization and your code evolves.

Supporting 28+ programming languages, CodeScene offers an automated integration with GitHub, BitBucket, Azure DevOps or GitLab pull requests to incorporate the analysis results into existing delivery workflows. Get early warnings and recommendations about complex code before merging it to the main branch, set quality gates to trigger in case your code health declines.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 39

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.6/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.1/10 (Category avg: 8.7/10)
- **What is your organization&#39;s estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [CodeScene AB](https://www.g2.com/sellers/codescene-ab)
- **Company Website:** https://www.codescene.com
- **Year Founded:** 2015
- **HQ Location:** Malmö, SE
- **Twitter:** @codescene (1,228 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/codescene/ (33 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 41% Mid-Market, 36% Small-Business


#### Pros & Cons

**Pros:**

- Features (8 reviews)
- Issue Identification (7 reviews)
- Code Quality (6 reviews)
- Customer Support (5 reviews)
- Improvement (5 reviews)

**Cons:**

- Integration Issues (4 reviews)
- Difficult Learning (3 reviews)
- Difficulty for Beginners (3 reviews)
- Learning Difficulty (3 reviews)
- Difficult Configuration (2 reviews)

### 7. [OpenText Static Application Security Testing](https://www.g2.com/products/opentext-static-application-security-testing/reviews)
  OpenText™ Static Application Security Testing (SAST) is a comprehensive solution designed to identify and remediate security vulnerabilities within an application's source code during the early stages of development. By analyzing code from the "inside out," SAST provides immediate feedback to developers, enabling them to address security issues promptly and effectively.

Key Features and Functionality:

- Extensive Language Support: Supports over 33 programming languages and more than 1,400 vulnerability categories, ensuring broad applicability across various development environments.
- Integration with Development Tools: Seamlessly integrates with popular Integrated Development Environments (IDEs) such as Eclipse, Visual Studio, and JetBrains, as well as Continuous Integration/Continuous Deployment (CI/CD) tools like Jenkins and Bamboo, facilitating a smooth incorporation into existing workflows.
- Scalable Deployment Options: Offers flexible deployment models, including on-premises, cloud-based, and Software as a Service (SaaS) solutions, allowing organizations to choose the setup that best fits their needs.
- Advanced Analysis Capabilities: Utilizes multiple algorithms and an expansive knowledge base of secure coding rules to perform thorough code analysis, pinpointing the root causes of vulnerabilities and providing detailed remediation guidance.

Primary Value and Problem Solved: OpenText SAST empowers organizations to proactively manage application security by detecting and addressing vulnerabilities early in the Software Development Life Cycle (SDLC). This proactive approach reduces the risk of security breaches, minimizes the cost and effort associated with late-stage remediation, and enhances the overall security posture of applications. By integrating security testing into the development process, OpenText SAST helps developers create more secure code, leading to robust and reliable software products.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 21

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.5/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.1/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.7/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [OpenText](https://www.g2.com/sellers/opentext)
- **Year Founded:** 1991
- **HQ Location:** Waterloo, ON
- **Twitter:** @OpenText (21,588 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2709/ (23,339 employees on LinkedIn®)
- **Ownership:** NASDAQ:OTEX

**Reviewer Demographics:**
  - **Top Industries:** Banking, Financial Services
  - **Company Size:** 50% Enterprise, 29% Small-Business


#### Pros & Cons

**Pros:**

- Easy Integrations (1 review)
- Integrations (1 review)
- Integration Support (1 review)

**Cons:**

- False Positives (1 review)

### 8. [Kiuwan Code Security & Insights](https://www.g2.com/products/kiuwan-code-security-insights/reviews)
  Fast, Flexible Code Security! Kiuwan is a robust, end-to-end application security platform that integrates seamlessly into your development process. Our toolset includes Static Application Security Testing (SAST), Software Composition Analysis (SCA), Software Governance and Code Quality, empowering your team to quickly identify and remediate vulnerabilities. By integrating seamlessly into your CI/CD pipeline, Kiuwan enables early detection and remediation of security issues. Kiuwan supports strict compliance with industry standards including OWASP, CWE, MISRA, NIST, PCI DSS, and CERT, among others.

Top features:

- ✅ Extensive language support: Over 30 programming languages.
- ✅ Detailed action plans: Prioritize remediation with tailored action plans.
- ✅ Code Security: Seamless Static Application Security Testing (SAST) integration.
- ✅ Insights: On-demand or continuous scanning Software Composition Analysis (SCA) to help reduce third-party threats.
- ✅ One-click Software Bill of Materials (SBOM) generation.

Kiuwan is now part of Sembi, a global portfolio of market-leading software brands focused on software quality, security, and developer productivity. Code Smarter. Secure Faster. Ship Sooner.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.9/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.7/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.5/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Kiuwan](https://www.g2.com/sellers/kiuwan)
- **Year Founded:** 2012
- **HQ Location:** Houston, TX
- **Twitter:** @Kiuwan (3,355 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/981904/ (26 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Banking
  - **Company Size:** 41% Enterprise, 35% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy (2 reviews)
- Accuracy of Findings (2 reviews)
- Customer Support (2 reviews)
- Ease of Use (2 reviews)
- Automation Testing (1 review)


### 9. [Cyclopt Companion](https://www.g2.com/products/cyclopt-companion/reviews)
  Cyclopt Companion is a sophisticated software solution designed to assist developers in writing better, more secure, and maintainable code. Whether you are a junior developer, a seasoned freelancer, a full-stack engineer, or a QA lead, Cyclopt Companion provides the tools necessary to validate every line of code before deployment. This product aims to reduce technical debt and enhance the overall quality of software development, ensuring that users can deliver reliable applications with confidence. The Cyclopt Companion stands out in the realm of code quality evaluation by employing the ISO 25010:2023 methodology. This framework allows for a comprehensive assessment of maintainability, security, and code quality. By analyzing critical factors such as complexity, coupling, cohesion, and documentation, Cyclopt Companion offers a data-driven approach to identifying potential vulnerabilities and coding violations. This is particularly valuable in an era where AI tools can generate code rapidly, but may inadvertently introduce risks and technical debt. One of the key features of Cyclopt Companion is its ability to provide instant insights into your codebase. Upon each commit, users receive an updated status report that highlights significant issues, including coding violations, vulnerabilities, code duplication, and maintainability concerns. This proactive approach enables developers to address problems early in the development cycle, ultimately leading to higher quality code and a more efficient workflow. Additionally, Cyclopt Profile allows developers to showcase their skills and track their growth across eight distinct categories. By performing a deep analysis of individual developer characteristics, users can create and share a personalized profile page that highlights their unique software development capabilities. As developers progress and improve their skills, they can earn badges, providing a tangible representation of their achievements. 
Cyclopt Companion is designed to integrate seamlessly with existing development tools, ensuring that teams can continue their workflows without disruption. It supports popular platforms such as GitHub, GitLab, Bitbucket, and Azure DevOps, as well as communication tools like Slack, Teams, and Discord. This flexibility makes it an ideal choice for engineering teams, DevOps professionals, and software leaders who prioritize reliability, transparency, and continuous improvement in their codebases. By streamlining development processes and enhancing code quality, Cyclopt Companion empowers users to ship secure software faster.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 13

**User Satisfaction Scores:**

- **Ease of Use:** 8.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Cyclopt](https://www.g2.com/sellers/cyclopt)
- **Company Website:** https://www.cyclopt.com/
- **Year Founded:** 2017
- **HQ Location:** Pylaia, GR
- **LinkedIn® Page:** https://www.linkedin.com/company/cyclopt (11 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 100% Small-Business


#### Pros & Cons

**Pros:**

- Features (4 reviews)
- Security (4 reviews)
- Code Quality (3 reviews)
- Issue Identification (3 reviews)
- Alert Notifications (2 reviews)

**Cons:**

- Difficult Learning (3 reviews)
- Learning Difficulty (2 reviews)
- Difficult Navigation (1 review)
- Difficulty for Beginners (1 review)
- Metrics Issues (1 review)

### 10. [ZeroPath](https://www.g2.com/products/zeropath/reviews)
  ZeroPath (YC S24) is the first AI-native application security platform that fundamentally reimagines how organizations find and fix vulnerabilities. Unlike deterministic SAST tools that bolt AI onto legacy rule engines, ZeroPath was built from the ground up to combine large language models with advanced program analysis (AST, data flow, taint tracking) by Ex-Tesla Red Team and Google Security engineers. ZeroPath's core differentiation is detecting critical vulnerabilities that pattern-matching SAST fundamentally cannot find. It catches IDORs, authorization bypasses, race conditions, and authentication bugs by reasoning about application behavior and developer intent. This capability achieved a 92% alert reduction when triaging findings from legacy tools. ZeroPath is best suited for enterprises and startups that want a complete appsec experience with: AI-powered SAST across 16+ languages, SCA with exploitability analysis (90% noise reduction by determining if dependency CVEs are actually reachable in your code), secrets detection with validation, IaC scanning for Terraform/CloudFormation/Kubernetes, and natural language security policies. Context-aware autopatch generation fixes 70% of vulnerabilities automatically with framework-specific patches that match your coding standards. To keep the developer experience seamless, ZeroPath integrates into existing workflows with zero configuration. It provides Sub-60-second PR scans on GitHub, GitLab, Bitbucket, and Azure DevOps to provide instant security feedback without blocking development. Developers receive clear explanations, one-click fixes, and can refine patches using natural language commands directly in PR comments. The platform automatically attributes vulnerabilities to responsible developers and syncs bidirectionally with Jira, Linear, and more. Overall, less noise, along with the breadth of integrations, has already made security teams faster in triaging and finding real vulnerabilities.
Having been security engineers ourselves, we also understand how important visibility is for the evaluations. ZeroPath users get executive dashboards with real-time MTTR tracking, automated compliance reporting for SOC2 and ISO27001, and risk-based prioritization using CVSS 4.0 scoring. The platform provides complete visibility across organizational repositories, including security models, authentication patterns, and filtering logic, without manual configuration. Our research team dogfeeds our own technology and has discovered CVE-2025-61928 (critical account takeover in better-auth with 300k+ weekly downloads), identified 170+ verified bugs in curl, found 7 vulnerabilities in django-allauth enabling account impersonation, and discovered 0-days in production systems at Netflix, Hulu, and Salesforce. Currently trusted by 750+ companies running 200k+ scans monthly, ZeroPath delivers what security-conscious engineering teams need: more real vulnerabilities, dramatically less noise, and automated fixes that actually work.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 11

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 10.0/10 (Category avg: 8.7/10)
- **Ease of Admin:** 9.4/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.5/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 0/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [ZeroPath](https://www.g2.com/sellers/zeropath)
- **Company Website:** https://zeropath.com
- **Year Founded:** 2024
- **HQ Location:** San Francisco, US
- **LinkedIn® Page:** https://www.linkedin.com/company/zeropathai/ (9 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 36% Small-Business, 27% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy (6 reviews)
- Accuracy of Findings (6 reviews)
- Security (6 reviews)
- Vulnerability Detection (5 reviews)
- Vulnerability Identification (4 reviews)

**Cons:**

- Bug Issues (2 reviews)
- Bugs (2 reviews)
- Software Bugs (2 reviews)
- Cost Issues (1 reviews)
- Dashboard Issues (1 reviews)

### 11. [CAST Imaging](https://www.g2.com/products/cast-imaging/reviews)
  CAST Imaging helps software architects and AI agents understand, change, and modernize applications. It automatically reverse-engineers all database structures, code components, and interdependencies in any custom-built application. It provides interactive and accurate architecture blueprints, zoomable to the tiniest details, as well as data call graphs and end-to-end transaction views. All of this is delivered in a lightweight web UI, with the ability for teams to collaborate by adding their own knowledge and sharing insights. A built-in MCP server streams this precise application architectural context to AI agents, which can then generate consistent, accurate, and safe code changes. Businesses move faster using CAST technology to understand, improve, and transform their software. Through semantic analysis of source code, CAST produces 3D maps and dashboards to navigate inside individual applications and across entire portfolios. This intelligence empowers executives and technology leaders to steer, speed, and report on initiatives such as technical debt, GenAI, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 34

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.4/10 (Category avg: 8.7/10)
- **Ease of Admin:** 7.5/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.1/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Company Website:** https://www.castsoftware.com
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,893 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,259 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Financial Services
  - **Company Size:** 53% Enterprise, 29% Small-Business


### 12. [Checkmarx](https://www.g2.com/products/checkmarx/reviews)
  Checkmarx is the leader in application security for the AI era, delivering enterprise-grade protection that lowers engineering costs and accelerates development velocity. As AI accelerates software creation beyond human speed and scale, Checkmarx ensures security keeps pace, embedding intelligent, autonomous protection directly into how applications are built. The Checkmarx One platform scans trillions of lines of code each year across every industry, cutting vulnerability density by more than half based on aggregated customer data. Its unified architecture spans code, open-source dependencies, AI assets, and runtime environments, providing full visibility and governance across the entire software and AI supply chain. Autonomous security agents detect and counter AI-driven threats across the SDLC, delivering prevention-first protection for legacy, modern, and AI-generated code at enterprise scale. Key capabilities include AI SAST, DAST for AI, AI Supply Chain Security, Software Composition Analysis (SCA), and Application Security Posture Management (ASPM). The Checkmarx Assist family - Developer Assist, Triage Assist, and Remediation Assist - embeds security intelligence across the development lifecycle, prioritizes real-world risk, and generates review-ready fixes before vulnerabilities reach production. Checkmarx shifts application security from reactive review to continuous, intelligent governance, helping enterprises close the risk gap without slowing innovation, whether securing legacy systems, cloud-native environments, or AI-powered applications.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 32

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 7.9/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.2/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Checkmarx](https://www.g2.com/sellers/checkmarx)
- **Company Website:** https://www.checkmarx.com
- **Year Founded:** 2006
- **HQ Location:** Paramus, NJ
- **Twitter:** @Checkmarx (7,263 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/checkmarx (997 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 58% Enterprise, 25% Mid-Market


#### Pros & Cons

**Pros:**

- Implementation Ease (2 reviews)
- User Interface (2 reviews)
- Accuracy of Results (1 reviews)
- Automation Testing (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- False Positives (1 reviews)
- Lacking Features (1 reviews)
- Missing Features (1 reviews)
- Poor Navigation (1 reviews)

### 13. [ReSharper C++](https://www.g2.com/products/resharper-c/reviews)
  ReSharper C++ is a productivity extension for developing in C and C++ that fully integrates with Microsoft Visual Studio. It helps developers create efficient and correct code in modern C++ by providing safe refactorings, fast navigation, and code analysis for the trickiest aspects of the language. It also offers support for HLSL shaders, the C++/CLI specifications, and Unreal Engine code.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 19

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 7.5/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.6/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 3.3/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [JetBrains](https://www.g2.com/sellers/jetbrains)
- **Year Founded:** 2000
- **HQ Location:** Prague
- **Twitter:** @jetbrains (211,202 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/12515/ (2,731 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 53% Small-Business, 37% Enterprise


### 14. [Codacy](https://www.g2.com/products/codacy/reviews)
  Codacy is the only DevSecOps platform that delivers plug-and-play code health and security scanning for AI and human generated code. Future-proof your software – from source code to runtime – without extra servers or build steps. Deploy within minutes and stay ahead of emerging risks today.

**BUILT FOR HUMANS, READY FOR AI.** Seamless Git and IDE integrations make Codacy a daily coach your devs can trust, not just another browser tab. AI-generated code is no exception – leaving up to 50% of your codebase exposed to a new wave of zero-days. Empower your devs to use Copilot and Cursor with confidence, not concern.

**CODE HEALTH & SECURITY FOR ANY STACK.** While healthy coding standards make your apps and infra run smoothly, Codacy equips your devs with the largest AppSec suite on the market – SAST, hardcoded secrets, dependency checks, SBOM, license scanning, DAST, and pentesting – safeguarding your business every step of the way.

**PIPELINE-LESS CODE AND RUNTIME SCANS.** Codacy scans run entirely in the cloud, eliminating the need for servers or build steps. A simple one-click webhook integration gets every commit and Pull Request scanned on the fly, across 49 languages and frameworks – ready for codebases of any size and flavor, and SOC 2 Type 2 certified.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 28

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.9/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.2/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Codacy](https://www.g2.com/sellers/codacy)
- **Year Founded:** 2012
- **HQ Location:** Lisbon, Lisboa
- **Twitter:** @codacy (5,027 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/3310124/ (72 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 61% Small-Business, 21% Mid-Market


#### Pros & Cons

**Pros:**

- Security (2 reviews)
- Automation (1 reviews)
- Automation Testing (1 reviews)
- Code Quality (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Expensive (1 reviews)

### 15. [Closure Compiler](https://www.g2.com/products/closure-compiler/reviews)
  The Closure Compiler is a tool for making JavaScript download and run faster. Instead of compiling from a source language to machine code, it compiles from JavaScript to better JavaScript.


  **Average Rating:** 3.9/5.0
  **Total Reviews:** 13

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 10.0/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.2/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Google](https://www.g2.com/sellers/google)
- **Year Founded:** 1998
- **HQ Location:** Mountain View, CA
- **Twitter:** @google (31,885,216 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1441/ (336,169 employees on LinkedIn®)
- **Ownership:** NASDAQ:GOOG

**Reviewer Demographics:**
  - **Company Size:** 46% Small-Business, 38% Mid-Market


### 16. [ReSharper](https://www.g2.com/products/resharper/reviews)
  ReSharper is a renowned productivity tool that turns Microsoft Visual Studio into a much better IDE. Both individual .NET developers and teams rely on ReSharper to write and maintain code in a more manageable and enjoyable way, adopt the best coding practices, and deliver higher quality applications faster.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 83

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.5/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.1/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.8/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [JetBrains](https://www.g2.com/sellers/jetbrains)
- **Year Founded:** 2000
- **HQ Location:** Prague
- **Twitter:** @jetbrains (211,202 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/12515/ (2,731 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Software Developer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 38% Mid-Market, 38% Small-Business


### 17. [Coverity](https://www.g2.com/products/coverity/reviews)
  Coverity® is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 55

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.1/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.2/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.4/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Synopsys](https://www.g2.com/sellers/synopsys-53e76f66-bf39-4c28-b0f2-97178ec8ddfd)
- **Year Founded:** 1986
- **HQ Location:** Mountain View, CA
- **Twitter:** @synopsys (24,249 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2457/ (28,121 employees on LinkedIn®)
- **Ownership:** NASDAQ:SNPS

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 65% Enterprise, 27% Mid-Market


### 18. [OpsPilot](https://www.g2.com/products/opspilot/reviews)
  OpsPilot is an AI-powered observability and operational intelligence platform that helps engineering and operations teams move from reactive monitoring to proactive, autonomous operations. Modern production systems — microservices, distributed architectures, cloud and hybrid environments — generate enormous volumes of telemetry. Traditional monitoring tools surface that data, but still leave engineers responsible for interpreting signals, identifying root causes, and deciding what to do. OpsPilot closes that gap. It continuously analyzes telemetry across your applications, infrastructure, and services, then tells your team what is happening, why it is happening, and what to do about it.

**From monitoring to operational intelligence.** OpsPilot goes beyond dashboards and alerts. It correlates signals across metrics, logs, traces, and deployment events to identify abnormal behaviour, explain root causes, and guide teams toward faster resolution — dramatically reducing the time spent on incident investigation and operational troubleshooting.

**AI SRE teammate.** OpsPilot is designed to act as an AI SRE teammate — augmenting your operations team by answering the questions engineers face during incidents: What changed? Where is the failure occurring? Which service is responsible? What should we investigate next?

**Three core capabilities:**

- Observability — collects and correlates telemetry across metrics, logs, traces, JVM data, and application-level diagnostics for a complete picture of system behaviour.
- Operational Intelligence — applies AI-driven analysis to surface what changed, what is causing the issue, which components are involved, and what actions may resolve it.
- Action and Automation — supports guided incident response, runbook generation, automated remediation, and continuous operational learning.

**OpenTelemetry-native.** OpsPilot ingests telemetry via OTLP over gRPC or HTTP — no proprietary agent required. It works with your existing OpenTelemetry instrumentation across Kubernetes, microservices, cloud services, and serverless platforms. Prometheus-compatible metrics, Loki log ingestion, and Jaeger/Zipkin trace formats are also supported. For teams needing deep JVM or ColdFusion diagnostics, the optional FusionReactor APM agent provides additional application-level telemetry.

**Built for DevOps, SRE, and platform engineering teams.** OpsPilot is designed for organizations running modern production systems that require high reliability and operational efficiency — particularly teams moving toward SRE or platform engineering models who need deeper operational insight without increasing headcount. Deployed as SaaS, hybrid, or agentless via OpenTelemetry.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 174

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.5/10 (Category avg: 8.7/10)
- **Ease of Admin:** 9.0/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.8/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Intergral](https://www.g2.com/sellers/intergral)
- **Company Website:** https://www.fusion-reactor.com/
- **Year Founded:** 1998
- **HQ Location:** Boeblingen, DE
- **Twitter:** @Fusion_Reactor (9,373 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/showcase/fusionreactor/ (1 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Developer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 61% Small-Business, 29% Mid-Market


#### Pros & Cons

**Pros:**

- Monitoring (25 reviews)
- Real-time Monitoring (23 reviews)
- Ease of Use (17 reviews)
- Performance (15 reviews)
- Troubleshooting (15 reviews)

**Cons:**

- Learning Curve (8 reviews)
- Expensive (6 reviews)
- Learning Difficulty (5 reviews)
- UX Improvement (5 reviews)
- Data Limitations (4 reviews)

### 19. [Babel](https://www.g2.com/products/babel/reviews)
  Babel is a JavaScript compiler. It helps shape the future of the JavaScript language itself.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 20

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.0/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.8/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 3.3/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [BABEL](https://www.g2.com/sellers/babel)
- **Year Founded:** 2012
- **HQ Location:** Paris, FR
- **LinkedIn® Page:** https://www.linkedin.com/company/3222552/ (122 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 48% Mid-Market, 43% Small-Business


### 20. [Mend.io](https://www.g2.com/products/mend-io/reviews)
  Mend.io is the leading application security solution, helping organizations reduce application risk efficiently. Built for modern, AI-driven, and traditional development environments alike, Mend.io prioritizes what matters most, so teams fix less, reduce risk faster, and deliver software with confidence.


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 105

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.2/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.3/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,311 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (263 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 38% Small-Business, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)

### 21. [OpenText Core Application Security](https://www.g2.com/products/opentext-core-application-security/reviews)
  Fortify on Demand (FoD) is a complete Application Security as a Service solution. It offers an easy way to get started with the flexibility to scale. In addition to static and dynamic testing, Fortify on Demand covers in-depth mobile app security testing, open-source analysis, and vendor application security management. False positives are removed for every test, and test results can be manually reviewed by application security experts.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 34

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.0/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.9/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.2/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [OpenText](https://www.g2.com/sellers/opentext)
- **Year Founded:** 1991
- **HQ Location:** Waterloo, ON
- **Twitter:** @OpenText (21,588 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2709/ (23,339 employees on LinkedIn®)
- **Ownership:** NASDAQ:OTEX

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 41% Enterprise, 32% Small-Business


### 22. [Semmle](https://www.g2.com/products/semmle/reviews)
  Semmle makes the management of software development easier than ever before. By giving you complete visibility (for every project, location, team, developer, timeframe and cost), Semmle is engineering intelligence at its most advanced.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 75

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.3/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.8/10 (Category avg: 8.5/10)
- **Ease of Use:** 8.6/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Semmle](https://www.g2.com/sellers/semmle)
- **Year Founded:** 2006
- **HQ Location:** San Francisco, California
- **Twitter:** @SemmleInc (1 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/458015/ (2 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 54% Small-Business, 36% Mid-Market


### 23. [Klocwork](https://www.g2.com/products/klocwork/reviews)
  Perforce Klocwork is an enterprise grade SAST solution for C, C++, C#, Rust (support coming March 2026), Java, JavaScript, Python, and Kotlin. It helps development teams detect security vulnerabilities, quality issues, and reliability defects early, while supporting compliance with industry and regulatory standards. Klocwork is purpose built to analyze very large, complex codebases and scales to hundreds of millions of lines of code, well beyond the practical limits of many traditional SAST tools. This makes it especially suited for organizations developing long lived, safety critical, or security critical systems. Designed for DevOps and DevSecOps, Klocwork integrates with complex build systems, CI/CD pipelines, cloud and containerized environments, and common developer tools—enabling consistent security and quality enforcement without slowing development.

**Static Application Security Testing (SAST).** Klocwork identifies a wide range of security vulnerabilities, including SQL injection, tainted data flows, buffer overflows, and other insecure coding practices. It also detects bugs and quality issues such as null pointer dereferences, memory and resource leaks, uncaught exceptions, and code smells. The solution supports compliance with internationally recognized standards including CWE, OWASP, CERT, PCI DSS, DISA STIG, and ISO/IEC TS 17961. Automated CI/CD integrations make continuous security testing practical even for very large systems.

**AI Assisted Code Remediation with MCP.** Klocwork extends static analysis with AI assisted code remediation, designed to help developers resolve findings faster and with greater confidence. Using MCP based capabilities, Klocwork securely exposes rich static analysis context—defect data, rule knowledge, and precise fix guidance—to supported AI code assist tools directly within the IDE. Rather than relying on generic AI suggestions, Klocwork’s remediation feature combines deep static analysis insights with comprehensive documentation and exact fix instructions, enabling AI assistants to propose accurate, context aware corrections for security vulnerabilities, quality defects, and coding standard violations. Fixes are presented as clear diffs and require developer review and approval, making the approach suitable for safety and security critical environments. By integrating remediation into the developer workflow, Klocwork reduces time spent interpreting analysis results, researching fixes, and switching between tools. Developers stay in their IDE, receive guided remediation aligned with secure coding standards and project specific rules, and can immediately re-analyze code to validate fixes. This completes the optimal shift left approach—helping teams not only find issues early, but fix them efficiently and consistently.

**Project Streams and Enterprise Scalability.** Klocwork’s Project Streams feature simplifies managing shared codebases with multiple variants or branches. A single rule configuration can be applied across streams, issues common to multiple variants stay synchronized, and stream specific findings are clearly identified for reporting and compliance.

**Developer Focused and Centralized.** Klocwork integrates directly into popular IDEs to deliver fast, contextual feedback as developers write code. Out of the box compiler support eliminates manual setup, while centralized dashboards provide visibility into trends, risk, and compliance across projects of any size.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 22

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.1/10 (Category avg: 8.7/10)
- **Ease of Admin:** 7.3/10 (Category avg: 8.5/10)
- **Ease of Use:** 7.9/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [Perforce](https://www.g2.com/sellers/perforce)
- **Year Founded:** 1995
- **HQ Location:** Minneapolis, MN
- **Twitter:** @perforce (5,092 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/perforce/ (2,032 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 48% Mid-Market, 35% Small-Business


### 24. [Veracode Application Security Platform](https://www.g2.com/products/veracode-application-security-platform/reviews)
  Veracode helps companies that innovate through software deliver secure code on time. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, empowers developers to fix security defects, and scales your program through best practices to achieve your desired outcomes. Veracode covers all your AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe and mobile apps.


  **Average Rating:** 3.8/5.0
  **Total Reviews:** 24

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 7.9/10 (Category avg: 8.7/10)
- **Ease of Admin:** 7.4/10 (Category avg: 8.5/10)
- **Ease of Use:** 7.3/10 (Category avg: 8.7/10)
- **What is your organization's estimated ROI on the product (payback period in months)?:** 10/10 (Category avg: 10/10)


**Seller Details:**

- **Seller:** [VERACODE](https://www.g2.com/sellers/veracode)
- **Year Founded:** 2006
- **HQ Location:** Burlington, MA
- **Twitter:** @Veracode (21,994 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/27845/ (515 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 72% Enterprise, 28% Mid-Market


#### Pros & Cons

**Pros:**

- Security (2 reviews)
- Vulnerability Detection (2 reviews)
- Accuracy of Results (1 reviews)
- Automated Scanning (1 reviews)
- Code Quality (1 reviews)

**Cons:**

- Expensive (1 reviews)
- Licensing Issues (1 reviews)
- Pricing Issues (1 reviews)

### 25. [Parasoft Jtest](https://www.g2.com/products/parasoft-jtest/reviews)
  Parasoft Jtest is an integrated Java testing tool for Application Software Development. Develop high-quality code within an Agile workflow. Jtest’s comprehensive set of Java testing tools ensures high code coverage through every stage of software development. Parasoft Jtest integrates tightly into your development ecosystem and CI/CD pipeline for real-time, intelligent feedback on your testing and compliance progress. Jtest highlights code coverage and code quality, leverages AI for JUnit test creation, and identifies security and reliability issues so stakeholders can understand the quality of the deliverables and make informed decisions about risk of release.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 13

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 8.7/10)
- **Ease of Admin:** 8.8/10 (Category avg: 8.5/10)
- **Ease of Use:** 9.1/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Parasoft](https://www.g2.com/sellers/parasoft)
- **Year Founded:** 1987
- **HQ Location:** Monrovia, CA
- **Twitter:** @Parasoft (2,598 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/parasoft/ (303 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software
  - **Company Size:** 38% Enterprise, 31% Mid-Market




## Parent Category

[DevSecOps Software](https://www.g2.com/categories/devsecops)



## Related Categories

- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Secure Code Review Software](https://www.g2.com/categories/secure-code-review)



---

## Buyer Guide

### What You Should Know About Static Code Analysis Software

### What is Static Code Analysis Software?

Static code analysis is a debugging and quality assurance method that inspects a computer program’s code without executing the program. Static code analysis software scans code to identify security vulnerabilities, catch bugs, and ensure the code adheres to industry standards. These tools help software developers automate the core aspects of program comprehension. Rather than manually combing through lines of code with visual inspection alone, developers and programmers can rely on static code analysis software’s automatic scans and alerts to gain deeper insight into their code. This automation decreases software developers’ overall workload and frees up resources by streamlining the debugging and quality assurance process.

Static code analysis software serves as an automated standardization check in many different development environments. A common concern among development teams is code readability: if developer A writes a chunk of code which is passed to developer B, that code must be comprehensible and easy to digest. By constantly checking code against the industry standard or even custom best practices, static code analysis software helps software developers keep their code consistent to improve team collaboration.

Ideally, static code analysis software does more than save developers time; it greatly enhances the quality of their debugging processes. Manual code inspection is both time-consuming and subject to human error. Oftentimes, developers don’t find bugs until they manifest themselves post-deployment. Static code analysis software helps find and alert developers to the existence of bugs months before they can manifest in a deployed application. Static code analysis software ensures cleaner, higher-quality releases by minimizing bugs and errors, enhancing cybersecurity, and promoting coding best practices.

**Key Benefits of Static Code Analysis Software**

- Fewer undetected bugs upon deployment
- Save software developers time and resources
- Minimize human error
- Facilitate best industry or custom practices
- Promote DevOps security by ensuring more secure applications
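To make the definition concrete, here is a small static analyzer added for illustration (it is not part of this guide and not any vendor's product). It parses Python source with the standard-library `ast` module, never executes it, and reports each finding with a line number and a fix recommendation, which is the scan-alert-recommend workflow described above; the sample input and the three rules are constructed for the example.

```python
import ast
from dataclasses import dataclass

@dataclass
class Finding:
    line: int
    rule: str
    recommendation: str

# Constructed sample input: deliberately risky code for the analyzer to inspect.
SAMPLE_SOURCE = '''
import subprocess
API_PASSWORD = "hunter2"
def run(cmd):
    subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

DANGEROUS_CALLS = {"eval": "Use ast.literal_eval or a real parser instead of eval().",
                   "exec": "Do not execute dynamically built code."}
SECRET_HINTS = ("password", "secret", "token", "api_key")

class Analyzer(ast.NodeVisitor):
    # Walks the syntax tree and records findings; the analyzed code never runs.
    def __init__(self):
        self.findings = []
    def visit_Call(self, node):
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            self.findings.append(Finding(node.lineno, "dangerous-call",
                                         DANGEROUS_CALLS[node.func.id]))
        # shell=True hands the command string to a shell for interpretation.
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.findings.append(Finding(node.lineno, "shell-true",
                                             "Pass an argument list and drop shell=True."))
        self.generic_visit(node)
    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking name is a hardcoded credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and any(h in t.id.lower() for h in SECRET_HINTS):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 "Load secrets from the environment or a vault."))
        self.generic_visit(node)

def analyze(source: str) -> list:
    # Parse the source and return findings sorted by line; nothing is executed.
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings, key=lambda f: f.line)
```

Running `analyze(SAMPLE_SOURCE)` reports the hardcoded credential on line 3, the `shell=True` call on line 5 and the `eval()` call on line 7, each with its recommendation.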

### Why Use Static Code Analysis Software?

**Reduced workload —** Since static code analysis software runs automated scans, developers are free to spend more time working on new code and less time combing through existing code. Static code analysis automatically hunts down and alerts users to bad code. This means that software developers don’t have to spend time and resources manually combing through lines and lines of code.

**Thorough debugging —** Software developers are all too familiar with bugs that don’t make themselves known until months, or even years, after an application’s release. Often, finding bugs via manual code inspection relies on running the code and hoping an error reveals itself during quality assurance testing. However, with static code analysis software, developers can find and resolve bugs that would otherwise have stayed hidden in the code, allowing for cleaner deployments and fewer issues down the line.

**Standardized best practices —** Beyond debugging, static code analysis software checks code against industry standard benchmarks for best practices. This standardized regulation keeps teams on the same page by ensuring that everyone’s code is clear and optimized. Additionally, some software allows users to customize best practices to fit the specifications of their company or department.

**Better security —** Static code analysis software is often capable of finding security vulnerabilities in code and alerting developers to them. Developers can prioritize cybersecurity thanks to static code analysis.

### What are the Common Features of Static Code Analysis Software?

**Integrated development environment (IDE) integration —** Most static code analysis software integrates with developers’ IDEs to provide a seamless solution within a pre-existing development environment. This integration means developers can continuously scan their code without interrupting their workflow.

**Timely alerts —** Because static code analysis software can scan code for bugs and vulnerabilities in a matter of seconds, developers receive timely alerts that help them enhance work efficiency. These timely alerts also help users react appropriately to bugs early on, saving them time and stress later.

**Recommendations —** Beyond alerting developers to code issues, static code analysis software generates actionable recommendations based on the different errors or vulnerabilities that are detected. These suggestions give developers a starting point to resolve various problems, which saves time and mental energy.

Static Code Analysis Tools for Programming Languages and Features: [C#](https://www.g2.com/categories/static-code-analysis/f/c), [C/C++](https://www.g2.com/categories/static-code-analysis/f/c-c), [Java](https://www.g2.com/categories/static-code-analysis/f/java), [.NET](https://www.g2.com/categories/static-code-analysis/f/net), [PHP](https://www.g2.com/categories/static-code-analysis/f/php), [Python](https://www.g2.com/categories/static-code-analysis/f/python), [Ruby](https://www.g2.com/categories/static-code-analysis/f/ruby), [Salesforce](https://www.g2.com/categories/static-code-analysis/f/salesforce)

### Trends Related to Static Code Analysis Software

**DevOps —** DevOps refers to the marriage of development and IT operations management to make unified software development pipelines. Teams have implemented DevOps best practices to build, test, and release software. Static code analysis software’s seamless integration with IDEs means it fits right in with any DevOps cycle.

**Cybersecurity —** Calls for standardized cybersecurity best practices as part of DevOps philosophy, often referred to as DevSecOps, have shifted the onus of responsibility for secure applications onto developers. Static code analysis software’s vulnerability detection functionality plays a necessary role in establishing secure DevOps practices.

### Software and Services Related to Static Code Analysis Software

[**Vulnerability scanner software**](https://www.g2.com/categories/vulnerability-scanner) **—** Vulnerability scanners constantly monitor applications and networks to identify security vulnerabilities. While static code analysis software often has the functionality to find vulnerabilities at the code level, vulnerability scanners are usually more robust. These tools scan full applications and networks and then test them against known vulnerabilities. All of these functions help enhance cybersecurity.

[**Dynamic application security testing (DAST) software**](https://www.g2.com/categories/dynamic-application-security-testing-dast) **—** Dynamic application security testing (DAST) tools automate security tests for a variety of real-world threats. These tools run applications against simulated attacks and other cybersecurity scenarios using black-box testing, or testing performed outside of an application, as opposed to in-app solutions like static code analysis.

[**Software composition analysis (SCA) software**](https://www.g2.com/categories/software-composition-analysis) **—** Software composition analysis (SCA) software enables users to manage open-source and third-party components of their applications. SCA software scans an application’s components to verify licensing and compliance, assess vulnerabilities, and check for version updates. These tools serve as an essential component for any secure DevOps repertoire in addition to static code analysis software and other cybersecurity solutions.




