SAST Tools

Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Semgrep is a great and lightweight open-source code scanner. It works in more than 20 languages with +1500 community rules.

Fortify SAST supports 27+ major languages and their frameworks and comes with flexible deployment options. It is available on-premises, as a service, or in hybrid mode to fit your business needs.

Bandit is the most popular open-source source code analysis tool for Python. It processes each file and build an AST from it and run appropriate plugins against these AST nodes.

GitGuardian is an excellent "Secret Detection" solution that comes free for small teams of up to 25 developers. You can integrate your source code (Bitbucket, GitHub, GitHub Enterprise, GitLab) and monitor for API keys, OAuth tokens, certificates, PEM files, passwords, passphrases and API keys with GitGuardian

Klocwork is the popular SAST tool for C, C++, C#, Java, JavaScript, and Python. It has support for command-line interfaces, and a REST API to generate defect data in XML, JSON, and PDF formats.

SonarQube is an open-source solution with an Enterprise edition option. The community edition (open-source) has support for 17 languages and it gets more starting with the Developer edition.

Checkmarx offers a comprehensive software security platform that unifies with DevOps and provides static and interactive application security testing, Source Code Analysis and developer AppSec training to reduce and remediate risk from software vulnerabilities.

Veracode is a modular, cloud-based solution for application security, combining five different types of security analysis in a single platform; dynamic analysis (DAST), interactive analysis (IAST), static analysis (SAST), software composition analysis (SCA), and penetration testing.