sast
There are 235 repositories under the sast topic.
analysis-tools-dev/static-analysis
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
semgrep/semgrep
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
tenable/terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
ajinabraham/nodejsscan
nodejsscan is a static security code scanner for Node.js applications.
Bearer/bearer
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
ASTTeam/CodeQL
"Understanding CodeQL in Depth": Finding vulnerabilities with CodeQL.
ZupIT/horusec
Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
momosecurity/momo-code-sec-inspector-java
IDEA plugin for static code security auditing and one-click vulnerability fixes
tcosolutions/betterscan
Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan
ShiftLeftSecurity/sast-scan
Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and their dependencies. CI and Git friendly.
Cyber-Buddy/APKHunt
APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
BADBADBADBOY/pytorchOCR
A PyTorch-based OCR algorithm library, including psenet, pan, dbnet, sast, crnn
MobSF/mobsfscan
mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
insidersec/insider
Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, analyzing source code to find vulnerabilities right in the source code, and designed to be agile and easy to implement inside your DevOps pipeline. Supports the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).
ajinabraham/njsscan
njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
alipay/ant-application-security-testing-benchmark
The xAST evaluation benchmark makes security tools no longer a "black box".
BytecodeDL/ByteCodeDL
A declarative static analysis tool for JVM bytecode, based on Datalog, like CodeQL
ASTTeam/SAST
"Understanding SAST in Depth": Static Application Security Testing.
Chanzi-keji/chanzi
"chanzi" is a simple and user-friendly JAVA SAST tool that utilizes taint analysis technology, includes built-in common vulnerability rules, supports decompilation, custom rule creation, and is compatible with the technology stacks of Servlet & filter, Spring, Dubbo, Thrift, JAX-RS, JFinal, Netty, MyBatis, and JSP.
we45/ThreatPlaybook
A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
mercedes-benz/sechub
SecHub provides a central API to test software with different security tools.
Feysh-Group/corax-community
Corax for Java: A general static analysis framework for java code checking.
NodeSecure/js-x-ray
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
mpast/mobileAudit
Django application that performs SAST and Malware Analysis for Android APKs
Orange-Cyberdefense/grepmarx
A source code static analysis platform for AppSec enthusiasts.
chebuya/sastsweep
Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets
securitycipher/penetration-testing-roadmap
Complete Roadmap for Penetration Testing
latiotech/LAST
Use AI to Scan Your Code from the Command Line for security and code smells. Bring your own keys. Supports OpenAI and Gemini
AppThreat/sast-scan
Fully open-source SAST scanner supporting a range of languages and frameworks. Integrates with major CI pipelines and IDE such as Azure DevOps, Google CloudBuild, VS Code and Visual Studio. No server required!
fengupupup/RocB
鹏 RocB - IDEA plugin for Java code auditing (SAST)
rosehgal/DockerENT
The only open-source tool to analyze vulnerabilities and configuration issues with running docker container(s) and docker networks.
ajinabraham/libsast
Generic SAST Library
Night-Master/sdlc_golang
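sdlc is a security vulnerability demonstration platform built in Go, intended to promote DevSecOps and secure development lifecycle (SDLC) practices. It raises developers' security awareness by simulating common vulnerabilities. Beyond DevSecOps, it also gives security practitioners a hands-on environment for learning about vulnerabilities, penetration testing, and code auditing. The project uses a decoupled front-end/back-end design: the back end uses the lightweight Gin framework and the front end uses Vue 3.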
clj-holmes/clj-holmes
A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
Zigrin-Security/CakeFuzzer
Cake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives.
j3ssie/codeql-docker
Ready to use docker image for CodeQL