Static Code Analysis List

The following list of products and tools that provide static code analysis functionality.  Note that the tools on this list are not being endorsed by the Web Application Security Consortium - any tool that provides static code analysis functionality is listed here.  If you know of a tool that should be added to this list, please contact Sherif Koussa at sherif.koussa@gmail.com

 

Commercial Tools

• Checkmarx by Checkmarx

• CodeSecure by Armorize 

• CodeSonar by Gammatech

• CoveritySave by Coverity

• HP Fortify Source Code Analyzer by HP

• IBM Rational AppScan Source Edition by IBM

• Klocwork Insight by Klocwork 

• Development Testing Platform by Parasoft

• bugScout by buguroo

• ECLAIR by BUGSENG 

• ThreadSafe by Contemplate 

• smartTool  

 

Software-as-a-Service Providers

• Fortify on Demand by Fortify HP 
• Sentinel Source by Whitehat 
• Veracode  
• CXCloud by Checkmarx 
• reshift by Software Secured 

 

Free / Open Source Tools

• FindBugs
• FxCop
• Lint
• OWASP O2 Platform 
• PMD
• PreFast 
• RATS – Rough Auditing Tool for Security 
• Yasca 
• VisualCodeGrepper