#Sast

Showing 60 of 70 repositories tagged #sast, ranked by stars

semgrep
semgrep
semgrep

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Score
100
★ 15.8k ⑂ 989 +41/day
OCaml
analysis-tools-dev
analysis-tools-dev
static-analysis

⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.

Score
100
★ 14.7k ⑂ 1.5k +10/day
Rust
lintsinghua
lintsinghua
DeepAudit

DeepAudit:人人拥有的 AI 黑客战队,让漏洞挖掘触手可及。国内首个开源的代码漏洞挖掘多智能体系统。小白一键部署运行,自主协作审计 + 自动化沙箱 PoC 验证。支持 Ollama 私有部署 ,一键生成报告。支持中转站。​让安全不再昂贵,让审计不再复杂。

Score
100
★ 6.6k ⑂ 814 +31/day
Python
tenable
tenable
terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Score
80
★ 5.2k ⑂ 555
Go
Bearer
Bearer
bearer

Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

Score
100
★ 2.7k ⑂ 141 +2/day
Go
ajinabraham
ajinabraham
nodejsscan

nodejsscan is a static security code scanner for Node.js applications.

Score
85
★ 2.6k ⑂ 346 +2/day
CSS
zinja-coder
zinja-coder
jadx-ai-mcp

Plugin for JADX to integrate MCP server

Score
100
★ 2.4k ⑂ 231 +29/day
Java
m14r41
m14r41
PentestingEverything

Complete Solution for VAPT/AppSec and Pentesting Guide: Web | Mobile | API | Thick Client | Source Code Review | DevSecOps | Wireless | Network Pentesting | SAST | DAST etc...

Score
98
★ 1.8k ⑂ 406 +72/day
TypeScript
controlplaneio
controlplaneio
kubesec

Security risk analysis for Kubernetes resources

Score
95
★ 1.5k ⑂ 107 +2/day
Go
betterleaks
betterleaks
betterleaks

Scan the world (for secrets)

Score
60
★ 1.4k ⑂ 102 +2/day
Go
ZupIT
ZupIT
horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Score
100
★ 1.3k ⑂ 217
Go
Cyber-Buddy
Cyber-Buddy
APKHunt

APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.

Score
20
★ 968 ⑂ 102
Go
Pantheon-Security
Pantheon-Security
medusa

AI-first security scanner. NEW in v2026.7: Claude Code compromise detection — vet .claude/ hooks, permissions & skills before you clone — plus an always-on AI attack-signature scanner and native Rust & PHP rules. Also: medusa scan --git to vet any repo, medusa secrets scan for leaked API keys. 40,000+ patterns, zero setup.

Score
50
★ 912 ⑂ 152 +19/day
Python
whgojp
whgojp
JavaSecLab

JavaSecLab is a comprehensive Java vulnerability platform|​ JavaSecLab是一款综合型Java漏洞平台,提供相关漏洞缺陷代码、修复代码、漏洞场景、审计SINK点、安全编码规范,覆盖多种漏洞场景,友好用户交互UI……

Score
92
★ 858 ⑂ 75
Java
FuzzingLabs
FuzzingLabs
secpipe

MCP server for AI-driven security pipelines

Score
82
★ 798 ⑂ 95
Python
MobSF
MobSF
mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

Score
75
★ 770 ⑂ 121 +4/day
Python
knostic
knostic
OpenAnt

OpenAnt from Knostic is the leading open source LLM-based vulnerability discovery product, helping defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.

Score
90
★ 672 ⑂ 99 +13/day
Python
awslabs
awslabs
automated-security-helper

ASH is an extensible, open source SAST, SCA, and IaC security scanner orchestration engine.

Score
88
★ 663 ⑂ 86 +2/day
Python
tianchong-zerotemp
tianchong-zerotemp
dianxing

DianXing - AI-Driven End-to-End Code Security Auditing

Score
80
★ 610 ⑂ 57 +165/day
insidersec
insidersec
insider

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

Score
25
★ 552 ⑂ 80
Go
Chanzi-keji
Chanzi-keji
chanzi

"chanzi" is a simple and user-friendly JAVA SAST tool that utilizes taint analysis technology, includes built-in common vulnerability rules, supports decompile, custom rule, and is compatible with the technology stacks of Servlet&filter, Spring,struts,Dubbo,Thrift, jax-rs,jax-ws,JFinal,Netty,MyBatis,and JSP.

Score
65
★ 489 ⑂ 15
alipay
alipay
ant-application-security-testing-benchmark

xAST评价体系,让安全工具不再“黑盒”. The xAST evaluation benchmark makes security tools no longer a "black box".

Score
78
★ 483 ⑂ 62 +1/day
Java
duriantaco
duriantaco
skylos

Open source local-first PR scanner that finds dead code, security bugs, secrets, quality regressions, and AI-code mistakes before merge. For first timers refer to https://duriantaco.github.io/skylos/repo-map/

Score
40
★ 465 ⑂ 23 +3/day
Python
ajinabraham
ajinabraham
njsscan

njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.

Score
28
★ 434 ⑂ 106
JavaScript
mercedes-benz
mercedes-benz
sechub

SecHub provides a central API to test software with different security tools.

Score
60
★ 353 ⑂ 80
Java
securitycipher
securitycipher
penetration-testing-roadmap

Complete Roadmap for Penetration Testing

Score
75
★ 296 ⑂ 53 +2/day
openhackai
openhackai
OpenHack

Open Source Agentic Security Scanner

Score
70
★ 277 ⑂ 27 +103/day
Python
0sec-labs
0sec-labs
foxguard

A blazingly fast security scanner, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥

Score
68
★ 274 ⑂ 15
Rust
mpast
mpast
mobileAudit

Django application that performs SAST and Malware Analysis for Android APKs

Score
62
★ 228 ⑂ 50
HTML
CloudWithVarJosh
CloudWithVarJosh
Jenkins-Basics-To-Production

Includes day-wise notes, Jenkinsfiles, pipeline examples, and hands-on resources to learn Jenkins CI/CD from scratch to production-ready workflows.

Score
80
★ 190 ⑂ 192 +2/day
Java
AgriciDaniel
AgriciDaniel
claude-cybersecurity

AI-powered cybersecurity code review skill for Claude Code. 8 specialist agents, OWASP 2025, CWE Top 25, MITRE ATT&CK, 11 languages, zero configuration.

Score
52
★ 181 ⑂ 37 +7/day
Shell
Agent-Field
Agent-Field
sec-af

AI-native code security auditor on AgentField that proves exploitability with verdicts, traces, and actionable evidence.

Score
100
★ 170 ⑂ 37
Python
Hainrixz
Hainrixz
cyber-neo

Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 10 and CWE Top 25 categories. 11 security domains, 60+ secret patterns, parallel subagent analysis, professional report generation. Built by tododeia.com

Score
45
★ 167 ⑂ 21 +2/day
Python
shivasurya
shivasurya
code-pathfinder

Static Code Analysis for security teams with Inter file taint analysis. Built for finding vulnerabilities, advanced structural search, derive insights and supports MCP

Score
48
★ 138 ⑂ 16
Go
ParzivalHack
ParzivalHack
PySpector

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. It leverages a powerful Rust core to deliver high-speed, accurate vulnerability scanning, wrapped in a developer-friendly Python CLI.

Score
0
★ 138 ⑂ 38
Python
m14r41
m14r41
scan4secrets

Find credentials and secret with 170+ rules covering across source code, Web URL, and CI/CD, verifies them against vendor APIs, and generates SARIF, JSONL, HTML, PDF, or Excel reports.

Score
50
★ 113 ⑂ 33
Python
sinewaveai
sinewaveai
agent-security-scanner-mcp

Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix.

Score
42
★ 112 ⑂ 10 +1/day
JavaScript
Zigrin-Security
Zigrin-Security
CakeFuzzer

Cake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives.

Score
8
★ 104 ⑂ 9
Python
sidd-harth
sidd-harth
kubernetes-devops-security

Udemy Course on DevSecOps

Score
100
★ 103 ⑂ 1.8k
Java
seqra
seqra
opentaint

The open source taint analysis tool for the AI era. The analyzer you can customize and self-host, built so AI agents drive your security analysis without burning tokens on every scan. AI-ready open source alternative to Semgrep Pro and CodeQL.

Score
50
★ 100 ⑂ 7 +2/day
Kotlin
cycodehq
cycodehq
cycode-cli

Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning

Score
55
★ 98 ⑂ 64
Python
Night-Master
Night-Master
sdlc_golang

sdlc 是一个基于 Go 语言构建的安全漏洞示范平台,旨在促进 DevSecOps 和安全开发生命周期 (SDLC) 实践。它通过模拟常见漏洞来增强开发人员的安全意识,除了可以用于devsecops以外,还可以用于安全行业从事者学习漏洞知识或者渗透知识,代码审计,提供了一个实践和学习的环境。本项目采用了前后端分离的设计模式,其中后端利用了轻量级框架 Gin,而前端则使用了 Vue 3。

Score
0
★ 97 ⑂ 12
Go
ExtensionShield
ExtensionShield
ExtensionShield

Chrome extension risk scanner — scan Chrome Web Store links or CRX/ZIP builds and generate evidence-based security/privacy reports. Open-core.

Score
57
★ 95 ⑂ 76 +2/day
Python
VulnPlanet
VulnPlanet
l3x

AI-driven Static Analyzer. Supports Rust and Smart contracts: Solana based on Rust, Ethereum based on Solidity.

Score
0
★ 94 ⑂ 15
Rust
hangga
hangga
delvelin

Delvelin is a Code Vulnerability Analyzer for Java and Kotlin that supports best practices in security and risk management.

Score
0
★ 92 ⑂ 2
Java
j3ssie
j3ssie
codeql-docker

Ready to use docker image for CodeQL

Score
60
★ 90 ⑂ 9
Python
xfhg
xfhg
intercept

INTERCEPT / Policy as Code Auditing

Score
25
★ 84 ⑂ 10
Go
KaanBicaklar
KaanBicaklar
nuclei-MonaCodeScanner

Nuclei templates for source code analysis. Detects hardcoded secrets, config leaks, debug endpoints. Also helps identify OWASP Top 10 issues in code. Ideal for SAST and CI/CD integration.

Score
2
★ 83 ⑂ 8
inno-devops-labs
inno-devops-labs
DevSecOps-Intro

🚀 DevSecOps intro elective — 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.

Score
72
★ 81 ⑂ 135
Shell
oxsecurity
oxsecurity
codetotal

Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.

Score
0
★ 78 ⑂ 9
TypeScript
vinceAmstoutz
vinceAmstoutz
symfony-security-auditor

AI-powered multi-agent security auditor for Symfony applications — provider-agnostic via symfony/ai.

Score
32
★ 75 ⑂ 0 +4/day
PHP
0dayInc
0dayInc
pwn

PWN is an open security automation framework that aims to stand on the shoulders of security giants, promoting trust and innovation.

Score
35
★ 73 ⑂ 9
Ruby
momenbasel
momenbasel
vulnhawk

AI-powered SAST scanner that finds auth bypass, IDOR, and logic bugs Semgrep/CodeQL miss. Free GitHub Action. Supports Python, JS/TS, Go, PHP, Ruby.

Score
38
★ 72 ⑂ 14
Python
italia
italia
api-oas-checker

An OpenAPI 3 checker based on spectral.

Score
40
★ 70 ⑂ 28
JavaScript
rmkanda
rmkanda
tools

Curated list of security tools

Score
5
★ 69 ⑂ 16
Armur-Ai
Armur-Ai
vibescan

Security scanner for AI-generated ("vibe-coded") code. Runs SAST, DAST, and sandboxed exploit simulation across 15+ languages using 30+ tools. Catches what LLMs introduce before it ships — with AI-powered fixes and PR review integration.

Score
30
★ 67 ⑂ 13 +2/day
Go
yfedoseev
yfedoseev
fossil-mcp

The code quality toolkit for the agentic AI era. Find dead code, clones, and scaffolding across 15 languages. MCP server + CLI.

Score
50
★ 63 ⑂ 4 +1/day
Rust
GhostTroops
GhostTroops
AiCSA

GPT AiCSA(Code security audit),SAST(Static Application Security Testing,静态应用程序安全测试),JAR security analysis, static vulnerability and vulnerability analysis of various programming language codes

Score
0
★ 60 ⑂ 5
JavaScript
ncc-erik-steringer
ncc-erik-steringer
Aerides

An implementation of infrastructure-as-code scanning using dynamic tooling.

Score
0
★ 56 ⑂ 0
HCL
meta-fun
meta-fun
awesome-software-supply-chain-security

Sharing software supply chain security open source projects

Score
40
★ 54 ⑂ 5
Related Topics
#security#static-analysis#devsecops#security-tools#vulnerability-scanner#appsec#owasp#ai#dast#java#cybersecurity#python

© 2026 GitRepoTrend · GitHub repositories by topic · Updated weekly