#Sast
Showing 60 of 70 repositories tagged #sast, ranked by stars
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
DeepAudit:人人拥有的 AI 黑客战队,让漏洞挖掘触手可及。国内首个开源的代码漏洞挖掘多智能体系统。小白一键部署运行,自主协作审计 + 自动化沙箱 PoC 验证。支持 Ollama 私有部署 ,一键生成报告。支持中转站。让安全不再昂贵,让审计不再复杂。
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
nodejsscan is a static security code scanner for Node.js applications.
Plugin for JADX to integrate MCP server
Complete Solution for VAPT/AppSec and Pentesting Guide: Web | Mobile | API | Thick Client | Source Code Review | DevSecOps | Wireless | Network Pentesting | SAST | DAST etc...
Security risk analysis for Kubernetes resources
Scan the world (for secrets)
Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
AI-first security scanner. NEW in v2026.7: Claude Code compromise detection — vet .claude/ hooks, permissions & skills before you clone — plus an always-on AI attack-signature scanner and native Rust & PHP rules. Also: medusa scan --git to vet any repo, medusa secrets scan for leaked API keys. 40,000+ patterns, zero setup.
JavaSecLab is a comprehensive Java vulnerability platform| JavaSecLab是一款综合型Java漏洞平台,提供相关漏洞缺陷代码、修复代码、漏洞场景、审计SINK点、安全编码规范,覆盖多种漏洞场景,友好用户交互UI……
MCP server for AI-driven security pipelines
mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
OpenAnt from Knostic is the leading open source LLM-based vulnerability discovery product, helping defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.
ASH is an extensible, open source SAST, SCA, and IaC security scanner orchestration engine.
DianXing - AI-Driven End-to-End Code Security Auditing
Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
"chanzi" is a simple and user-friendly JAVA SAST tool that utilizes taint analysis technology, includes built-in common vulnerability rules, supports decompile, custom rule, and is compatible with the technology stacks of Servlet&filter, Spring,struts,Dubbo,Thrift, jax-rs,jax-ws,JFinal,Netty,MyBatis,and JSP.
xAST评价体系,让安全工具不再“黑盒”. The xAST evaluation benchmark makes security tools no longer a "black box".
Open source local-first PR scanner that finds dead code, security bugs, secrets, quality regressions, and AI-code mistakes before merge. For first timers refer to https://duriantaco.github.io/skylos/repo-map/
njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
SecHub provides a central API to test software with different security tools.
Complete Roadmap for Penetration Testing
Open Source Agentic Security Scanner
A blazingly fast security scanner, written in Rust. Batteries included, TUI for triage, secrets, post-quantum audits, diff-aware scans and more 𓃥
Django application that performs SAST and Malware Analysis for Android APKs
Includes day-wise notes, Jenkinsfiles, pipeline examples, and hands-on resources to learn Jenkins CI/CD from scratch to production-ready workflows.
AI-powered cybersecurity code review skill for Claude Code. 8 specialist agents, OWASP 2025, CWE Top 25, MITRE ATT&CK, 11 languages, zero configuration.
AI-native code security auditor on AgentField that proves exploitability with verdicts, traces, and actionable evidence.
Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 10 and CWE Top 25 categories. 11 security domains, 60+ secret patterns, parallel subagent analysis, professional report generation. Built by tododeia.com
Static Code Analysis for security teams with Inter file taint analysis. Built for finding vulnerabilities, advanced structural search, derive insights and supports MCP
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. It leverages a powerful Rust core to deliver high-speed, accurate vulnerability scanning, wrapped in a developer-friendly Python CLI.
Find credentials and secret with 170+ rules covering across source code, Web URL, and CI/CD, verifies them against vendor APIs, and generates SARIF, JSONL, HTML, PDF, or Excel reports.
Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix.
Cake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives.
Udemy Course on DevSecOps
The open source taint analysis tool for the AI era. The analyzer you can customize and self-host, built so AI agents drive your security analysis without burning tokens on every scan. AI-ready open source alternative to Semgrep Pro and CodeQL.
Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning
sdlc 是一个基于 Go 语言构建的安全漏洞示范平台,旨在促进 DevSecOps 和安全开发生命周期 (SDLC) 实践。它通过模拟常见漏洞来增强开发人员的安全意识,除了可以用于devsecops以外,还可以用于安全行业从事者学习漏洞知识或者渗透知识,代码审计,提供了一个实践和学习的环境。本项目采用了前后端分离的设计模式,其中后端利用了轻量级框架 Gin,而前端则使用了 Vue 3。
Chrome extension risk scanner — scan Chrome Web Store links or CRX/ZIP builds and generate evidence-based security/privacy reports. Open-core.
AI-driven Static Analyzer. Supports Rust and Smart contracts: Solana based on Rust, Ethereum based on Solidity.
Delvelin is a Code Vulnerability Analyzer for Java and Kotlin that supports best practices in security and risk management.
Ready to use docker image for CodeQL
INTERCEPT / Policy as Code Auditing
Nuclei templates for source code analysis. Detects hardcoded secrets, config leaks, debug endpoints. Also helps identify OWASP Top 10 issues in code. Ideal for SAST and CI/CD integration.
🚀 DevSecOps intro elective — 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.
Analyze any snippet, file, or repository to detect possible security flaws such as secret in code, open source vulnerability, code security, vulnerability, insecure infrastructure as code, and potential legal issues with open source licenses.
AI-powered multi-agent security auditor for Symfony applications — provider-agnostic via symfony/ai.
PWN is an open security automation framework that aims to stand on the shoulders of security giants, promoting trust and innovation.
AI-powered SAST scanner that finds auth bypass, IDOR, and logic bugs Semgrep/CodeQL miss. Free GitHub Action. Supports Python, JS/TS, Go, PHP, Ruby.
An OpenAPI 3 checker based on spectral.
Curated list of security tools
Security scanner for AI-generated ("vibe-coded") code. Runs SAST, DAST, and sandboxed exploit simulation across 15+ languages using 30+ tools. Catches what LLMs introduce before it ships — with AI-powered fixes and PR review integration.
The code quality toolkit for the agentic AI era. Find dead code, clones, and scaffolding across 15 languages. MCP server + CLI.
GPT AiCSA(Code security audit),SAST(Static Application Security Testing,静态应用程序安全测试),JAR security analysis, static vulnerability and vulnerability analysis of various programming language codes
An implementation of infrastructure-as-code scanning using dynamic tooling.
Sharing software supply chain security open source projects