Found 458 repositories (showing 30)
Bearer
Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
ShiftLeftSecurity
Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and their dependencies. CI and Git friendly.
lokerxx
Java Security Testbed, IAST Test Cases, Java Vulnerability Reproduction, Code Auditing, SAST Test Cases, Security Scanning (Active and Passive), Java Vulnerability Testbed, RASP Test Cases
SunWeb3Sec
A SAST skill that gives AI coding agents structured vulnerability detection across 34 vulnerability classes.
AppThreat
Fully open-source SAST scanner supporting a range of languages and frameworks. Integrates with major CI pipelines and IDEs such as Azure DevOps, Google CloudBuild, VS Code and Visual Studio. No server required!
ParzivalHack
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. It leverages a powerful Rust core to deliver high-speed, accurate vulnerability scanning, wrapped in a developer-friendly Python CLI.
m14r41
SAST and DAST scans supported, with 400-plus rules available for secrets, and allows you to add your own wordlist as well. Lightweight scanner for source code and URLs that detects hardcoded secrets like API keys, credentials, and sensitive information across files and folders.
cycodehq
Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning
viralvaghela
Command-line tool designed to rapidly scan decompiled Android applications for hardcoded secrets. It moves beyond simple keyword searching by using a powerful regex engine to identify high-entropy strings, specific key patterns, and other sensitive data that could pose a security risk.
mllamazares
🧪 Correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM.
checkmarx-ts
Exports vulnerability scan data from the Checkmarx SAST platform for use in analytical tools.
contrastsecurity
CodeSec by Contrast - The fastest and most accurate SAST scanner. Scan code and serverless environments
reem-sab
The doc-sentinel-ai project is a security-focused tool utilizing AI to perform SAST scans, detect dead code, and intelligently triage vulnerabilities. It provides a modular, local-first framework for automated code analysis, allowing for policy-driven security checks.
paulveillard
An ongoing & curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines, technical resources and most important static application security testing (SAST)
advanced-security
Focus SAST scans (with CodeQL) on just the changed parts of your monorepo, split up as you define
mikusher
Benchmark collection for analysis. The idea is to have a collection of projects in several languages as well as various SAST applications to do scans and comparisons. At the end of the day the intention is to reduce the number of false positives in benchmark projects.
AppThreat
GitHub action for performing SAST scanning using various OSS tools such as gitleaks, bandit, findsecbugs etc.
ministryofjustice
A collection of reusable GitHub Actions that standardise DevSecOps security scanning i.e. SCA, SAST, DAST, secrets, IaC, and container security.
MetaMask
A GitHub action aggregating SAST tools to scan code for vulnerabilities
Chessiie
A repo full of secrets. This is designed to test SAST secret scanning tools.
gbrls
🔒 Security Scanning for Github Actions; SAST, DAST, Secrets, and Dependencies
rezmoss
🔐 A curated list of open-source security tools organized by CI/CD pipeline stage. Covers secrets detection, SBOM, SAST, SCA, IaC security, container scanning, Kubernetes security & more. Actively maintained with weekly status updates
EdgarPsda
Opinionated CLI to bootstrap a DevSecOps pipeline in minutes, SAST, secrets scanning, SCA, SBOM, IaC, and AI fix suggestions for Node.js, Go, Python, and Java projects.
Checkmarx
The CxAST Azure DevOps plugin enables you to trigger SAST, SCA, and KICS scans directly from an Azure DevOps pipeline.
alexgracianoarj
A GitLab pipeline demo with DevSecOps best practices (SAST, DAST and Container scan) using open source tools.
jmessiass
Example security workflow that runs SAST, SCA, Secrets Scan and IaC Scan tests via GitHub Actions using open source tools.
accuknox
AccuKnox CI/CD Action for SAST
Sengtocxoen
A comprehensive Model Context Protocol (MCP) server that integrates multiple SAST (Static Application Security Testing) tools with Claude Code AI, enabling automated security analysis and vulnerability scanning directly from your AI assistant.
SimardeepSingh-zsh
This repository is an advanced DevSecOps reference project that combines: - Shift-left security: SAST, linting, and secrets scanning integrated into developer and CI workflows - Infrastructure-as-Code security: Terraform and Kubernetes with automated misconfiguration scanning and policy-as-code.
splunk
Static Analysis Tooling at Splunk (Semgrep.dev)