Updated by Sarah Vonnegut on Nov 14, 2014

The Ultimate List of Open Source Static Code Analysis Security Tools

If you're in the market for an open-source static code analysis security tool, look no further!

VisualCodeGrepper

This automated code security tool works with C++, C#, VB, PHP and Java to identify security weaknesses and other issues in the code. Developed by Nick Dunn (@N1ckDunn), the tool quickly scans and describes, in detail, the issues it finds, offering an easy-to-use interface.

The Good:
- Allows for custom configurations for your own queries
- Tells you the security level of the vulnerabilities it finds
- Searches intelligently for specific violations of OWASP recommendations
- Consistently updated since its creation in 2012

The Not-As-Good:
- While it can analyze many languages, you have to tell it the language you’re scanning
- Scans for a set list of vulnerabilities that cannot be modified
- Isn’t fully automated


YASCA


YASCA (Yet Another Source Code Analyzer) primarily analyzes Java and C/C++, along with JavaScript and other languages, for security flaws and other bugs. Its creator, Michael Scovetta, aggregated many other popular static analysis tools and made it easy to integrate with a variety of other tools, including others on this list: FindBugs, CppCheck, and more. The tool was created in 2008 to help developers look for security bugs by automating part of their code review and finding the “low hanging fruit.” The latest version, 3.0.4, was released in 2012. See the GitHub repository here.

The Good:
- Because YASCA aggregates other powerful tools, it combines the best parts of each for broader coverage

The Not-As-Good:
- Broader does not mean deeper: keep in mind that this tool was built to look for low-hanging fruit like SQL injection and XSS, so be wary of missing more serious issues.