
NIST Samate – Source Code Security Analyzers - animationwill
https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
======
pabs3
Some other lists of these sorts of things:

[https://github.com/analysis-tools-dev/static-analysis](https://github.com/analysis-tools-dev/static-analysis)
[https://github.com/analysis-tools-dev/dynamic-analysis](https://github.com/analysis-tools-dev/dynamic-analysis)
[https://github.com/collab-qa/check-all-the-things/tree/master/data](https://github.com/collab-qa/check-all-the-things/tree/master/data)
[https://github.com/collab-qa/check-all-the-things/blob/master/doc/TODO](https://github.com/collab-qa/check-all-the-things/blob/master/doc/TODO)

------
wahern
It's missing KLEE: [https://klee.github.io/](https://klee.github.io/). KLEE is
a symbolic execution engine, which is effectively just a fancy (and useful)
approach to static analysis. KLEE is perennially a few releases behind LLVM,
but still going strong, apparently.
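
An added example of what driving KLEE actually looks like, written for this page and not taken from the thread or from the KLEE project: a small harness around a hypothetical table lookup. The `codes` table, the index range in the `klee_assume` calls and both `lookup_*` functions are invented for illustration; only `klee_make_symbolic`, `klee_assume` and `klee_assert` are real KLEE intrinsics. Built without `-DUSE_KLEE` it is an ordinary C program.

```c
/* Added example, not from the thread or the KLEE project: a minimal KLEE
 * harness around a hypothetical table lookup.  The table, the index range
 * and both lookup functions are made up for illustration.
 *
 * Native build (plain C, no KLEE needed):
 *   cc -o harness harness.c && ./harness 2
 * Symbolic run under KLEE (the clang must match the LLVM KLEE was built on):
 *   clang -emit-llvm -c -g -O0 -DUSE_KLEE harness.c -o harness.bc
 *   klee harness.bc          # then look for a *.ptr.err file in klee-last/
 */
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_KLEE
#include "klee/klee.h"   /* klee_make_symbolic, klee_assume, klee_assert */
#endif

#define NCODES 4

/* Constructed data: a small table of HTTP-style status codes. */
static const int codes[NCODES] = { 200, 301, 404, 500 };

/* Buggy lookup: idx is trusted, so any value outside 0..NCODES-1 reads past
 * the table.  With a symbolic idx KLEE solves for such a value itself and
 * reports an out-of-bound pointer error; no lucky test input is required. */
int lookup_buggy(int idx)
{
    return codes[idx];
}

/* Hardened lookup: out-of-range indexes are rejected with -1.  Under KLEE
 * this version completes one path per table entry plus one rejected path,
 * with no memory errors. */
int lookup_checked(int idx)
{
    if (idx < 0 || idx >= NCODES)
        return -1;
    return codes[idx];
}

int main(int argc, char **argv)
{
    int idx;

#ifdef USE_KLEE
    /* Mark idx symbolic: KLEE forks a path at every branch that depends on it. */
    klee_make_symbolic(&idx, sizeof idx, "idx");
    /* Bound the search so the run stays small while both sides of the bounds
     * check stay reachable.  Two calls rather than one && expression, which
     * would fork an extra path on the short-circuit. */
    klee_assume(idx >= -8);
    klee_assume(idx <= 8);

    /* Property that must hold on every path; KLEE emits a counterexample
     * test case if the solver can violate it. */
    klee_assert(lookup_checked(idx) == -1 || (idx >= 0 && idx < NCODES));

    /* The unchecked version: KLEE produces a test case whose idx leaves the
     * object (e.g. idx=4 or idx=-1) and flags it as ptr.err. */
    (void)lookup_buggy(idx);
#else
    if (argc < 2) {
        fprintf(stderr, "usage: %s <idx>\n", argv[0]);
        return 2;
    }
    idx = atoi(argv[1]);
    printf("lookup_checked(%d) = %d\n", idx, lookup_checked(idx));
#endif
    return 0;
}
```

Two practical caveats: KLEE only reports the out-of-bounds read because `codes` is a concrete memory object it tracks, so the same harness pattern (make the untrusted input symbolic, assert the invariant, call the code under test) is what turns it into a bug finder rather than a path enumerator; and, as the comment above notes, the `clang` used to emit the bitcode has to match the LLVM release KLEE was built against, or the bitcode will not load.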

------
westurner
Additional lists of static analysis, dynamic analysis, SAST, DAST, and other
source code analysis tools:

OWASP > Source Code Analysis Tools: [https://owasp.org/www-community/Source_Code_Analysis_Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools)

[https://analysis-tools.dev/](https://analysis-tools.dev/) (supports upvotes
and downvotes)

analysis-tools-dev/static-analysis: [https://github.com/analysis-tools-dev/static-analysis](https://github.com/analysis-tools-dev/static-analysis)

analysis-tools-dev/dynamic-analysis: [https://github.com/analysis-tools-dev/dynamic-analysis](https://github.com/analysis-tools-dev/dynamic-analysis)

devsecops/awesome-devsecops: [https://github.com/devsecops/awesome-devsecops](https://github.com/devsecops/awesome-devsecops), [https://github.com/TaptuIT/awesome-devsecops](https://github.com/TaptuIT/awesome-devsecops)

kai5263499/awesome-container-security: [https://github.com/kai5263499/awesome-container-security](https://github.com/kai5263499/awesome-container-security)

[https://en.wikipedia.org/wiki/DevOps#DevSecOps,_Shifting_Security_Left](https://en.wikipedia.org/wiki/DevOps#DevSecOps,_Shifting_Security_Left):

> _DevSecOps is an augmentation of DevOps to allow for security practices to
> be integrated into the DevOps approach. The traditional centralised security
> team model must adopt a federated model allowing each delivery team the
> ability to factor in the correct security controls into their DevOps
> practices._

awesome-safety-critical: [https://awesome-safety-critical.readthedocs.io/en/latest/](https://awesome-safety-critical.readthedocs.io/en/latest/)

------
baby
Missing unicornator!
[https://github.com/mimoo/unicornator](https://github.com/mimoo/unicornator)

------
Mountain_Skies
It's a good list but as was mentioned in another post today about SAST tools,
it's very important to know that the tool supports your language and framework
version as many of these tools lag far behind the latest releases of popular
languages.

------
sixstringtheory
Would love to see a meta-analysis of all the analyzers targeting the same
languages.

------
onlinejk
The links to additional tools (other than this NIST collection) are very
handy, indeed.

A quick copypasta, sort, and count shows only 6 tools from that initial NIST
site are annotated as having been updated in 2020.

------
bdamm
The list of products is definitely more expansive than I realized. This space
is ripe for a disruption too. So much potential remains in static code
analysis.

~~~
Mountain_Skies
It wouldn't surprise me if Microsoft and Github end up integrating a SAST tool
into Github and Azure DevOps. I believe Github has a rudimentary scanning tool
but something more extensive would give Microsoft and its platforms an
advantage.

~~~
chair6
Haha, you're predicting the ... now. GitHub Advanced Security brings in code
scanning (CodeQL), secret scanning, and more.

[https://github.blog/changelog/2020-05-06-github-advanced-security-code-scanning-now-available-in-limited-public-beta/](https://github.blog/changelog/2020-05-06-github-advanced-security-code-scanning-now-available-in-limited-public-beta/)

Have spent some time with the beta, definitely worth a look.

