CompSAST

SAST scanners comparison

The following repository aimed to research what popular static analisys security testing (SAST) tools are best in vulnerabilities finding. The experiment would take several SAST instruments that able to multi-language scan in application, therefore, tools like Bandit or Clang-analizer are not in the testing list.

Main research file: RESEARCH

SAST tools to compare:

• Semgrep
• CodeQL
• SonarQube
• PVS-Studio
• Opengrep
• PMD
• Joern

Benchmarks to test

• IAMeter by Positive Technologies for Go, Java, PHP
• OWASP Benchmark for Java, Python
• NIST Juliet for Java, C/C++, C#

This site is open source. Improve this page.