Static Application Security Testing (SAST) analyzes an application's source and binary code – as opposed to checking the source code (eg: IT:AD:Resharper) – for security vulnerabilities, typically at the programming or testing phases of the software lifecycle.

SAST typically provides more comprehensive results than IT:AD:Dynamic Application Security Testing (DAST) results because it tests the entire application, whereas DAST must first discover every individual execution path in the running application before testing it.

"We have used the data from one specific competition to show that the contestants’ manual code review results vary widely, identifying from zero up to 33 issues. In comparison QA·C’s automated static analysis found 120 issues"


In the .NET world there are several options:


package SAST {
package "Binary Analysis" as BA {
package "Unmaintained" as UM {
class "CAT.NET" as CAT #grey
class FxCop #grey
class Gendarme #grey

note as N1
Not maintained
due to FxCop

note as N2
Not maintained and
Integrated into VS

note as N3
Not maintained

CAT -[Hidden]RIGHT- Gendarme
Gendarme -[Hidden]RIGHT- FxCop

CAT -- N1
FxCop -- N2
Gendarme -- N3

class "Visual Studio" as VS

package "Source Analysis" as SA {
class Resharper
class "Visual Code Grepper" as VCG #grey

note as N4