Static Application Security Testing (SAST) analyzes an application's source and binary code – as opposed to checking the source code (eg: IT:AD:Resharper) – for security vulnerabilities, typically at the programming or testing phases of the software lifecycle.

SAST typically provides more comprehensive results than IT:AD:Dynamic Application Security Testing (DAST) results because it tests the entire application, whereas DAST must first discover every individual execution path in the running application before testing it.

"We have used the data from one specific competition to show that the contestants’ manual code review results vary widely, identifying from zero up to 33 issues. In comparison QA·C’s automated static analysis found 120 issues"


In the .NET world there are several options:

SASTBinary AnalysisUnmaintainedSource AnalysisVisual StudioCAT.NETFxCopGendarmeNot maintaineddue to FxCopNot maintained andIntegrated into VSNot maintainedResharperVisual Code GrepperLite