NIST Samate – Source Code Security Analyzers (nist.gov)
71 points by animationwill on Sept 17, 2020 | hide | past | favorite | 10 comments



It's missing KLEE: https://klee.github.io/. KLEE is a symbolic execution engine, which is effectively just a fancy (and useful) approach to static analysis. KLEE is perennially a few releases behind LLVM, but still going strong, apparently.


Additional lists of static analysis, dynamic analysis, SAST, DAST, and other source code analysis tools:

OWASP > Source Code Analysis Tools: https://owasp.org/www-community/Source_Code_Analysis_Tools

https://analysis-tools.dev/ (supports upvotes and downvotes)

analysis-tools-dev/static-analysis: https://github.com/analysis-tools-dev/static-analysis

analysis-tools-dev/dynamic-analysis: https://github.com/analysis-tools-dev/dynamic-analysis

devsecops/awesome-devsecops: https://github.com/devsecops/awesome-devsecops, https://github.com/TaptuIT/awesome-devsecops

kai5263499/awesome-container-security: https://github.com/kai5263499/awesome-container-security

https://en.wikipedia.org/wiki/DevOps#DevSecOps,_Shifting_Sec... :

> DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach. The traditional centralised security team model must adopt a federated model allowing each delivery team the ability to factor in the correct security controls into their DevOps practices.

awesome-safety-critical: https://awesome-safety-critical.readthedocs.io/en/latest/



It's a good list, but as was mentioned in another post today about SAST tools, it's very important to know that the tool supports your language and framework version, as many of these tools lag far behind the latest releases of popular languages.


Would love to see a meta-analysis of all the analyzers targeting the same languages.


The links to additional tools (other than this NIST collection) are very handy, indeed.

A quick copypasta, sort, and count shows only 6 tools from that initial NIST site are annotated as having been updated in 2020.


The list of products is definitely more expansive than I realized. This space is ripe for a disruption too. So much potential remains in static code analysis.


It wouldn't surprise me if Microsoft and GitHub end up integrating a SAST tool into GitHub and Azure DevOps. I believe GitHub has a rudimentary scanning tool, but something more extensive would give Microsoft and its platforms an advantage.


Haha, you're predicting the .. now. GitHub Advanced Security brings in code scanning (CodeQL), secret scanning, and more.

https://github.blog/changelog/2020-05-06-github-advanced-sec...

Have spent some time with the beta, definitely worth a look.



