StaticCodeAudit

Frequently Asked Questions

Everything you need to know about StaticCodeAudit.

What is static code analysis (SAST)?

Static Application Security Testing (SAST) analyzes source code without executing it, identifying vulnerabilities, code quality issues, and compliance violations before deployment. StaticCodeAudit performs SAST across 8 programming languages with 698 detection rules.

Does StaticCodeAudit require an internet connection?

No. StaticCodeAudit runs 100% offline with zero external API calls. Your source code never leaves your machine. The binary is fully self-contained — no cloud services, no telemetry, no phone-home.

Which programming languages are supported?

Python, JavaScript/TypeScript, HTML (including Vue, Svelte, EJS, Jinja, Twig templates), Java, C#, PHP, and YAML (for CI/CD pipeline analysis). Each language has dedicated detection rules.

How is StaticCodeAudit different from SonarQube or ESLint?

Unlike SonarQube (which requires a server) or ESLint (JavaScript only), StaticCodeAudit is a standalone tool that produces self-contained HTML reports with no server infrastructure. It also supports white-label branding, report output in four languages, and CI/CD workflow analysis, all for free.

What security standards does it cover?

StaticCodeAudit maps findings to OWASP Top 10, CWE (Common Weakness Enumeration), WCAG 2.1 accessibility guidelines, GDPR/RGPD data protection, OWASP CI/CD Top 10, ISO/IEC 27001:2022 Annex A (93 controls compliance matrix), and OWASP ASVS v5.0.0 (348 requirements across 17 chapters). It also exports in SARIF 2.1.0 format for integration with GitHub and GitLab security dashboards.

Can I customize the reports with my company branding?

Yes. White-label branding is free and built-in. You can configure the tool name, company name, logo (SVG/PNG/JPG), file prefix, and favicon in your project's audit.config.json. The generated reports use your branding throughout — including headers, footers, and browser tab.

How are findings organized in the report?

Findings are organized in a 3-level hierarchy: first by severity (Critical, High, Medium, Low, Info), then by source (Business Code vs Dependencies), then by category (Security, Architecture, UI, UX, Maintenance, etc.). Each level is collapsible for efficient navigation.

Is StaticCodeAudit fast enough for CI/CD?

Yes. Thanks to a rule cache and hash-based incremental analysis, warm-cache runs are up to 3× faster than cold runs. Only files changed since the last scan are re-analyzed, making StaticCodeAudit well suited for CI/CD pipelines and pre-commit hooks.

How does StaticCodeAudit compare to Snyk Code?

Snyk Code is a SaaS: your source code is uploaded to Snyk's cloud for analysis, and pricing scales per developer ($25–40/dev/month). StaticCodeAudit runs 100% on your machine (no upload, no telemetry) and prices on capacity (€990 to €11 990/year, no seat fee). Both are valid choices: pick Snyk if you accept SaaS and want an IDE-first workflow; pick StaticCodeAudit if your privacy posture or compliance requirements forbid sending source code to a third-party cloud.

What is the best offline SAST tool?

For strict offline deployment, the two main options are StaticCodeAudit and SonarQube self-hosted. StaticCodeAudit is a single binary with zero dependencies (from €990/year). SonarQube self-hosted requires a Java + database server infrastructure ($2 500–20 000+/year). Other tools (Snyk, SonarCloud, GitHub Advanced Security, Semgrep Pro, Veracode) are SaaS-only. Bandit and ESLint plugins are free OSS but cover a single language without unified compliance reporting.

How much does StaticCodeAudit cost?

Pricing starts at €990/year (Solo). Solo Plus is €1 590/year, Team €3 990/year (most popular), Team Plus €11 990/year, Enterprise from €30 000/year. All plans are annual subscriptions with no per-seat fee, no installation cost, no telemetry. Free Demo available for evaluation.

Does StaticCodeAudit have telemetry or phone-home?

No. The binary makes zero outbound network calls under any circumstances: no telemetry, no version check, no analytics. This is a structural design choice; the binary contains no outbound network code at all. Communication from the vendor to the customer (rule pack updates, license renewals) happens via email and manual user action on the authenticated portal. Your source code and audit results never leave your machine through the analyzer.

Have another question?

Ask the founder directly