StaticCodeAudit is licensed per project on an annual subscription. Six tiers cover individual freelancers up to large enterprises, and every paid plan includes the full set of 697 detection rules, taint analysis and white-label branding; the tiers differ in capacity (machines, files, lines of code, custom rules) and in export formats.
Demo
Evaluate StaticCodeAudit on small projects. No time limit.
No credit card required
- 1 machine / fingerprint
- 10 files per project
- 1 000 lines of code
- 1 custom rule per project
- Export: HTML
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
Solo
For freelancers and individual developers auditing small to medium codebases.
≈ 83 €/mo, billed annually
- 1 machine / fingerprint
- 450 files per project
- 50 000 lines of code
- 50 custom rules per project
- Export: HTML
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
Solo Plus
For freelancers using two machines (laptop + desktop).
≈ 133 €/mo, billed annually
- 2 machines / fingerprints
- 450 files per project
- 100 000 lines of code
- 50 custom rules per project
- Export: HTML
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
Team
For development teams who need SARIF integration and CI/CD pipeline auditing.
≈ 333 €/mo, billed annually
- 9 + 1 CI machines / fingerprints
- 4 500 files per project
- 500 000 lines of code
- 250 custom rules per project
- Export: HTML, SARIF
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
Team Plus
For mid-sized teams up to 20 developers, with SBOM exports.
≈ 999 €/mo, billed annually
- 20 + 3 CI machines / fingerprints
- 10 000 files per project
- 2 000 000 lines of code
- 500 custom rules per project
- Export: HTML, SARIF, SBOM
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
Enterprise
For large organizations requiring unlimited files, SBOM exports, and priority support.
Starting from 30 000 €/year (custom quote)
- Unlimited machines / fingerprints
- Unlimited files per project
- Unlimited lines of code
- Unlimited custom rules per project
- Export: HTML, SARIF, SBOM
- 697 built-in detection rules (100% CWE/WCAG-mapped)
- New-CVE rule packs included (out-of-band, signed, no phone-home)
- White-label branding (free)
All prices are annual subscriptions, billed in one payment per year. No monthly option.
Plan Comparison
| Feature | Demo | Solo | Solo Plus | Team | Team Plus | Enterprise |
|---|---|---|---|---|---|---|
| Machines / fingerprints | 1 | 1 | 2 | 9 + 1 CI | 20 + 3 CI | ∞ |
| files per project | 10 | 450 | 450 | 4 500 | 10 000 | ∞ |
| lines of code | 1 000 | 50 000 | 100 000 | 500 000 | 2 000 000 | ∞ |
| custom rules per project | 1 | 50 | 50 | 250 | 500 | ∞ |
| HTML | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| SARIF 2.1.0 | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| SBOM CycloneDX 1.5 | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Annual price | Free | 990 € / year | 1 590 € / year | 3 990 € / year | 11 990 € / year | On request |
Built-in rules never count against your quota; only custom rules are counted, per project. Files beyond the file limit are still scanned, but the first N files (N being your tier's file quota) are prioritized.
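The Team tier and above export SARIF 2.1.0 so that findings can gate a CI/CD pipeline. The following Python script is an added example of what that gate looks like on the consumer side; it is not code from StaticCodeAudit or CodeFixture. The embedded SARIF document is constructed for the example, and its rule IDs (`SCA-SQLI-001`, etc.) are illustrative, not the tool's real identifiers. It reads any SARIF 2.1.0 file, resolves each result's CWE tags from the driver's rule metadata, prints a per-rule summary, and exits non-zero when a finding at or above the chosen severity is present.

```python
"""Gate a CI job on a SARIF 2.1.0 export: fail when any finding at or above
a chosen severity level is present, and print a short per-rule summary."""
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 document (not a real StaticCodeAudit export;
# tool name and rule IDs are illustrative only).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "StaticCodeAudit",
            "rules": [
                {"id": "SCA-SQLI-001", "shortDescription": {"text": "SQL injection"},
                 "properties": {"tags": ["CWE-89"]}},
                {"id": "SCA-XSS-002", "shortDescription": {"text": "Reflected XSS"},
                 "properties": {"tags": ["CWE-79"]}},
                {"id": "SCA-STYLE-900", "shortDescription": {"text": "Unused import"}},
            ],
        }},
        "results": [
            {"ruleId": "SCA-SQLI-001", "level": "error",
             "message": {"text": "User input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "SCA-XSS-002", "level": "warning",
             "message": {"text": "Unescaped output written to response"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "SCA-STYLE-900", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# SARIF result levels, ordered by severity.
SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text):
    """Flatten every result across all runs into plain dicts, resolving the
    rule's CWE tags from the driver's rule metadata."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "level": res.get("level", "warning"),  # SARIF default when level is absent
                "cwes": [t for t in rule.get("properties", {}).get("tags", []) if t.startswith("CWE-")],
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "text": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, fail_on="error"):
    """Return (should_fail, blocking_findings) for the given severity threshold."""
    threshold = SEVERITY[fail_on]
    blocking = [f for f in findings if SEVERITY.get(f["level"], 2) >= threshold]
    return bool(blocking), blocking


def summarize(findings):
    """Count findings per (rule, level) for a one-line-per-rule CI log."""
    return Counter((f["rule"], f["level"]) for f in findings)


if __name__ == "__main__":
    import sys
    fs = load_findings(SAMPLE_SARIF)
    for (rule, level), n in sorted(summarize(fs).items()):
        print(f"{level:8} {rule:16} x{n}")
    failed, blocking = gate(fs, fail_on="error")
    for f in blocking:
        print(f"BLOCKING {f['file']}:{f['line']} {f['rule']} [{','.join(f['cwes'])}]: {f['text']}")
    sys.exit(1 if failed else 0)
```

In a pipeline you would replace `SAMPLE_SARIF` with the file the scanner wrote and pick `fail_on="warning"` once the backlog of existing warnings is cleared; keeping the threshold in one place makes the policy auditable.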
How we compare to the main competitors
Pricing snapshot collected from public product pages in 2026. Each competitor has its own strengths; the right tool depends on your privacy posture, deployment constraints and budget structure.
| Tool | Deployment model | Typical pricing | Offline | Best fit for |
|---|---|---|---|---|
| StaticCodeAudit (CodeFixture) | Self-contained binary, runs locally | 990 € – 11 990 € / year (Enterprise from 30 000 € / year, on quote) | ✓ | Privacy-first orgs (health, defense, finance, public sector, legal). SMEs, mid-sized companies, consultancies. |
| Snyk Code (snyk.io) | SaaS, code uploaded | $25–40 / dev / month | ✗ | Cloud-native teams accepting SaaS. IDE-first workflow. |
| SonarCloud (sonarsource.com) | SaaS, code uploaded | $10–25 / dev / month | ✗ | Teams already in the Sonar ecosystem who don't mind cloud. |
| SonarQube Developer / Enterprise | Self-hosted server (Java + DB) | $2 500 – $20 000+ / year | ~ | Large engineering orgs with infra ops capacity. White-label = Enterprise tier. |
| GitHub Advanced Security (CodeQL) | GitHub-integrated SaaS | $49 / committer / month | ✗ | Orgs fully on GitHub Enterprise. |
| Semgrep Pro (semgrep.dev) | CE OSS / Pro SaaS | $25–60 / dev / month | ✗ | Teams happy with YAML rules and SaaS Pro features. |
| Checkmarx One (checkmarx.com) | Enterprise SAST (on-prem optional) | $35 000 – $90 000 / year | ~ | Fortune 500 with established AppSec programs. |
| Veracode (veracode.com) | Enterprise SAST SaaS | $50 000+ / year | ✗ | Compliance-driven enterprises with a central security team. |

Offline column: ✓ = runs entirely inside your network with no outbound calls; ~ = self-hosted or on-premises deployment available as an option; ✗ = analysis runs in the vendor's cloud.
Why offline matters here
Among the major SAST tools listed above, only StaticCodeAudit and a self-hosted SonarQube run entirely inside your network (Checkmarx One offers on-premises deployment as an option). SonarQube requires a Java server plus a database. StaticCodeAudit is a single binary that makes no outbound calls, so your source cannot leave through the analyzer itself; you can confirm this on your own side by running it with outbound traffic blocked at the host firewall and checking the logs for connection attempts.
Pricing structure differs
Most competitors price per developer or per committer, so cost grows linearly with team size. StaticCodeAudit prices on capacity (files per project, lines of code, custom rules), with a per-tier cap on licensed machines rather than a per-seat fee, so adding developers to a project does not raise the price until you need more machines or more capacity. Annual licence, no per-seat fee.
Prices shown reflect publicly listed entry-level offerings as of 2026. All competitors mentioned are valid choices in their respective contexts. Consult their official product pages for up-to-date quotes.
Not sure which plan fits?
Start with the Demo: no registration, no credit card. Explore the full report format on a small real codebase (up to 10 files and 1 000 lines of code).