Why StaticCodeAudit?
Built for developers who value privacy, simplicity, and thoroughness.
Security First
262 security rules covering SQL injection, XSS, SSRF, path traversal, hardcoded secrets, unsafe deserialization, weak cryptography, cookie security, LDAP injection and more. Mapped to OWASP Top 10, CWE, GDPR, ISO 27001 Annex A and OWASP ASVS v5.0.0.
Enterprise-Grade Reports
Self-contained HTML reports with 12+ interactive charts, health scoring, historical comparison and findings grouped by severity and category. One file, no server needed.
Zero Dependencies
Single self-contained binary. No pip, no Node, no Docker, no external APIs, no cloud, no telemetry. Your code never leaves your machine.
6 Audit Categories. 691 Rules.
Comprehensive coverage from security vulnerabilities to accessibility compliance.
Security
SQL injection, XSS, SSRF, path traversal, secrets, eval, deserialization, weak crypto, command injection, LDAP injection, cookie security, GDPR compliance...
Architecture
Admin route protection, DB logic in routers, direct queries, N+1 patterns, oversized files.
Interface / UI
Inline styles, manual createElement, event listener leaks, DOM manipulation in loops.
Accessibility / UX
ARIA labels, alt text, focus management, autoplay, i18n issues, toast patterns, console.log detection.
Maintenance
Unresolved TODO/FIXME/HACK/XXX, deprecated APIs (5 languages), catch-all exceptions, debug statements, error suppressors.
CI/CD
GitHub Actions security, GitLab CI, expression injection, excessive permissions, unpinned actions.
Supported Languages
Built for CI/CD speed
Rule cache and incremental analysis keep your pipeline fast even as your codebase grows.
Rule cache
Parsed DSL rules are cached across runs — no re-parsing on every scan.
Incremental analysis
Only files modified since the last scan are re-analyzed, identified by content hash.
3× faster on warm runs
Subsequent scans of unchanged code are up to 3× faster than the initial cold run.
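The incremental mechanism described above, as an added example in Go. It is not StaticCodeAudit's own code and its cache format is not described on this page; the names `Snapshot`, `PlanScan` and `RulesetHash`, the in-memory repository and the sample rule names are all made up for the illustration. Beyond the page's own point (content hash rather than mtime decides what to rescan), it shows the check a practitioner should insist on: the snapshot is also keyed on the rule set, so a new rule pack forces a full pass instead of silently leaving unchanged files unchecked against the new rules.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Snapshot is what an incremental scanner persists between runs: the hash of
// the rule set it was produced with and, per file path, the content hash that
// was analysed under that rule set. (Illustrative layout, not the product's.)
type Snapshot struct {
	RulesetHash string
	Files       map[string]string
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// RulesetHash derives one hash for the whole rule set (builtin, packs, custom),
// so that any rule change invalidates the cache. Rules are sorted and
// separated by a NUL byte so that concatenation is unambiguous.
func RulesetHash(rules []string) string {
	sorted := append([]string(nil), rules...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, r := range sorted {
		h.Write([]byte(r))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// PlanScan decides which files must be (re)analysed. A file whose content hash
// matches the previous snapshot is skipped only when the rule set is unchanged;
// a changed rule set forces a full scan. Because the new snapshot is rebuilt
// from the current tree, deleted files drop out of it automatically.
// It returns the paths to scan (sorted) and the snapshot to persist.
func PlanScan(prev Snapshot, rules []string, repo map[string][]byte) ([]string, Snapshot) {
	next := Snapshot{RulesetHash: RulesetHash(rules), Files: make(map[string]string, len(repo))}
	fullScan := prev.RulesetHash != next.RulesetHash
	var toScan []string
	for path, content := range repo {
		h := hashBytes(content)
		next.Files[path] = h
		if fullScan || prev.Files[path] != h { // reading a nil map is safe in Go
			toScan = append(toScan, path)
		}
	}
	sort.Strings(toScan)
	return toScan, next
}

func main() {
	// Constructed sample repository: an in-memory tree instead of files on disk.
	repo := map[string][]byte{
		"app/db.py":    []byte("cur.execute(\"SELECT * FROM users WHERE id=\" + uid)\n"),
		"app/views.py": []byte("return render(request, 'index.html')\n"),
		"README.md":    []byte("# demo\n"),
	}
	rules := []string{"sql-injection-concat", "hardcoded-secret"}

	// Cold run: no snapshot, every file is scanned.
	toScan, snap := PlanScan(Snapshot{}, rules, repo)
	fmt.Println("cold run:", toScan)

	// Warm run with one edit: only the edited file is re-analysed.
	repo["app/views.py"] = []byte("return render(request, 'home.html')\n")
	toScan, snap = PlanScan(snap, rules, repo)
	fmt.Println("warm run, one edit:", toScan)

	// A new rule pack arrives: the rule-set hash changes, so every file is
	// rescanned even though no source file changed.
	rules = append(rules, "new-pack-rule")
	toScan, _ = PlanScan(snap, rules, repo)
	fmt.Println("warm run, new rules:", toScan)
}
```

The key design choice is the rule-set hash in the snapshot: without it, an incremental scanner applied a freshly delivered rule pack only to files that happened to change afterwards.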
The offline boundary
A clear separation between what runs online (your provider) and what runs in your network (the binary). Email is the only link.
Online — managed by us
CodeFixture infrastructure
- CVE intelligence (NVD / OSV / GitHub Advisory)
- Operator authors and validates new rules in a sandbox
- Rule packs are versioned, hashed (SHA-256) and signed
- Email notification sent to active subscribers
Offline — your environment
Your machine / your CI
- Binary runs locally, never makes outbound calls
- You manually pull packs from your authenticated portal
- Each rule's SHA-256 is verified against the signed pack before load: a tampered rule is rejected
- Audits run with builtin + packs + your custom rules
Email + manual user action — the only bridge across the boundary
No telemetry. No phone-home. No background sync. The binary has no outbound network code, so it cannot exfiltrate source code or audit results on its own; you can confirm this yourself by running it in a network-isolated sandbox or behind an egress-deny firewall rule.
CVE response cycle, no phone-home
When a new CVE drops, you stay up to date without your binary ever calling home. Email + manual download. Signed pack. Loaded automatically on the next audit.
1. CVE detected: our team reviews NVD / OSV / GitHub Advisory daily.
2. Rule authored: an operator writes a .sca rule and validates it in a sandbox.
3. Email to subscribers: you receive a notification with a download link to your portal.
4. You download: manual action. The pack lands in rules-updates/ next to your binary.
5. Auto-loaded: the next audit picks up the new rules. Each rule is SHA-256 verified against the signed pack before load; a tampered rule is never loaded.
The binary makes ZERO outbound calls at any step. The CVE response cycle exists outside the binary, by design.
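The verification that the offline boundary and steps 4 and 5 of the cycle rely on, as an added example in Go. This is not StaticCodeAudit's code: the .sca pack layout, the manifest format, the use of Ed25519 and the names `Pack`, `SignPack` and `LoadPack` are assumptions made for the illustration. Its point is the one a practitioner should check in any "hash verified" claim: a per-rule SHA-256 only detects tampering when the expected hashes come from a manifest whose signature is checked first under a publisher key that ships with the binary. A hash list sitting unsigned next to the rules can be rewritten by whoever rewrote the rules.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Rule is one entry of a rule pack (illustrative, not the real .sca format).
type Rule struct {
	Name string
	Body string
}

// Pack is what lands in rules-updates/: the rules, a manifest listing each
// rule's SHA-256, and a signature over the manifest. Only the manifest is
// signed; every rule is bound to it through its hash.
type Pack struct {
	Rules     []Rule
	Manifest  []byte
	Signature []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// buildManifest produces a canonical "name sha256\n" listing sorted by name,
// so that signer and verifier serialise it byte for byte identically.
func buildManifest(rules []Rule) []byte {
	lines := make([]string, 0, len(rules))
	for _, r := range rules {
		lines = append(lines, r.Name+" "+sha256Hex([]byte(r.Body)))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignPack is the publisher's side: hash every rule, sign the manifest.
func SignPack(priv ed25519.PrivateKey, rules []Rule) Pack {
	m := buildManifest(rules)
	return Pack{Rules: rules, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// LoadPack is the consumer's side and runs before any rule is loaded:
// 1. the manifest signature must verify under the publisher key shipped with the binary;
// 2. every rule's SHA-256 must match its manifest entry;
// 3. a rule absent from the manifest, or a manifest entry without a rule, rejects the whole pack.
func LoadPack(pub ed25519.PublicKey, p Pack) ([]Rule, error) {
	if !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return nil, errors.New("pack rejected: manifest signature invalid")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(p.Manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("pack rejected: malformed manifest line %q", line)
		}
		expected[fields[0]] = fields[1]
	}
	if len(expected) != len(p.Rules) {
		return nil, errors.New("pack rejected: rule count does not match signed manifest")
	}
	for _, r := range p.Rules {
		want, ok := expected[r.Name]
		if !ok {
			return nil, fmt.Errorf("pack rejected: rule %q not in signed manifest", r.Name)
		}
		if got := sha256Hex([]byte(r.Body)); got != want {
			return nil, fmt.Errorf("pack rejected: rule %q hash mismatch (tampered)", r.Name)
		}
	}
	return p.Rules, nil
}

func main() {
	// Demo key pair. In practice only the public key ships with the binary and
	// the private key stays with the operator who authors packs.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample pack with two rules in a made-up text format.
	rules := []Rule{
		{Name: "sqli-string-concat", Body: "pattern: execute(* + *)\nseverity: high\n"},
		{Name: "hardcoded-aws-key", Body: "pattern: AKIA*\nseverity: critical\n"},
	}
	pack := SignPack(priv, rules)
	loaded, err := LoadPack(pub, pack)
	fmt.Println("genuine pack:", len(loaded), "rules loaded, err =", err)

	// Edit one rule after signing: its hash no longer matches the manifest.
	tampered := pack
	tampered.Rules = append([]Rule(nil), rules...)
	tampered.Rules[1].Body = "pattern: never-match\nseverity: info\n"
	_, err = LoadPack(pub, tampered)
	fmt.Println("tampered rule:", err)

	// Rewrite the manifest to match the edit: now the signature fails instead.
	tampered.Manifest = buildManifest(tampered.Rules)
	_, err = LoadPack(pub, tampered)
	fmt.Println("tampered manifest:", err)
}
```

The whole pack is rejected on the first mismatch rather than loading the rules that still verify: a pack that fails integrity should be treated as untrusted in its entirety, and the operator notified, not partially applied.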
What Makes It Different
Unique capabilities you won't find in any other static analysis tool.
Zero Dependencies
Self-contained binary — no installer, no runtime to set up, no prerequisites.
100% Offline
No network calls, no APIs, no telemetry. Your code never leaves your machine.
Standalone HTML Reports
Single self-contained file with CSS, JS, Chart.js inline. Open in any browser, share by email, print to PDF.
White-Label Branding
Custom tool name, logo, file prefix, and favicon. Free — no enterprise license required.
Reports in 4 Languages
Full FR/EN/ES/DE localization: rules, risks, solutions, benefits, chart labels, glossary.
Historical Comparison
Baseline over 10 audit snapshots by default (configurable). Track new, resolved, and persistent issues over time.
12+ Interactive Charts
Chart.js inline: severity, categories, timelines, trends. Tooltips and responsive.
Report Retention
Auto-cleanup by count, days, or both. Dry-run mode to preview before deleting.
1136 Unit Tests
Every rule validated by vulnerable + clean fixtures. The tool tests itself.
Fully Portable
Copy the binary, give it a path, run it. No installation, no PATH wiring, no config required.
Pre-Commit Hook
Install with --install-hook. Automatic audit before every commit.
ISO 27001 Matrix
Compliance matrix mapping 157 rules to 93 Annex A controls across 4 themes. Coverage by theme with visual indicators.
OWASP ASVS v5.0.0
Compliance matrix mapping 106 rules to 348 ASVS requirements across 17 chapters and 3 levels (L1/L2/L3).
Category Grouping
Findings grouped by severity, then by source (Business Code / Dependencies), then by category. Collapsible sections for easy navigation.
Print Mode
One-click printable version. All sections expanded, optimized layout for PDF export and paper printing.
Keyboard Navigation
Navigate findings with j/k shortcuts, jump to top with Ctrl+Home. Efficient report review without a mouse.
Custom Rules
Create your own detection rules with a simple DSL. No regex needed — use plain text with * wildcards. Interactive wizard included.
Remediation Playbook
Step-by-step fix instructions integrated in every finding. CWE, OWASP Top 10, and ISO 27001 references inline.
Built for the four people who need it
For each role, the deliverable that actually saves them time on Monday morning.
DevSecOps lead
Wire SAST into your CI without surrendering source code
Block secret leaks, SQL injection, path traversal at pull-request time — without uploading source code to a third-party scanner. SARIF feeds GitHub/GitLab dashboards directly. Your CI gets a security gate; your code stays on your runners.
CISO / Head of security
Pass your ISO 27001 audit without leaking source code
Hand your auditor a single HTML with the ISO 27001 Annex A matrix pre-filled — 93 controls, ticked or flagged with the offending file:line. Zero outbound calls, zero data-processing agreement. Your auditor stops asking where your source code is stored.
Internal audit / pentest team
Run repeatable audits across multiple internal projects
Audit a dozen internal repos with the same binary — same rule set, same report layout, same baseline comparison. Add your in-house standards as custom .sca rules. Each engagement produces a self-contained HTML you can attach to the audit binder.
Compliance officer
Automate ASVS / NIST CSF / CycloneDX in one HTML
OWASP ASVS v5.0.0 (348 verifications), NIST CSF 2.0 (108 subcategories), and a CycloneDX 1.5 SBOM, all generated from the same scan. Save roughly two days of manual mapping work per audited repo for your verifier.
How We Compare
See how StaticCodeAudit stacks up against typical static analysis tools.
| Capability | StaticCodeAudit | Typical SAST Tools |
|---|---|---|
| Multi-language SAST | 698 rules, 8 languages | Mono-language |
| 100% Offline | ✓ | Rare |
| Zero Dependencies | ✓ | pip / npm / Go |
| Standalone HTML Reports | 12+ charts, printable | Server-based |
| White-Label Branding | Free | Paid |
| Reports in 4 Languages | FR/EN/ES/DE | ✗ |
| Historical Comparison | 10 snapshots (configurable) | Cloud only |
| SARIF Export | ✓ | ✓ |
| SBOM Generation | CycloneDX 1.5 | Limited |
| ISO 27001 Compliance | 93 Annex A controls | ✗ |
| OWASP ASVS v5.0.0 | 348 requirements, 17 chapters | ✗ |
| CI/CD Workflow Audit | 8 rules GHA + GitLab | Specialized tools |
| Installation Required | None | pip / npm / Go |