100 % Compliance Coverage
Every one of the 697 builtin rules is mapped to a published standard. No rule ships without a traceability anchor.
In addition, ISO/IEC 27001:2022 (93 controls), OWASP ASVS v5.0.0 (348 requirements) and NIST CSF 2.0 (108 sub-categories) are cross-referenced as a compliance matrix in every report. Findings carry their compliance metadata in JSON, SARIF (rule.properties.tags) and HTML.
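As an added example that is not SCA's own code: reading rule.properties.tags from a SARIF log to build a per-standard coverage matrix and to list rules that lack a traceability anchor. The SARIF document and the "<standard>:<control id>" tag convention are constructed assumptions; check the tag format your scanner actually emits.

```python
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 log standing in for real scanner output. The tag
# convention "<standard>:<control id>" is an assumption made for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sql-injection", "properties": {"tags": [
                "cwe:CWE-89", "iso27001:A.8.28", "nist-csf:PR.PS"]}},
            {"id": "hardcoded-secret", "properties": {"tags": [
                "cwe:CWE-798", "iso27001:A.8.24"]}},
            {"id": "todo-comment", "properties": {}},  # no traceability anchor
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error"},
            {"ruleId": "sql-injection", "level": "error"},
            {"ruleId": "hardcoded-secret", "level": "warning"},
            {"ruleId": "todo-comment", "level": "note"},
        ],
    }],
})

def rule_tags(sarif):
    """Map rule id -> list of compliance tags, across all runs in the log."""
    tags = {}
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            tags[rule["id"]] = rule.get("properties", {}).get("tags", [])
    return tags

def coverage_matrix(sarif_text):
    """Count findings per (standard, control id) using rule.properties.tags."""
    sarif = json.loads(sarif_text)
    tags = rule_tags(sarif)
    matrix = defaultdict(lambda: defaultdict(int))
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for tag in tags.get(result.get("ruleId"), []):
                standard, _, control = tag.partition(":")
                if control:  # skip tags that are not "<standard>:<control id>"
                    matrix[standard][control] += 1
    return {s: dict(c) for s, c in matrix.items()}

def untagged_rules(sarif_text):
    """Rules with no compliance tag, i.e. rules without a traceability anchor."""
    return sorted(r for r, t in rule_tags(json.loads(sarif_text)).items() if not t)
```

Running untagged_rules over a real report is a quick check of the "no rule ships without a traceability anchor" claim for the rule set you actually enabled.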
Supported Standards
Every finding is mapped to one or more international standards.
OWASP Foundation · USA
OWASP Top 10
The 10 most critical web app security risks. SCA tags each finding with its Top 10 category so security teams instantly see the risk class.
MITRE · USA
CWE
MITRE's catalog of 1 000+ software weaknesses. Standardized IDs (e.g., CWE-89 for SQL injection) for unambiguous comparison across tools.
W3C · International
WCAG 2.1
W3C accessibility standard. Required by EU/US public sectors and enforced for the private sector by the European Accessibility Act 2025.
European Union · 2018
GDPR / RGPD
EU personal-data protection regulation. SCA flags hardcoded personal data and missing encryption on sensitive fields. Fines reach 4% of global revenue.
OWASP Foundation · USA
OWASP CI/CD
Top 10 risks specific to CI/CD pipelines. SCA scans GitHub Actions and GitLab CI for unsafe patterns — pipelines have direct access to secrets and production.
OASIS / OWASP · International
SARIF & SBOM
Industry-standard exports. SARIF feeds GitHub Code Scanning and GitLab SAST; SBOM CycloneDX is required by US Executive Order 14028 for federal contractors.
ISO + IEC · International
ISO 27001
ISMS control catalog (93 Annex A controls). Certification is often required by enterprise contracts.
OWASP Foundation · USA
OWASP ASVS
Application security verification checklist (348 requirements). The checklist auditors run against applications to verify their security.
NIST · USA
NIST CSF 2.0
Cybersecurity outcomes across 6 functions. Required for US federal contractors and used in finance/healthcare.
ISO/IEC 27001:2022 — Annex A
ISO + IEC · International
Compliance matrix mapping 157 detection rules to 93 Annex A controls.
ISO/IEC 27001 certification is a contractual requirement for many enterprise clients and the de-facto international ISMS standard. The Annex A control catalog gives auditors a checklist of safeguards. SCA pre-fills the technological controls (A.8) visible in source code — your auditor focuses on processes, not code review.
SAST tools primarily cover technological controls (A.8). The compliance matrix indicates which controls are testable by static analysis, not full compliance certification.
Coverage by SAST is intrinsically partial: physical security (A.7) and HR (A.6) controls require organizational measures outside the scope of static analysis. SCA covers what code can prove.
OWASP ASVS v5.0.0
OWASP Foundation · USA
Compliance matrix mapping 106 detection rules to 348 ASVS requirements across 17 chapters.
Where the OWASP Top 10 lists the most common risks, ASVS lists the verifications an auditor performs on an application. It is structured by chapter (V1 architecture, V3 sessions, V6 cryptography…) and by level (1, 2, 3). SCA automates Level-1 input/output checks, freeing verifiers to focus on threat modelling and design review.
ASVS v5.0.0 defines 348 requirements across 17 chapters. SAST tools can verify ~24% of these — runtime, infrastructure and procedural requirements need separate assessment.
NIST CSF 2.0
NIST · USA
NIST Cybersecurity Framework 2.0 — coverage of subcategories detectable by static analysis.
NIST CSF 2.0 is the de-facto cybersecurity framework for US federal contractors and is increasingly adopted in finance and healthcare. Unlike ISO 27001 (which lists controls), CSF lists outcomes — what your security program must achieve. SCA covers the technical subcategories under Protect, Detect, and Identify; the Govern, Respond, and Recover functions are organizational and outside SAST scope.
Coverage focuses on technical subcategories detectable by SAST. Respond (RS) and Recover (RC) functions are organizational — outside the scope of static analysis.
Authoritative sources
Direct links to every standards body referenced on this page.