With regards to including security testing into continuous delivery pipeline you can consider using i.e. Apache JMeter (jmeter.apache.org/) - free and open source multiprotocol load testing tools. JMeter is mostly designed for performance testing, however it is very flexible and you can utilize it for security testing as well. See www.blazemeter.com/blog/security-testing-with-jmeter-learn-how guide for more details on several use cases
Search for a product comparison in Static Application Security Testing (SAST)
Appvance offers App-Pen as part of the CI/CD/DevOps flow of functional, performance and security tests. The App-Pen can be automatically driven by existing functional scripts, covering more of the application without writing any code. www.appvance.ai/
Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: January 2026.
Director Of Public Relations at a tech vendor with 201-500 employees
Vendor
Feb 22, 2018
[Full disclosure - I work at Parasoft]
Parasoft has static code analysis tools for C, C++, Java and .NET. There are lightweight engines for them that will easily fit into your continuous integration setup like Jenkins, etc. There is also reporting and analytics component called DTP that will accept data from the engines mentioned above as well as 3rd party tools and really anything in your CI toolchain. DTP has special reports for CWE compliance that show you findings based on the "technical impact" that is part of CWSS and CWRAF. This makes it really easy to focus on what matters most for you.
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
Real User
Top 20
Feb 21, 2018
You can also add a vulnerability scan to your CI/CD pipeline with Qualys, either on-site or in the cloud. It's a non-trivial task to filter out the false-positives, but once you're able to account for all the output in your baseline, you can quickly focus in on deltas from build to build. A new Qualys profile (I think they're called) with new vulnerabilities will generate a barrage of new complaints to assess, but that's A Good Thing(tm). Pre-testing every push to Prod will make your auditors happy, too.
Senior Solution Architect at a computer software company with 10,001+ employees
Vendor
Feb 21, 2018
[Full disclosure - I work for Fortify Software]
Fortify SCA (Static Code Analyzer) can support your DevOps system in a variety of ways, so the choices are all yours, which can make this tough. I just wanted to share some of our On-premise and On-line options below to get you started. Bear in mind that the normal process is to test code with SCA, then upload and review the results in Fortify SSC Server, then publish the annotated/prioritized results to your connected defect system (ALM, Octane, Jira, Bugzilla, TFS, et al). We have sped up the manual process of issue review with our included Audit Assistant feature.
* Fortify On Demand (FOD:) SaaS offering where our staff run your scans, similar to Veracode's off-premise offering. Lots and lots of plugins included, plus a Swagger-based RESTful API.
* Various CLI tools and a Swagger-based RESTful API for SSC Server....
SAST is a method designed to detect security vulnerabilities within an application's source code. By analyzing the code structure, SAST identifies potential flaws early in the development cycle, promoting secure coding practices and reducing the risk of security issues in production.
Unlike dynamic testing that examines an application during runtime, SAST operates on static code analysis. This early detection capability is crucial as it enables developers to address vulnerabilities before...
It depends on your requirements, the list of security testing tools you can find at www.owasp.org/index.php/Appendix_A:_Testing_Tools.
With regards to including security testing into continuous delivery pipeline you can consider using i.e. Apache JMeter (jmeter.apache.org/) - free and open source multiprotocol load testing tools. JMeter is mostly designed for performance testing, however it is very flexible and you can utilize it for security testing as well. See www.blazemeter.com/blog/security-testing-with-jmeter-learn-how guide for more details on several use cases
Security starts way before testing actually. Make sure security is already part of the way you develop.
We use an external bureau that does our security tests. That guarantees us an independant view of our security.
Appvance offers App-Pen as part of the CI/CD/DevOps flow of functional, performance and security tests. The App-Pen can be automatically driven by existing functional scripts, covering more of the application without writing any code. www.appvance.ai/
I recommend the MicroFocus Fortify SCA tool.
checkout this DevOps friendly , SaaS security offering: software.microfocus.com/en-us/products/application-security-testing/overview --> you will like what you see..
Synopsys, not an open source but high quality
Fortify
fortify-maven.blogspot.ie/2016/07/how-to-configure-fortify-sca-with.html
[Full disclosure - I work at Parasoft]
Parasoft has static code analysis tools for C, C++, Java and .NET. There are lightweight engines for them that will easily fit into your continuous integration setup like Jenkins, etc. There is also reporting and analytics component called DTP that will accept data from the engines mentioned above as well as 3rd party tools and really anything in your CI toolchain. DTP has special reports for CWE compliance that show you findings based on the "technical impact" that is part of CWSS and CWRAF. This makes it really easy to focus on what matters most for you.
You can also add a vulnerability scan to your CI/CD pipeline with Qualys, either on-site or in the cloud. It's a non-trivial task to filter out the false-positives, but once you're able to account for all the output in your baseline, you can quickly focus in on deltas from build to build. A new Qualys profile (I think they're called) with new vulnerabilities will generate a barrage of new complaints to assess, but that's A Good Thing(tm). Pre-testing every push to Prod will make your auditors happy, too.
[Full disclosure - I work for Fortify Software]
Fortify SCA (Static Code Analyzer) can support your DevOps system in a variety of ways, so the choices are all yours, which can make this tough. I just wanted to share some of our On-premise and On-line options below to get you started. Bear in mind that the normal process is to test code with SCA, then upload and review the results in Fortify SSC Server, then publish the annotated/prioritized results to your connected defect system (ALM, Octane, Jira, Bugzilla, TFS, et al). We have sped up the manual process of issue review with our included Audit Assistant feature.
* Maven, ANT, Jenkins, TFS, fortify CloudScan, build-time scanning = YES
* VSTS (BYOLicense): marketplace.visualstudio.com/items (For SCA SAST and also WebIsnpect DAST)
* Bamboo: marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview
* Fortify Marketplace lists numerous add-ons: marketplace.microfocus.com/fortify
Example: FortifyBugTrackerUtility: marketplace.microfocus.com/fortify/content/fortify-bugtracker-utility
* Fortify On Demand (FOD:) SaaS offering where our staff run your scans, similar to Veracode's off-premise offering. Lots and lots of plugins included, plus a Swagger-based RESTful API.
* Various CLI tools and a Swagger-based RESTful API for SSC Server....
* Documentation: community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation
[Full disclosure - I work for Fortify Software]
Using "Microfocus (HPE) Fortify SCA" with integrated "VSTS/TFS".
But you need take some effort to implement your CI/CD pipeline with custom scripts (autogenerated bat files e.t.c).
The only DevOps friendly WAF in the market is from Wallarm (wallarm.com ), it meets the requirement from DevOps best practices
It has a real hybrid architecture and has integrated DAST scanner and active treath verification.
Consider using either
1) veracode application security
2) HPE Security Fortify Application Defender