

Best End-to-End

  • Imperva


    RASP Attack Detection is designed for the application runtime environment, with the goal of identifying and preventing attacks as they occur. Vulnerability detection is focused on Clickjacking, HTTP Method Tampering, Software Supply Chain attacks, and more. Injections include Command injection, Database Access Violations, and others.  Other security risk checks include Logging Sensitive Information and Unauthorized Network Activity.

  • Contrast Security


    Contrast Security offers a platform that covers the SDLC from development to production. Security checks begin with analysis of developer code (Contrast Scan) and open source scanning (Contrast SCA), followed by an assessment phase (Contrast Assess) during functional testing. Cloud native apps are then scanned (Contrast Serverless), and scanning continues into the production phase (Contrast Protect).

  • Synopsys


    Synopsys (SAST, DAST, IAST, SCA) is designed to build security into all phases of the SDLC. Features include architecture risk analysis, which helps developers identify and fix defects and vulnerabilities while they code. Synopsys Intelligent Orchestration moves security checks into CI pipelines: organizations define risk policies, run the relevant analyses, and get prioritized results. The Coverity SAST solution delivers scalable static analysis that detects security weaknesses in code and checks that code meets security standards. Black Duck, which offers a comprehensive database of open source components, vulnerabilities, and license information, was acquired by Synopsys in 2017. With it, users reduce security and license compliance risks while automatically enforcing existing open source policies and processes.

  • Threat Modeler


    ThreatModeler helps organizations reduce threat drift from code to cloud by delivering continuous visibility into app vulnerabilities from development to deployment. It provides visualizations of the attack surfaces and recommendations for fixes, and offers automated threat modeling for mobile and IoT application design. CloudModeler™ helps scale modeling for AWS while measuring drift.

  • Veracode


    Veracode provides a fully integrated solution covering SAST, DAST, IAST, and SCA. In addition to continuous security scanning, Veracode provides AppSec learning tools for developers. Veracode governance tools also help organizations manage risk-related reporting and compliance.

  • Data Theorem


    Named a Visionary in the Gartner Magic Quadrant for Application Security Testing, Data Theorem provides both SAST and DAST solutions. The tool maintains a continuous inventory of apps, APIs and shadow assets, and allows the creation of custom policies for different asset groups. Application and cloud data are checked for compliance before moving into production. Auto-remediation is offered, with the option to roll back.

  • HCL AppScan

    HCL AppScan Standard is a DAST tool with an automated vulnerability scanning engine. Once a security risk is identified, it is accompanied by fix recommendations. Continuous testing and risk assessment apply to both web services and apps.



    This tool checks open source code against a vulnerability database. Offerings also include IDE integration and license and vulnerability identification for Docker and OCI images. New vulnerabilities trigger alerts in Slack, Jira or email, and the API provides real-time security status.

  • SonarQube


    SonarQube improves code quality and security by checking code against automated SCA rules. Benefits include catching bugs that stem from undefined behavior and providing fixes for application security issues, so that such bugs are caught before they reach end users. SonarQube covers a wide range of programming languages.

  • OWASP Threat Dragon


    Using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege), this tool provides free, open-source threat modeling. Benefits include building security checks early in the application design process, identifying requirements and user stories, and creating consistent security design patterns. The UX is easy to use.

  • IriusRisk


    A threat modeling provider, IriusRisk offers a diagramming tool and embedded questionnaires that allow users to define their architecture. Based on that architecture, a list of threats and fixes is generated. Selected countermeasures sync with issue trackers such as Jira Cloud, and threat modeling continues in real time thereafter, with fixes inserted into workflows. Key benefits include an automation engine, countermeasure recommendations, integration with issue trackers, and a security-driven approach to governance and compliance.
