Abstract
Context: Static Application Security Testing (SAST) tools play an important role in finding software vulnerabilities in the earliest phase of the software security testing pipeline, while code is still being developed. Yet how well these tools find vulnerabilities, and how they are incorporated into Continuous Integration/Continuous Deployment (CI/CD) pipelines, remain open research questions.

Objective: This research provides a systematic analysis and comparison of popular SAST tools (SonarQube, Checkmarx, and Bandit) based on their vulnerability detection capability within CI/CD pipelines.

Methodology: A systematic literature review (SLR) was performed following the methodology of Kitchenham and Charters [12]. The review consisted of six stages: 1) defining research questions, 2) developing a search strategy, 3) selecting relevant studies, 4) assessing study quality, 5) extracting data, and 6) synthesizing the findings. Performance metrics including recall, precision, false positive rate, and detection accuracy were used to evaluate the tools' performance.

Results: SonarQube was the most popular tool and performed well on Java applications; Checkmarx showed higher precision but also generated more false positives; and Bandit was highly effective for Python security flaws. The OWASP Benchmark was the most commonly used benchmark but lacked diversity because of its real-world, imbalanced nature, whereas the Juliet Test Suite offered broader and more exhaustive coverage. Among reported evaluation metrics, the True Positive Rate (TPR) and False Positive Rate (FPR) were the most common, whereas the Youden Index (YI), though less commonly used, provided a more balanced measure of performance.

Conclusion: The review highlights the need for a holistic approach to vulnerability detection, showing that no single SAST solution is best at everything. Future work should improve the precision and recall of these tools to reduce false positives, and develop ways to combine them within current DevSecOps workflows to enhance software security.
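The abstract contrasts the metrics studies report (TPR/recall, FPR, precision, detection accuracy) with the Youden Index, and notes that benchmarks are imbalanced. The script below, an added example and not code from the paper or from any of the tools it reviews, scores two SAST tool outputs against a labelled benchmark and shows why accuracy can rank a tool that reports nothing above one that actually finds flaws, while the Youden Index does not. The benchmark (100 test cases, 10 truly vulnerable) and both tool outputs are constructed for illustration; case ids and tool names are assumptions.

```python
"""Score SAST tool output against a labelled benchmark and compare the
metrics the review discusses (TPR/recall, FPR, precision, accuracy,
Youden Index). Added example; the benchmark and tool results below are
constructed, not taken from the paper or from any real tool run."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int  # vulnerable case, flagged by the tool
    fp: int  # benign case, flagged by the tool
    tn: int  # benign case, not flagged
    fn: int  # vulnerable case, not flagged


def confusion(truth: dict, flagged: set) -> Confusion:
    """truth maps test-case id -> True if the case contains a real flaw;
    flagged is the set of case ids the tool reported."""
    tp = sum(1 for cid, vuln in truth.items() if vuln and cid in flagged)
    fp = sum(1 for cid, vuln in truth.items() if not vuln and cid in flagged)
    tn = sum(1 for cid, vuln in truth.items() if not vuln and cid not in flagged)
    fn = sum(1 for cid, vuln in truth.items() if vuln and cid not in flagged)
    return Confusion(tp, fp, tn, fn)


def _ratio(num: int, den: int) -> float:
    # A tool that flags nothing has no positives; define precision as 0 then.
    return num / den if den else 0.0


def metrics(c: Confusion) -> dict:
    tpr = _ratio(c.tp, c.tp + c.fn)  # recall / True Positive Rate
    fpr = _ratio(c.fp, c.fp + c.tn)  # False Positive Rate
    return {
        "tpr": tpr,
        "fpr": fpr,
        "precision": _ratio(c.tp, c.tp + c.fp),
        "accuracy": _ratio(c.tp + c.tn, c.tp + c.fp + c.tn + c.fn),
        "youden": tpr - fpr,  # Youden Index = TPR - FPR
    }


# Constructed benchmark (assumption): 100 test cases, only 10 contain a
# real flaw, mimicking an imbalanced benchmark with many benign cases.
TRUTH = {f"case-{i:03d}": i < 10 for i in range(100)}

# Constructed tool outputs (assumption):
#   "silent" reports nothing at all;
#   "noisy"  finds 8 of the 10 flaws and also flags 15 benign cases.
FINDINGS = {
    "silent": set(),
    "noisy": {f"case-{i:03d}" for i in range(8)}
    | {f"case-{i:03d}" for i in range(10, 25)},
}


def rank_tools(truth: dict, findings: dict, metric: str) -> list:
    """Tool names ordered best-first by a single metric."""
    scored = {name: metrics(confusion(truth, fl))[metric]
              for name, fl in findings.items()}
    return sorted(scored, key=scored.get, reverse=True)


if __name__ == "__main__":
    for name, fl in FINDINGS.items():
        m = metrics(confusion(TRUTH, fl))
        print(name, {k: round(v, 3) for k, v in m.items()})
    # Accuracy rewards the silent tool (90 of 100 cases "correct");
    # the Youden Index ranks the tool that actually finds flaws first.
    print("by accuracy:", rank_tools(TRUTH, FINDINGS, "accuracy"))
    print("by youden:  ", rank_tools(TRUTH, FINDINGS, "youden"))
```

On this constructed benchmark the silent tool scores 0.90 accuracy with a Youden Index of 0, while the noisy tool scores 0.83 accuracy but a Youden Index of about 0.63; reporting TPR and FPR together (or YI) rather than accuracy alone is what keeps an imbalanced benchmark from flattering a tool that simply stays quiet.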
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025 |
| Editors | Muhammad Ali Babar, Ayse Tosun, Stefan Wagner, Viktoria Stray |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 162-168 |
| Number of pages | 7 |
| ISBN (Electronic) | 9798400718328 |
| DOIs | |
| State | Published - 23 Dec 2025 |
| Event | 29th International Conference on Evaluation and Assessment in Software Engineering, EASE 2025 - Istanbul, Turkey. Duration: 17 Jun 2025 → 20 Jun 2025 |
Publication series
| Name | Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025 |
|---|
Conference
| Conference | 29th International Conference on Evaluation and Assessment in Software Engineering, EASE 2025 |
|---|---|
| Country/Territory | Turkey |
| City | Istanbul |
| Period | 17/06/25 → 20/06/25 |
Bibliographical note
Publisher Copyright:© 2025 Copyright held by the owner/author(s).
Keywords
- CI/CD
- Security Code Review
- Security Testing Tools
- Software Vulnerability Detection
- Static Application Security Testing (SAST)
ASJC Scopus subject areas
- Software