SAST (Static Application Security Testing)
Semgrep (Python, JavaScript, Java, Go & more) + rules: XSS / DOM-based XSS
**Horusec (for C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and Nginx)**
Bandit (for Python)
**Kubesec (for Kubernetes)**
**Bearer (for JavaScript, TypeScript, Ruby, and Java stacks)**
Mate (for C/C++)
DAST (Dynamic Application Security Testing)
Untrusted Types / PostMessage tracker
Info
https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools