OpenText Static Application Security Testing (Fortify)
Find and fix security issues early with industry-leading accuracy
OpenText recognized as a Customers' Choice by Gartner®Get the report
Automate security in the CI/CD pipeline
Why OpenText Static Application Security Testing?
Find critical vulnerabilities others miss. OpenText SAST integrates with GitHub, GitLab, Jenkins, Azure DevOps, VS Code, Eclipse, and more to secure code early while keeping developers moving fast.
- 1,495+
vulnerability categories assessed
Across 33+ languages and more than one million individual APIs. - 350+
frameworks supported
Providing unparalleled breadth and flexibility, ensuring comprehensive security coverage across diverse development environments. - 94%
of OpenText users agree
OpenText Static Application Security Testing helps them improve their application security program.
See what customers are saying
Integrating [OpenText SAST] has reduced the efforts required for code review, and the quality it provides is better than other market tools.
Automating our security testing with [OpenText], we've covered almost 100 percent of our CI/CD pipelines, which amount to several tens of thousands, with SAST scans.
By integrating [OpenText SAST] into our CI/CD pipelines, we automate security testing and identify vulnerabilities early, reducing remediation costs and accelerating secure software delivery.
…our testing efforts have been easier to quantify and manage both for first-time scans and periodic scans of software modules (at the review level when after developer teams turn the FPRs in).
[OpenText] helped us in finding vulnerabilities in our developer's code. The recommendation for each finding helped our developer to fix their code quickly. This will help secure the products we publish.
Use cases
OpenText SAST delivers comprehensive security across many development languages while integrating with your dev tool of choice. Balance speed and accuracy with custom scan depth, reduce false positives with AI assistance, and scale dynamically.
-
Scan source code as it’s written to catch vulnerabilities before code is merged or released. Find issues in the developer IDE or pull requests before merge. Fixing issues early drastically reduces remediation cost and prevents security debt from accumulating.
-
Embed SAST into DevOps pipelines to automatically block or flag insecure code at each build or deploy stage. This ensures security keeps pace with agile development and doesn’t slow down release velocity.
-
Enforce secure coding practices and detect violations of compliance frameworks like OWASP Top 10, NIST, PCI-DSS, ISO 27001, and more with policy-based scan enforcement and reporting that reduces the risk of audits, fines, or reputational damage from non-compliance.
-
Apply consistent security scanning across both legacy stacks and modern architectures (e.g., microservices, APIs, containers). Static analysis extends to mobile platforms, REST APIs, and modern interfaces. This serves enterprises running hybrid environments that need full-stack security coverage.
-
Use centralized dashboards and customizable reporting to track findings, remediation progress, and team performance to give security leaders the visibility they need to manage risk and communicate status to management and dev teams.
-
Offer actionable guidance, IDE integrations, and in-context remediation advice to help developers fix vulnerabilities faster. Reduce friction between security and dev teams, improve fix rates, and encourage secure coding habits.
Key features
OpenText SAST delivers enterprise-grade code security with AI-powered analysis, cloud-native support, and flexible deployment to help organizations reduce risk, streamline compliance, and build secure software at scale.
Comprehensive language and framework coverage
Supports 33+ languages, 350+ frameworks, and detection of over 200+ types of secrets in source code. Enables consistent, comprehensive security testing across your entire codebase.
Flexible deployment options
Includes options such as the SaaS-based OpenText™ Core Application Security Testing platform, private hosted, which combines SaaS and on-premises features, and off-cloud, which offers full control over the application security testing solution.
Integrated infrastructure-as-code (IaC) scanning
Provides best-in-class IaC and app security scanning in one platform, supporting Docker®, Kubernetes®, and serverless, all powered by a single core engine.
AI-powered auditing and remediation
Accelerates auditing and vulnerability detection, paired with automated code fixes suggestions for SAST vulnerabilities, using OpenText™ Application Security Aviator™, accessible via SaaS and off-cloud.
Next-gen SAST engine
Offers coverage across 33+ languages, 1,495+ vulnerability categories, 350+ frameworks, and over 1 million APIs.
Comprehensive language and framework coverage
OpenText SAST provides accurate support for 33+ major languages and their frameworks, with agile updates backed by the industry-leading Software Security Research (SSR) team
SAP ABAP
Action Script
Angular
Apex
Microsoft ASP
Bicep
CSharp
C++
COBOL
Cold Fusion
Docker
Go Lang
HTML5
Java
Java Script
JSON
JSP
Kotlin
MXML
.Net
.NETCore
PL/SQL
Python
Ruby
Scala
Swift Trans
T-SQL
Terraform
Type Script
Microsoft Visual Basics
Visual Basic
Windows Mobile
XML
YAMLAccelerate the value of OpenText Static Application Security Testing
Deployment
OpenText offers deployment choice and flexibility for OpenText Static Application Security Testing.
-
Run anywhere and scale globally in the public cloud of your choice
OpenText Public Cloud (Multi-Tenant SaaS)
-
Extend your team
Off Cloud, on-premises software, managed by your organization or OpenText
-
Accelerate cloud strategies with OpenText cloud experts
OpenText Private Cloud (Single Tenant) on OpenText Cloud, AWS, GCP, or Azure
-
Develop, connect and extend your Information Management capabilities
API from OpenText Developer Cloud
Professional Services
OpenText Professional Services combines end-to-end solution implementation with comprehensive technology services to help improve systems.
-
Get a trusted partner to guide your information management path
Your journey to success
-
Accelerate your information management journey
Consulting Services
-
Propel your business into the future with modern solutions
NextGen Services
-
Unlock the full potential of your information management solution
Customer Success Services
Partners
OpenText helps customers find the right solution, the right support, and the right outcome.
-
Search OpenText's Partner directory
Find a Partner
-
Explore OpenText's Partner solutions catalog
Application Marketplace
-
Industry-leading organizations that enhance OpenText products and solutions
Strategic Partners
Communities
Explore our OpenText communities. Connect with individuals and companies to get insight and support. Get involved in the discussion.
-
Explore ideas, join discussions, and network
OpenText community
OpenText Static Application Security Testing resources
OpenText Static Application Security Testing (SAST)
Read the data sheetSupport and documentation
View the documentationKnowledge base
View the knowledge base portalOpenText Static Application Security Testing (SAST)
Read the data sheetSupport and documentation
View the documentationKnowledge base
View the knowledge base portal-
Static application security testing (SAST) analyzes application source code, bytecode, or binaries to detect security vulnerabilities during development. Identifying risks like early in the software development lifecycle (SDLC), makes remediation faster and less expensive.
-
OpenText SAST is a static analysis solution supporting 33+ programming languages and integrating with developer tools, CI/CD pipelines, and ticketing systems. It combines deep static analysis with vulnerability coverage mapped to standards such as OWASP Top 10, CWE, and NIST.
-
SAST helps developers embed security into early software development. OpenText SAST integrates with IDEs (e.g., Visual Studio®, IntelliJ®), build tools (e.g., Maven, Gradle), and CI/CD platforms (e.g., Jenkins™, Azure DevOps®), allowing security scans to run automatically during coding and builds.
-
While SAST primarily analyzes proprietary code, OpenText complements it with Software Composition Analysis (SCA) tools that identify risks in open-source libraries, such as known vulnerabilities, outdated components, and licensing issues.
-
OpenText SAST supports web, mobile, desktop, and cloud-native applications across a wide range of languages including Java, .NET, JavaScript, Python, C/C++, Swift, Kotlin, Go, and more. It also handles infrastructure-as-code (IaC), containers, and APIs.
-
OpenText SAST provides out-of-the-box support for security and compliance frameworks such as OWASP Top 10, PCI DSS, NIST 800-53, and ISO 27001. The platform delivers policy-based scan management, audit-ready reporting, and dashboards that demonstrate risk posture and remediation progress.
-
OpenText Static Application Security Testing offers flexible deployment on-premises for full control and customization, as hosted and managed scanning infrastructure where your team submits code remotely, and as a fully managed experience (OpenText™ Core Application Security).
-
OpenText SAST includes support for popular IDEs like Visual Studio, IntelliJ, and Eclipse®, as well as CI/CD tools such as Jenkins, GitHub Actions®, GitLab CI®, Azure DevOps, and Bamboo™. The platform also integrates with issue tracking systems like Jira®, enabling automatic ticket creation.
Smarter, faster AppSec
Turn SAST findings into learning, helping developers quickly remediate vulnerabilities.
Read the blog
Why SAST false positives are inevitable
Explore why false positives in SAST tools occur, the trade-offs involved, and how to manage them.
Read the blog
Why SAST + SCA is the key to protecting your organization in 2025
Software supply chain risk continues to rise—156% year-over-year increase in malicious attacks.
Read the blog
Customers’ Choice
OpenText recognized for Application Security Testing on Gartner® Peer Insights™︎.
Read the blog
Generative AI: A double-edged sword for application security
IDC predicts that by 2026, 40% of net-new applications will incorporate AI.
Read the blog
OpenText named a Leader in Critical Capabilities by Gartner
OpenText is a Leader in SAST and DAST, and one of the only vendors that moved up in the quadrant.
Read the blogWhat is static application security testing (SAST)
Learn moreCybersecurity in a Web 3.0 world
Learn more5 reasons why SAST + DAST with OpenText makes sense
Learn moreOpenText SAST tools
View the community pageWhat is static application security testing (SAST)
Learn moreCybersecurity in a Web 3.0 world
Learn more5 reasons why SAST + DAST with OpenText makes sense
Learn moreOpenText SAST tools
View the community page-
OpenText™ Core Application Security
Unlock security testing, vulnerability management, and tailored expertise and support
-
OpenText™ Dynamic Application Security Testing
Scan, test, and identify security vulnerabilities in apps and services
-
OpenText™ Application Security Aviator
Secure smarter, not harder with AI code analysis and code fix suggestions
-
OpenText™ Core Software Composition Analysis
Take full control of open source security, compliance, and health
