ThunderScan® Application Security


Source Code Security Analysis (SAST)

DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use, requires almost no user input and can be deployed during or after development with easy integration into your DevOps environment and CI/CD pipeline. Our SAST solution provides an excellent way to automate code inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.

Find out why large enterprises are replacing their current SAST solutions with DefenseCode ThunderScan® SAST.

With DefenseCode ThunderScan® SAST it is possible to scan millions of source code lines across 29 different programming languages and various programming frameworks within hours or even minutes. Scalability combined with the repeatability of automation gives organizations, from small development teams up to the largest enterprises, an easy and painless way to introduce security into their DevOps.

ThunderScan® includes a Dependency Check component (Software Composition Analysis – SCA) that will detect publicly disclosed vulnerabilities contained within a project’s dependencies with associated CVE entries.

Application source code security analysis has consistently proven to be the most comprehensive way to ensure that your application is free of security vulnerabilities (SQL Injection, Cross-Site Scripting, Path/Directory Traversal, Code Injection, and many more).

With ThunderScan® SAST it is very easy to meet the requirements of compliance standards such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10, HIPAA, HITRUST or NIST.

The easy-to-use and very powerful ThunderScan® SAST REST API allows you to customize source code scanning and scale across a large number of scanning agents.

DefenseCode ThunderScan® has repeatedly demonstrated its effectiveness by discovering critical vulnerabilities in well-known open source applications.

ThunderScan® performs fast and accurate analysis of large and complex source code projects, delivering precise results and a low false positive rate.


ThunderScan® scans for more than 70 different vulnerability types (including OWASP Top 10, SANS 25 and CWE) in desktop, web and mobile applications developed on various platforms using different development environments and frameworks.


  • SQL Injection
  • Command Injection
  • Code Injection
  • XPath Injection
  • LDAP Injection
  • XML External Entity (XXE) Injection
  • Path/Directory Traversal
  • Deserialization of Untrusted Data
  • Server Pages Execution
  • Server Side Request Forgery
  • PHP File Inclusion
  • Buffer Overflow
  • Integer Overflow
  • Arbitrary Library Injection
  • Use After Free
  • Double Free
  • Time of Check Time of Use
  • Uncontrolled Format String
  • Out of Buffer Bounds Read
  • Out of Buffer Bounds Write
  • Insecure Data Storage
  • Insufficient Transport Layer Protection
  • Shared Preferences Usage
  • Man-in-the-Middle Attack


  • File Manipulation
  • Cross-Site Scripting
  • DOM Based Cross-Site Scripting
  • HTTP Header Injection
  • HTTP Response Splitting
  • Unvalidated/Open Redirect
  • Regex Denial of Service (ReDoS)
  • Sleep Denial Of Service
  • System Properties Change
  • Session Fixation
  • Session Poisoning
  • Integer Underflow
  • Uncontrolled Memory Allocation
  • Intents Usage
  • Arbitrary Code Injection
  • Application Configuration
  • Trust Boundary Violation
  • Location Information


  • Hardcoded Password/Credentials
  • Secret Key In Source
  • Heap Inspection
  • Error Messages Information Exposure
  • Log Forging
  • Log Messages Information Leak
  • Console Output
  • Weak Encryption Strength
  • Weak Hash Strength
  • Weak Pseudo-Random
  • Arbitrary Server Connection
  • Mail Relay
  • File Upload
  • Cookie Injection
  • Cookie Without 'HttpOnly' Flag
  • Dangerous File Extensions
  • Dangerous HTML Embedded
  • Hidden HTML Input
  • FTP Command Injection
  • Mass Assignment
  • Memcache Injection Vulnerability
  • Sensitive Database Data Modification
  • Symlink Vulnerability
  • System Properties Disclosure
  • Trust Boundary Violation
  • Divide By Zero
  • Use of Inherently Dangerous Function
  • Use of Insecure Functions
  • Miscellaneous Dangerous Functions
  • WebView Implementation
  • External URL Access
  • External Data In SQL Queries

Integrates with your development environment



Supported Languages:



  • C#
  • Java
  • Kotlin
  • PHP
  • Python
  • Ruby
  • Go
  • JavaScript / Node.js
  • TypeScript
  • Groovy
  • C/C++
  • VB.Net
  • Visual Basic
  • VBScript
  • ASP Classic
  • iOS Objective C
  • Swift
  • Android Java
  • ColdFusion
  • ABAP
  • Salesforce Apex
  • ASP.Net
  • JSP
  • SQL
  • XML
  • Xamarin


  • Telerik
  • Hibernate.Net
  • Entity Framework
  • JSP
  • J2EE
  • Spring
  • Spring Boot
  • Struts
  • JAX-RS
  • JAX-WS
  • Java Faces
  • Java Beans
  • EJB
  • Hibernate
  • WebSockets
  • Zend
  • Kohana
  • Cake PHP
  • Symfony
  • Laravel
  • Yii
  • Codeigniter
  • Phalcon
  • Flask
  • Django
  • Ruby on Rails
  • React
  • Angular
  • Node.js
  • JQuery
  • ExpressJS
  • Knockout
  • Koa.js
  • Grails
  • Gorilla
  • Revel
  • Gin
  • Echo
  • Beego
  • IBM DB2
  • BSP
  • Bottle
  • Xamarin

Key Benefits

  • Automate security vulnerability testing
  • Fast, accurate and actionable results
  • Seamless DevOps and CI/CD integration
  • Powerful REST API interface
  • Scalability and cross-platform support
  • Low false positive rate
  • Supports a wide range of programming languages
  • On-premise solution
  • Standard Compliance reports