💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

원문 렌더가 준비되기 전까지 텍스트 가이드로 표시합니다.

Prologue — "The era of one security tool covering everything is over"

If you asked "which static analysis tool should we use?" around 2018, the answer was usually one of two: SonarQube if you wanted open source, Checkmarx or Veracode if you had an enterprise budget. That was basically it. You bolted one SAST onto CI, a human triaged false positives every quarter, the operator received a PDF report, and developers almost never saw it.

By May 2026, that picture has shattered. A typical company's security pipeline now looks something like this:

- **SAST in PRs** — Semgrep or CodeQL.

- **Dependency scan (SCA)** — Snyk Open Source, Endor Labs, Socket.dev, or Dependabot.

- **Secret scan** — GitGuardian or Cycode in a git push pre-receive hook.

- **Container image scan** — Trivy or Snyk Container, right after build.

- **SBOM generation** — SPDX or CycloneDX, attached to build artifacts.

- **Runtime DAST** — OWASP ZAP or Burp Suite, run nightly against staging.

- **Privacy scan** — Bearer tracking PII flows.

- **An ASPM tying it all together** — Apiiro, Cycode, or Aikido prioritizing across a single screen.

This post inventories where each of those tools stands in 2026, what they do well, what they fail at, and how to pick. Not just a list — we follow the four currents that have shaken the market between 2024 and 2026: Pro engines, reachability, AI autofix, and EU CRA.

1. The 2026 code security map — SAST / DAST / SCA / Secrets / Container

Big picture first. Code security tools sort into five axes.

| Category | What it looks at | Representative tools |

| --- | --- | --- |

| SAST (Static App Security Testing) | Source code vulnerable patterns, dataflow | Semgrep, CodeQL, Snyk Code, SonarQube, Checkmarx, Veracode |

| DAST (Dynamic App Security Testing) | Running app, HTTP / surface vulnerabilities | OWASP ZAP, Burp Suite, Invicti |

| SCA (Software Composition Analysis) | Known CVEs in OSS dependencies | Snyk Open Source, Endor Labs, Socket.dev, Trivy, Dependabot |

| Secrets | API keys and tokens in code or git history | GitGuardian, TruffleHog, Cycode, Gitleaks |

| Container / IaC | Container images, Terraform, K8s manifests | Trivy, Snyk Container, Aikido, Checkov |

Two new categories have wedged in between 2024 and 2026:

- **ASPM (Application Security Posture Management)** — a single screen that prioritizes findings from multiple tools. Apiiro, Cycode, Aikido are typical.

- **Privacy / PII scanning** — tracking what personal data the code touches. Bearer leads.

And the trend in 2026 is unmistakable. **"One platform wraps multiple tools."** Snyk sells Code + Open Source + Container + IaC as a bundle, Aikido was born all-in-one, and Semgrep added Supply Chain and Secrets on top of its Pro engine. You either start as a single-point tool and become an ASPM-shaped platform, or you start as a platform.

2. Semgrep — the de facto OSS SAST and Pro engine

Semgrep emerged around 2020 using a simple model: pattern matching on the AST. It looks like grep but reads the syntax tree. That simplicity became a weapon, and by 2026 it is essentially the OSS SAST standard.

Core concepts

- **Rule** — a YAML matching pattern. Not regex, but code structure.

- **Semgrep CE (Community Edition)** — free OSS, single-file analysis.

- **Semgrep Pro engine** — paid; interprocedural dataflow, cross-class tracking.

- **Semgrep Supply Chain** — SCA. Reachability-based prioritization of "CVEs actually called."

- **Semgrep Secrets** — secret detection in git history.

Strengths

- Rule writing is dramatically easy — a single YAML file can encode a team rule in under an hour.

- Over 10,000 public community-authored rules.

- Fast CI integration, usually delivering a PR comment in under 5 minutes.

- The Pro engine sharpens dataflow analysis and slashes false positives.

Weaknesses

- The CE alone cannot see across functions, so deep analysis is limited.

- The Pro engine is paid and scales per-seat quickly.

- Weaker than CodeQL for languages like C++, Swift, Rust.

When to pick it

- Small teams that are OSS-friendly and want to author their own rules.

- Python, JS/TS, Go, Java-heavy codebases.

- Cases where short PR-time feedback loops matter most.

Example Semgrep rule — SQL injection in Flask

rules:

- id: flask-sql-injection

pattern: |

$CURSOR.execute("..." + $VAR + "...")

message: SQL injection via string concatenation

severity: ERROR

languages: [python]

metadata:

cwe: CWE-89

owasp: A03:2021-Injection

Local run

semgrep --config=auto .

In CI

semgrep ci --config=p/owasp-top-ten

The Pro engine goes beyond intra-function analysis: it does interprocedural dataflow and tracks taint through class members. The big difference from CE is whether you can catch "user input that reaches a sink five function hops away."

3. CodeQL — the heart of GitHub Advanced Security

CodeQL was built by Semmle and acquired by GitHub in 2019. Its distinctive model: **convert code into a database** and write queries on top of it. You ask, SQL-style, "find me a code path satisfying these conditions."

Core concepts

- **CodeQL database** — a relational DB built by parsing source. Functions, calls, variables, flows become tables.

- **QL query** — a Datalog-family query language. SAST rules ARE queries.

- **GitHub Advanced Security (GHAS)** — the commercial product that integrates CodeQL into GitHub.

- **Default setup** — enable GHAS and a standard query set automatically attaches to PRs.

Strengths

- Industry-best dataflow precision. Tracks CWE-89, CWE-79 taint flows interprocedurally with high accuracy.

- Broad language support — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift.

- Deep GitHub integration. PR blocking, Security tab, automatic linking to GHSA advisories.

- Queries are open. The community can add queries for new CVEs.

Weaknesses

- Not fast. A full scan on a large monorepo takes 30 minutes to several hours.

- Writing queries is hard. What Semgrep YAML takes an hour, CodeQL takes days.

- GHAS is priced for the enterprise (per seat), heavy for small teams.

When to pick it

- Organizations already on GitHub Enterprise.

- Heavy C/C++ or Swift codebases.

- Cases that demand minimal false positives and deep dataflow.

// CodeQL example — Java SQL injection taint flow

module SqlInjectionConfig implements DataFlow::ConfigSig {

predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node n) {

exists(MethodCall mc | mc.getMethod().hasName("executeQuery") |

n.asExpr() = mc.getArgument(0))

}

module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink

where SqlInjectionFlow::flowPath(source, sink)

select sink, source, sink, "SQL injection from $@", source, "user input"

CodeQL's true value: "one query, applied to every GitHub repo." When Log4Shell hit, GitHub shipped a query within 24 hours and it took effect across hundreds of thousands of repos instantly. That kind of scale is hard for anyone else to match.

4. Snyk Code / Snyk Open Source — after the DeepCode integration

Snyk started in SCA (dependency scanning). It expanded into SAST in 2020 by acquiring DeepCode (an ETH Zurich spinoff doing ML-based SAST), and today is a bundled platform of Code + Open Source + Container + IaC.

Core products

- **Snyk Code** — SAST. DeepCode AI engine, ML-learned patterns.

- **Snyk Open Source** — SCA. Dependency CVEs + licenses + reachability.

- **Snyk Container** — container images + IaC.

- **Snyk Cloud** — AWS, Azure, GCP configuration scanning.

Strengths

- Excellent IDE integration. First-class for VS Code, IntelliJ, JetBrains.

- Developer-friendly UX. Clean flow from finding to fix suggestion in one PR.

- Reachability analysis — judges whether a CVE is actually called from your code path.

- DeepCode AI suggests autofixes (Snyk DeepCode AI Fix).

Weaknesses

- Expensive. Especially with Open Source on top, you're in enterprise pricing.

- Limited self-hosting options — mostly SaaS.

- Less freedom to customize rules than Semgrep.

When to pick it

- Startups to mid-sized companies that want "SAST + SCA + Container from one vendor."

- Dev teams that want real-time feedback inside the IDE.

- Organizations comfortable with external SaaS.

Snyk CLI usage

snyk auth

snyk code test # SAST

snyk test # SCA (dependencies)

snyk container test alpine:3 # container

snyk iac test terraform/ # IaC

CI integration (GitHub Actions)

- uses: snyk/actions/setup@master

- run: snyk test --severity-threshold=high

Snyk's big shift was accelerating the DeepCode AI integration in 2024. SAST moved from pattern-based to ML + LLM autofix. Field reports now cite "30 to 40 percent false positive reduction, autofix adoption above 50 percent." That said, the classic ML weakness — "weak explanation of why this is vulnerable" — is also raised as a concern.

5. SonarQube 11 — how the classic evolves

SonarQube has been around since 2008, the static analysis classic. Originally focused on code quality (duplication, complexity, test coverage), it strengthened security rules (SonarSource Security) in the late 2010s and entered the SAST market.

Core concepts

- **SonarQube Server** — self-hosted server. Community / Developer / Enterprise / Data Center editions.

- **SonarLint** — the IDE plugin. Now rebranded as **SonarQube for IDE**.

- **SonarCloud** — managed SaaS.

- **Clean Code** — a new model introduced in 2023. Classifies issues across five attributes.

Strengths

- Self-hosting is standard. Strong in finance and government, where on-prem is required.

- 25+ language support. Wide coverage.

- Quality Gate — a mature workflow that blocks PRs below a threshold.

- Community Edition is free and the features are sufficient.

Weaknesses

- SAST precision is widely considered a notch below Semgrep Pro and CodeQL.

- The UI is classic and heavier compared to modern tools.

- Self-hosting brings operational cost — server, DB, upgrades.

When to pick it

- When you want code quality and security in one tool.

- Regulated industries where self-hosting is mandatory (finance, public sector, healthcare).

- Java- and C#-heavy enterprise codebases.

SonarQube + Maven build

sonar:

image: sonarsource/sonar-scanner-cli

command: >

sonar-scanner

-Dsonar.projectKey=my-app

-Dsonar.host.url=$SONAR_HOST

-Dsonar.login=$SONAR_TOKEN

-Dsonar.qualitygate.wait=true

The core changes in SonarQube 11 (released 2024) are twofold. One is the strengthened Clean Code model — issues are now classified not by simple severity but by attributes (Consistency, Intentionality, Adaptability, Responsibility). The other is AI-assisted code rules — a ruleset that recognizes patterns generated by Copilot was added.

6. Aikido Security — the all-in-one newcomer

Aikido Security is a Belgian startup founded in 2023, raising a Series A of 17M USD in 2024 and a Series B of 50M USD in 2025. It's an all-in-one AppSec platform that grew fast.

What's different

- **All-in-one** — SAST, SCA, IaC, Secrets, Container, Cloud Posture, DAST on one dashboard.

- **Developer-first UX** — ML auto-dedupes false positives and dramatically cuts noise.

- **AI Autofix** — automatically generates fix PRs for findings.

- **Transparent pricing** — published per-seat pricing, easy for small teams.

Strengths

- Setup is genuinely fast. One click of GitHub OAuth and you have a first scan in 5 minutes.

- One screen for SAST + SCA + Container + IaC + Secrets. Zero context switches.

- Friendlier pricing than Snyk and GHAS — free tier viable for small teams.

- AI Autofix adoption is reportedly high. Auto-PRs for simple dependency upgrades.

Weaknesses

- Three years young, so some rulesets are shallower than Snyk and Semgrep Pro.

- Self-hosting is only on the enterprise tier.

- Deep dataflow in big monorepos isn't as strong as CodeQL.

When to pick it

- Startups and mid-sized companies with small or no security team.

- Teams that want to "stop juggling multiple tools and finish in one screen."

- Teams ready to lean into AI autofix.

Aikido CLI integration

aikido scan --severity high

Once the GitHub App is installed

- automatic comments per PR

- severity-based blocking

- AI Autofix PRs generated automatically

Aikido's real differentiator is noise management. A typical SAST tool throws thousands of issues at a big monorepo, and security engineers close more than half as false positives. Aikido uses ML to dedupe + context (which environment, which path) to prioritize, and surfaces "the 30 you actually need to look at this week." That UX difference creates large value for small teams.

7. Cycode / GitGuardian — secrets + supply chain

The category of catching exposed secrets (API keys, tokens, certificates) in code and git history was essentially created by GitGuardian around 2020. Cycode bundled supply chain on top and went broader as an ASPM.

GitGuardian

- Founded 2017, specialized in secret detection.

- 350+ secret patterns (AWS, GCP, Stripe, Slack, ...).

- Scans all public GitHub 24/7, alerts on leak instantly (Has My Secret Leaked).

- Can block at push time via pre-receive hooks.

- Generous free tier for up to 25 users.

Cycode

- Founded 2019, positioned as ASPM (Application Security Posture Management).

- Secrets + SCA + IaC + SAST + Source Code Leak + CI/CD posture on one screen.

- "Source Path Analysis" — traces a vulnerability back to who created which PR.

- Clearly aimed at the enterprise.

Strengths and weaknesses

| Item | GitGuardian | Cycode |

| --- | --- | --- |

| Strength | #1 secret-detection precision, generous free tier | Full-stack ASPM, large-org visibility |

| Weakness | Weaker outside secrets | Narrower than GitGuardian if only secrets matter |

| Pricing | Best value if you only need secrets | Enterprise pricing |

When to pick it

- **GitGuardian** — when secret leaks are the top concern and other SAST/SCA are separate.

- **Cycode** — when you want "one ASPM platform" at mid-size or above.

GitGuardian ggshield pre-commit hook

repos:

- repo: https://github.com/gitguardian/ggshield

rev: v1.32.0

hooks:

- id: ggshield

language_version: python3

stages: [commit, push, manual]

The hard part about secret detection is that regex alone is not enough. AWS access keys have an obvious pattern, but JWT tokens or Stripe restricted keys need context (surrounding variable names, functions) and entropy. GitGuardian and Cycode both added ML classifiers to cut false positives, and around 2025 they started adding LLM-based features that judge "is this an actual secret or a placeholder?"

8. Trivy (Aqua) — containers + dependencies + IaC

Trivy is an OSS container scanner from Aqua Security. Starting as a simple CLI, it became the de facto standard. It scans not just container images but dependencies, IaC, K8s manifests, and SBOMs — all from one binary.

Core features

- **Image scan** — OS packages + language packages (npm, pip, gem, ...) of Docker/OCI images, with CVEs.

- **Filesystem scan** — local filesystem (e.g. a dist directory).

- **Repository scan** — an entire git repo.

- **IaC scan** — Terraform, K8s, Dockerfile policy violations.

- **SBOM output** — SPDX, CycloneDX formats.

- **K8s scan** — scans an entire cluster workload at once.

Strengths

- Open source and free. Single-binary install.

- Fast. Small images in under 5 seconds.

- The DB updates regularly (CVE-aware) and results are trustworthy.

- Connects naturally with Aqua Security's commercial Aqua Platform.

Weaknesses

- No SAST. It's SCA + container + IaC, that's it.

- Rule customization requires OPA/Rego, which has a learning curve.

- Big-cluster K8s scans can be memory-heavy.

When to pick it

- When you want free OSS for containers + IaC + dependencies all in one.

- As an OSS auxiliary scanner stacked on top of another tool (Snyk, GHAS).

- For a baseline security check across a K8s environment.

Trivy usage

trivy image alpine:3.20

trivy fs ./src

trivy repo https://github.com/user/repo

trivy config terraform/

trivy k8s --report summary cluster

SBOM generation

trivy image --format cyclonedx -o sbom.json alpine:3.20

Trivy's big strength is "one tool does five things." For a small team, the combo of Trivy + Semgrep CE + GitGuardian free tier alone covers SAST + SCA + Container + IaC + Secrets. It nearly always appears as the starting point for OSS-friendly teams.

9. Checkmarx / Veracode — the enterprise camp

Checkmarx (Israel, 2006) and Veracode (US, 2006) are the two classic enterprise SAST platforms. Both target large enterprises, finance, and government.

Checkmarx

- Checkmarx One — the unified platform. SAST + SCA + Container + IaC + API Security.

- 25+ language support, deep dataflow analysis.

- Both self-hosted and SaaS.

- Strong Korean partner network with many financial deployments.

Veracode

- Classic SAST + DAST + SCA + Container.

- Binary analysis — can analyze .jar/.dll without source.

- Strong compliance reports (PCI-DSS, HIPAA).

- Mostly SaaS.

Strengths

- Standardized enterprise compliance reports.

- Deep dataflow + handling of huge codebases.

- 24/7 support, on-site consulting.

- Designed for large security organizations (typically dozens to hundreds of people).

Weaknesses

- Very expensive. Usually enterprise pricing on quote.

- Hard to call developer-friendly. Results are security-team-centric.

- Slow scans, higher false-positive rates than modern tools (a frequent criticism).

- UI/UX is heavy. Wide gap when compared to modern tools like Snyk, Semgrep, Aikido.

When to pick it

- When compliance reports are a contract requirement (government, finance, public).

- For large organizations with dedicated security teams.

- When self-hosting + 24/7 enterprise support is mandatory.

Checkmarx One CLI

cx scan create --project-name "my-app" \

--branch main \

--scan-types sast,sca,iac-security \

-s ./source

Veracode CLI

veracode static scan \

--source-file my-app.jar \

--app-name my-app

The enterprise camp is being chased by modern tools. As Snyk, Semgrep Pro, and GHAS eat into the enterprise market, Checkmarx and Veracode have accelerated UX improvements and AI autofix (Checkmarx AI Security Champion, etc.). At similar prices, modern tools have an increasingly clear edge.

10. OWASP ZAP, Bearer, Endor Labs, Socket.dev — other heavyweights

The notable tools that didn't fit into the eight chapters above but cannot be skipped in 2026.

OWASP ZAP

- Zed Attack Proxy. The OSS DAST standard.

- Crawls a running web app and tries OWASP Top 10 patterns.

- Free, big community.

- CI integration available (zap-baseline.py).

Bearer

- Privacy + security static analysis.

- Tracks "what PII (email, phone number, SSN) does this code touch."

- Strong for GDPR and CCPA compliance reports.

- Acquired by Cycode in 2023.

Endor Labs

- SCA specialist, the pioneer of "reachability analysis."

- Judges whether a CVE in a dependency is on a code path actually called.

- Outputs a prioritized vulnerability list — usually 80%+ get downgraded to unreachable.

- Series B of 70M USD in 2024.

Socket.dev

- Specialized in the npm supply chain.

- Real-time analysis of dependency changes inside PRs (postinstall scripts, telemetry, file system access, ...).

- Detects supply-chain attack signals like "this package suddenly added telemetry."

- Dominant within the npm ecosystem.

Comparison matrix

| --- | --- | --- | --- |

11. SBOM (SPDX / CycloneDX) — standards maturing

An SBOM (Software Bill of Materials) is a list of "which components this software is made of." Since US Executive Order 14028 in 2021, momentum toward de facto requirement has built up, and EU CRA in 2024 set the direction for mandatory adoption in the EU market.

Two standards

- **SPDX** — Linux Foundation. Started in 2010. Strong on license compliance.

- **CycloneDX** — OWASP. Started in 2017. Security-centric, with VEX integration.

Both survive in 2026, and tools usually support both. CycloneDX feels slightly ahead among security tools (Trivy, Snyk, Anchore, Syft).

What it contains

| Field | Meaning |

| --- | --- |

| Component | Package name, version, type (library, OS, container, ...) |

| Supplier | Who made it |

| Hash | For integrity verification |

| License | License (SPDX ID) |

| Relationship | Graph: depends-on, contains, etc. |

| Vulnerabilities | (optional) known CVEs and VEX |

Generation tools

- **Syft (Anchore)** — free OSS, generates SBOM from container and filesystem.

- **Trivy** — Syft-integrated, included in image scans.

- **Snyk, GitHub** — auto-generate and attach.

- **Dependency-Track (OWASP)** — a server that ingests SBOMs and links to CVEs.

SBOM generation from a container with Syft

syft alpine:3.20 -o cyclonedx-json > sbom.json

syft alpine:3.20 -o spdx-json > sbom.spdx.json

Same with Trivy

trivy image --format cyclonedx -o sbom.json alpine:3.20

GitHub SBOM API

gh api /repos/OWNER/REPO/dependency-graph/sbom > sbom.json

VEX (Vulnerability Exploitability eXchange)

The standard that pairs with SBOM. It standardizes a vendor response like "this CVE on this component does not affect our product." Tools started ingesting VEX in 2025, and combined with reachability analysis, it became the key infrastructure for "prioritize only the truly risky CVEs."

12. Reachability analysis — Endor, Snyk

If you've ever received a report saying "your dependencies have 100 CVEs," you've probably wondered how many of them are actually called from your app. Reachability analysis automates that.

What is reachability?

- Level 1 — is the package directly imported in the dependency graph? (dependency)

- Level 2 — is the vulnerable function of that package imported? (symbol-level)

- Level 3 — does your app code actually call the vulnerable function? (call-graph)

- Level 4 — is that call reachable at runtime? (taint + control flow)

According to industry measurements, 70 to 95 percent of Level 1 CVEs become unreachable when you push to Levels 3 to 4. In other words, most don't need patching, or have low priority.

Major providers

| --- | --- | --- | --- |

The effect

One field case — a large monorepo (JS/TS, 300K LOC, 1500 dependencies).

- Dependency CVE total: 412 (Level 1).

- After symbol-level reachability: 87 (79% reduction).

- After call-graph reachability: 31 (92% reduction).

- The security team actually had to look at 31.

This effect made reachability a near-mandatory feature when picking an SCA tool after 2024.

13. LLM-powered SAST + Autofix

The biggest current between 2023 and 2026. LLMs changed two things about SAST.

1. Rule writing / dataflow

Traditionally, SAST rules were regex or explicit rules over a dataflow graph. LLMs generalize "natural-language description to code pattern" to some degree. The result is a chance to catch "new vulnerable patterns never seen before."

- **Snyk DeepCode AI** — ML-learned base, pattern + AI hybrid.

- **Aikido AI** — rules + LLM dedup.

- **Semgrep Assistant** — natural language to Semgrep YAML rule.

- **GitHub Copilot Autofix** (formerly Code Scanning Autofix) — LLM patches on CodeQL findings.

2. Autofix

LLMs auto-generate patch PRs for findings.

- Dependency upgrade (safest, highest adoption).

- Code patch (cautious, mandatory human review).

- Configuration change (Dockerfile, K8s manifest).

The field caveats

Just because an LLM autofix produces a PR doesn't mean it's always correct.

- **Wrong fix** — the vulnerability is closed but features regress. Insufficient test coverage causes accidents.

- **Partial fix** — the sink is patched but the source is intact. The same attack can come through a different path.

- **Missing context** — domain knowledge like "this function is only called internally so escaping is unnecessary" gets missed.

The 2026 best practice is "LLM autofix is a PR draft requiring mandatory human review, and only trivial cases like dependency upgrades may be auto-merged." Code patches still need human eyes.

A pattern that autofix often gets wrong

Before — SQL injection

query = f"SELECT * FROM users WHERE name = '{name}'"

cursor.execute(query)

LLM autofix v1 (wrong) — only adds escape

query = f"SELECT * FROM users WHERE name = '{name.replace(chr(39), chr(39)+chr(39))}'"

cursor.execute(query)

LLM autofix v2 (right) — parameterized

cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

14. EU CRA (2024) — software regulation begins

The EU Cyber Resilience Act was passed by the EU Parliament in October 2024 and came into force in November 2024. It imposes security requirements on "products with digital elements" (including software) placed on the EU market.

What it requires

- **Vulnerability management process** — at least 5 years of patches (or the product lifetime).

- **24-hour reporting upon discovery of known vulnerabilities** — notify ENISA.

- **Provide SBOM** — provide a component list to market surveillance authorities on request.

- **Secure by design** — consider security from the design phase.

- **CE mark** — affix the CE mark after passing conformity assessment.

Timeline

- November 2024 — entry into force.

- September 2026 — reporting obligations begin to apply.

- December 2027 — full requirements apply.

When Korean or Japanese companies are affected

- When selling SaaS or IoT products into the EU market.

- When supplying libraries or software components to EU customers (including B2B).

- OSS maintainers are exempt unless engaged in "commercial activity."

Tool impact

Because EU CRA requires SBOM, vulnerability management process, and 24-hour reporting, tool selection now requires:

1. SBOM generation + storage + external disclosure.

2. A 24-hour workflow from discovery to classification to patch to report.

3. Audit logs — who decided what, kept for 5 years.

ASPM platforms like Cycode, Aikido, and Snyk quickly added EU CRA support, and GHAS reinforced its Security Advisory workflow. Korean and Japanese teams considering EU market entry in 2026 should verify CRA support when choosing a SAST tool.

15. Korea / Japan SAST adoption

Korea

Korea is a market where security audits are effectively mandatory under the Information and Communications Network Act, the Personal Information Protection Act, and ISMS-P certification. Traditionally these tools were strong:

- **Fortify (Micro Focus / OpenText)** — broad deployment in finance.

- **Checkmarx** — many Korean partners, mostly large enterprises.

- **Veracode** — Korean branches of global firms.

- **Sparrow** — a Korean-native SAST. Certified by NIS and finance.

Modern tools have been gaining ground since the mid-2020s.

- **Semgrep** — adopted by startups and platform companies (Coupang, Toss, Naver, Kakao).

- **Snyk** — Toss, Woowa Brothers, LINE, and others.

- **GHAS** — companies on GitHub Enterprise.

- **Kakao Enterprise KaibAi** — Kakao's AI code security tool. Internal Kakao group adoption from around 2024. Strong on Korean code context (comments, variable names).

Japan

The Japanese SAST market is conservative but has seen rapid penetration by global tools in the 2020s.

- **Veracode, Checkmarx** — large finance and telecom companies.

- **FFRI Security (Kabushiki Kaisha FFRI Sekyuriti)** — Japanese-native. Endpoint protection is the main line, but static analysis and vulnerability assessment consulting are also strong. Many government and defense customers.

- **GMO Cybersecurity by Ierae** — a major Japanese security firm. Assessment + consulting + tools.

- **Snyk Japan** — expanded Japanese presence in the late 2020s.

- **GitGuardian Japan, Aikido** — adoption cases for secrets and all-in-one tools growing.

Japanese market characteristics:

1. Preference for self-hosting — SonarQube on-prem is strong.

2. Consulting + tool bundles are typical — standalone SaaS adoption is cautious.

3. Government and defense prefer Japanese vendors (FFRI etc.).

Conclusion — regional recommendations

| Scenario | Korea | Japan |

| --- | --- | --- |

| Startup (10-50) | Semgrep + Trivy + GitGuardian | Aikido or Snyk |

| Mid-size (50-500) | Snyk or GHAS + Aikido | Snyk + Cycode |

| Enterprise (500+) | Checkmarx + Cycode + in-house | Veracode + FFRI consulting |

| Finance | Sparrow + Fortify + Checkmarx | Checkmarx + GMO + self-hosted SonarQube |

| EU market entry | Cycode or Aikido (SBOM + CRA) | Snyk or Aikido (SBOM + CRA) |

Closing — "You don't buy a tool, you buy a workflow"

The 2026 SAST market is not a single category but a five-axis tournament. And five currents are shaking it:

1. **All-in-one platform consolidation** — Snyk, Aikido, Cycode bundle SAST/SCA/Secrets/Container.

2. **Reachability** — automated judgment of "is this CVE actually risky?"

3. **LLM autofix** — automation from finding to fix PR.

4. **EU CRA** — SBOM + 24-hour reporting + 5-year patch obligation.

5. **Developer-first UX** — IDE integration, immediate PR feedback, automatic false-positive dedup.

The starting point for small teams is simple — Semgrep CE + Trivy + GitGuardian free tier. From there, as the team grows, you wrap them in one ASPM (Aikido, Cycode, Snyk), or you integrate via GHAS if you're on GitHub Enterprise. Large organizations standardize on a combination of enterprise tools (Checkmarx, Veracode) and an ASPM (Cycode).

One truth — **"You don't buy a tool, you buy a workflow (discover, triage, patch, report)."** Whatever tool you pick, if this workflow doesn't run in under 5 minutes, you'll just pile 10,000 issues into a backlog. The first question of any tool evaluation is always "if a PR gets a red mark from the SAST, can it reach a mergeable state within an hour?"

References

- Semgrep — [https://semgrep.dev/](https://semgrep.dev/)

- Semgrep rules registry — [https://semgrep.dev/explore](https://semgrep.dev/explore)

- CodeQL — [https://codeql.github.com/](https://codeql.github.com/)

- GitHub Advanced Security — [https://github.com/security/advanced-security](https://github.com/security/advanced-security)

- Snyk — [https://snyk.io/](https://snyk.io/)

- Snyk DeepCode AI Fix — [https://snyk.io/platform/deepcode-ai/](https://snyk.io/platform/deepcode-ai/)

- SonarQube — [https://www.sonarsource.com/products/sonarqube/](https://www.sonarsource.com/products/sonarqube/)

- SonarSource Clean Code — [https://www.sonarsource.com/solutions/clean-code/](https://www.sonarsource.com/solutions/clean-code/)

- Aikido Security — [https://www.aikido.dev/](https://www.aikido.dev/)

- Cycode — [https://cycode.com/](https://cycode.com/)

- GitGuardian — [https://www.gitguardian.com/](https://www.gitguardian.com/)

- Trivy — [https://trivy.dev/](https://trivy.dev/)

- Aqua Security — [https://www.aquasec.com/](https://www.aquasec.com/)

- Checkmarx — [https://checkmarx.com/](https://checkmarx.com/)

- Veracode — [https://www.veracode.com/](https://www.veracode.com/)

- OWASP ZAP — [https://www.zaproxy.org/](https://www.zaproxy.org/)

- Bearer — [https://www.bearer.com/](https://www.bearer.com/)

- Endor Labs — [https://www.endorlabs.com/](https://www.endorlabs.com/)

- Socket.dev — [https://socket.dev/](https://socket.dev/)

- SPDX — [https://spdx.dev/](https://spdx.dev/)

- CycloneDX — [https://cyclonedx.org/](https://cyclonedx.org/)

- OWASP Dependency-Track — [https://dependencytrack.org/](https://dependencytrack.org/)

- Syft (Anchore) — [https://github.com/anchore/syft](https://github.com/anchore/syft)

- OpenSSF — [https://openssf.org/](https://openssf.org/)

- EU Cyber Resilience Act — [https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)

- ENISA — [https://www.enisa.europa.eu/](https://www.enisa.europa.eu/)

- US Executive Order 14028 — [https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)

- Kakao Enterprise — [https://www.kakaoenterprise.com/](https://www.kakaoenterprise.com/)

- FFRI Security — [https://www.ffri.jp/](https://www.ffri.jp/)

- Sparrow (Korean SAST) — [https://www.sparrowfasoo.com/](https://www.sparrowfasoo.com/)