Static code scanning (static analysis) is often integrated with complementary techniques such as unit testing, peer code review, runtime error detection and requirements traceability.
Good Starting Places
- Chapters 13 and 14 of Google's Building Secure and Reliable Systems https://static.googleusercontent.com/media/landing.google.com/en//sre/static/pdf/SRS.pdf
- The Seven Pernicious Kingdoms taxonomy of software security flaws https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
- The 2017 NIST publication Improving Software Assurance through Static Analysis Tool Expositions https://www.nist.gov/publications/improving-software-assurance-through-static-analysis-tool-expositions
Catalogs and Lists of Tools
- NIST catalog of source code security analyzers https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- GitHub list of static analysis tools organized by language https://github.com/analysis-tools-dev/static-analysis
- Wikipedia list of static analysis tools https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis