What are the recommended tools to SAST on outsystems codes (on-premise)?
Application Type
Reactive, Service
Platform Version
11.14.1 (Build 34445)


Based on https://success.outsystems.com/Support/Security/Static_Application_Security_Testing, it is possible to retrieve the codes for SAST. However, there are no recommended tools or rulesets to validate the claims in the application security technical white paper.

Do anyone have an idea or recommendations on the approach to handling security testing on outsystems codes?


Hi c3d,

I recommend reading this article:


Third-party tools

OutSystems generates standard applications from its runtime, enabling standard security assessment tools, such as static code analysis, to vet the runtime code.

To systematically ensure high-security standards for generated applications, OutSystems leverages security assessment tools as part of the automated quality assurance process for every product release. Integration with market-leading static code analysis tools has been set up for automatic code vulnerability scans during regression testing. These tests support an aggressive criteria for release acceptance, which requires fixes to all critical, high, and medium reported code vulnerabilities. This ensures that the generated code is inherently secure.

Static application security testing

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. You can export the source code of your OutSystems apps and use it to run SAST using third-party tools such as Omnext, Boncode, and SIG.

The same exported source code can be used by Veracode to perform dynamic app security testing.

Penetration testing

A penetration test, also called a pen test or ethical hacking, can be used used to identify, test, and highlight vulnerabilities in your code in the OutSystems cloud using such third-party tools as Neotys and Tricentis.

To perform penetration tests, and vulnerability scans, authorization from OutSystems must be requested at least five business days before the start date for each test.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.