Static code analysis (also known as source code analysis) is usually performed on the source code in the repository as part of the CI/CD pipeline during software development. It finds many different kinds of security vulnerabilities and is usually called white-box security testing, since it inspects the internals of the code to detect them. These tools can also monitor code smells, code coverage, and other parameters. An example of a good tool is SonarQube. Have a look at this sample SonarQube report:
The following ...
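To make the white-box idea concrete, here is an added toy analyser (not SonarQube, and not code from the original page) that parses Python source into an AST and reports a few classic findings: calls to dangerous functions and string literals assigned to credential-looking names. The rule names, the sample source and the `gate()` policy are all constructed for this illustration; a real tool ships hundreds of such rules and runs them on every commit.

```python
"""Minimal white-box static analysis: walk the AST of Python source and flag
risky patterns. Added illustration only; not SonarQube or any real scanner."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # constructed rule id, e.g. "dangerous-call"
    line: int      # 1-based line in the analysed source
    message: str


# Rule table (constructed): callables a static analyser typically reports.
DANGEROUS_CALLS = {
    "eval": "eval() on attacker-influenced input allows code injection",
    "exec": "exec() allows code injection",
    "pickle.loads": "unpickling untrusted data can execute arbitrary code",
}
# Variable-name fragments that suggest a hard-coded credential.
SECRET_NAMES = ("password", "secret", "api_key", "token")


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'pickle.loads'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def analyze(source: str) -> list[Finding]:
    """Parse `source` and return findings sorted by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno, DANGEROUS_CALLS[name]))
        elif isinstance(node, ast.Assign):
            # Hard-coded secret: a string literal assigned to a suspicious name.
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES
                    ):
                        findings.append(Finding(
                            "hardcoded-secret", node.lineno,
                            f"string literal assigned to '{target.id}'",
                        ))
    return sorted(findings, key=lambda f: f.line)


def gate(findings: list[Finding], fail_on=("dangerous-call", "hardcoded-secret")) -> bool:
    """CI quality gate (constructed policy): True means the build may proceed."""
    return not any(f.rule in fail_on for f in findings)


# Constructed sample module under analysis; line numbers matter for the report.
SAMPLE = "\n".join([
    "import pickle",                     # line 1
    'DB_PASSWORD = "hunter2"',           # line 2: hard-coded credential
    "def load(blob):",                   # line 3
    "    return pickle.loads(blob)",     # line 4: unsafe deserialisation
    "def calc(expr):",                   # line 5
    "    return eval(expr)",             # line 6: code injection sink
])


if __name__ == "__main__":
    results = analyze(SAMPLE)
    for f in results:
        print(f"sample.py:{f.line}: [{f.rule}] {f.message}")
    print("gate:", "PASS" if gate(results) else "FAIL")
```

Running it prints one report line per finding and a failed gate, which is the same shape a CI stage sees from a real scanner: findings tied to file and line, and a pass/fail decision that blocks the merge. The analyser never executes the code under review, which is exactly what distinguishes white-box static analysis from dynamic testing.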