GrepBugs

grep all the bugs!

Using regular expressions to find bugs in source code is a very rudimentary method. Results will tend to be noisy (many false positives). So why bother with this approach when there are more advanced scanners that can find bugs more reliably?

It is still a great aid for code reviewers, it helps to quickly locate areas of interest in code.
It's cheaper than commercial scanners, which can also be noisy when not tuned properly.
It's better than not looking for security bugs in code at all.
Developers can use this to become better educated on potential security bugs.
It's fun! And a good challenge to develop effective regular expressions.

download all the greps
https://grebugs.com/rules

scan utilities

GrepBugs
- https://github.com/foospidy/GrepBugs

GitGrepBugs
- https://github.com/foospidy/GitGrepBugs

Also see GrepBugs plugins.

Screen capture of GrepBugs scanning hundreds of open source projects

Other utilities (these tools don't use Grepbugs rules)
Visual Code Grepper
- http://sourceforge.net/projects/visualcodegrepp/
Graudit
- https://github.com/wireghoul/graudit/
Flawfinder
- http://www.dwheeler.com/flawfinder/
Others
- https://github.com/phpstan/phpstan
- https://github.com/lafkuku/GREP.Net
- http://www.dwheeler.com/flawfinder/#othertools
- https://www.owasp.org/index.php/Static_Code_Analysis#Tools
- http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- https://fuzzing-project.org/
- https://scan.coverity.com/projects *free for open source projects
- https://www.hpfod.com/open-source-review-project *free for open source projects
- https://www.codewatch.org/

online regex tools

http://regexpal.com/
http://www.regexr.com/
https://regex101.com/