How to choose the right static application security testing (SAST) tool for your own use case is a question many new users face, and they are easily misled by the marketing of the vendors who produce SAST tools.
The more experienced you are, the less likely you are to be swayed by the marketing literature you encounter through the various channels. In general, SAST is one of the approaches to application security testing (AST). It is commonly adopted by developers to scan and review a project's source code (or compiled bytecode) without executing the application, so that vulnerabilities can be caught and fixed before the application is released to production. Because it reports candidate defects rather than proven exploits, its findings still need triage: not every reported issue is reachable or exploitable in the deployed application.
The tools come under a variety of licensing schemes: some are licensed per application per year, others per installation with unlimited scans on the supported platforms. Recently more and more vendors charge on a subscription basis, whereas in the past a perpetual license was the norm. Some products are licensed to run as an online, cloud-based service, while others can be installed on premises.
As this shows, certain industries will be more conservative, and an online or cloud-based service may not be an option, since scanning there means handing your source code to a third party. For customers with a large volume of projects to scan, a single installation with unlimited scanning is more cost effective; for customers with only a few applications, per-application licensing is the more effective choice.
E-SPIN has been active in the SAST product supply, training and maintenance business since 2005. SAST is part of the core application security testing (AST) portfolio we maintain for the customers we serve, which spans various AST use cases and contexts such as dynamic application security testing (DAST), mobile application security testing (Mobile AST), software composition analysis (SCA), interactive application security testing (IAST) and manual application security testing (MAST). Feel free to contact E-SPIN with your project and operational requirements; we should be able to assist you with the precise requirement and package for your project.