Yasca is an open-source static analysis tool that I wrote around 2008-2010 to detect security vulnerabilities in application source code. It’s written in PHP, but run as a command-line tool. (It seemed like a good idea at the time.)
Yasca hasn’t been maintained in a while, but it’s still in use. You can grab binaries from SourceForge or view the source code on Github.
If you like Yasca, you may want to learn more about DevSkim, which you could think of as Yasca’s spiritual successor and which is being actively maintained.