There are two possible ways to do static code analysis for security issues with IBM solutions.
IBM Security AppScan Source
The older solution is “IBM Security AppScan Source”. It runs locally on your computer or server and from time to time requires updates and a licence extension.
IBM Security AppScan Source helps organizations lower costs and reduce risk exposure by identifying web-based and mobile application source code vulnerabilities early in the software development lifecycle so they can be fixed before deployment. AppScan Source integrates cognitive capabilities such as Intelligent Finding Analytics (IFA) into your software development lifecycle, decreasing the time and effort required to identify and remediate vulnerabilities.
With this solution you can identify web-based and mobile application source code vulnerabilities early in the software development lifecycle, with the option of IDE integration, so they can be fixed before the deployment process.
Another option is to build automated security into development by integrating security source code analysis with automated scanning during the build process. The demo version only allows you to scan the IBM test application.
IBM Application Security on Cloud
The second and newer solution is IBM Application Security on Cloud. Using this solution requires the application source code to be uploaded to the IBM cloud. Before doing this, you need to compile a special archive (with the .IRX file extension) with the help of an IBM tool called “Static Analyzer Client”.
For static analysis, you download a small Client Utility. If you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis. Alternatively, you can run an included installer that adds the static analysis plug-in to your Maven build environment, or to your Eclipse, IntelliJ IDEA, or Visual Studio integrated development environment (IDE).
One check of your application code costs $204, but free demo access is also available. With the demo you can run a static code analysis check and receive a short report of the results. The report will not show the critical places in your code, but you will learn how many possible vulnerabilities you have and what kinds of vulnerabilities they are.