Static analysis tools examine source code without executing it to find vulnerabilities and other defects, such as buffer overflows, use of unsafe library functions and memory leaks. Popular static analysis tools for C/C++ include the free and open source Flawfinder, RATS and Splint and the commercial Coverity and CodeSonar. RATS (Rough Auditing Tool for Security) is an open source scanner that matches source code against vulnerability rules held in XML databases; its output is a list of warnings about potentially dangerous constructs, intended to guide manual code inspection and hardening rather than to deliver a verdict. The lightweight, pattern-based tools in particular have limitations: they do not run the preprocessor, so a dangerous call hidden behind a macro is reported once at the definition (or not at all) instead of at each call site, and they lack the context (data flow, buffer sizes, taint) needed to tell a real defect from a safe use, so false positives are common and manual review is still needed.
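To make the behaviour and the blind spot concrete, the following is an added example (my own code, not RATS, Flawfinder or any other tool's implementation) of a RATS-style lexical scanner: a constructed rule table of dangerous C functions, a tokenizer that strips comments and string literals, and a scan over a constructed C snippet in which a `#define COPY(...)` macro wraps `strcpy`. The rule table, the `SAMPLE_C` source and the helper names are assumptions for illustration only. A second function shows one cheap mitigation for the macro problem that a practitioner can bolt on: when a flagged call sits inside a function-like macro, report every use of that macro as an indirect call site.

```python
import re

# Constructed rule table in the spirit of the RATS/Flawfinder vulnerability
# databases (hypothetical; not any tool's real rule file).
RULES = {
    "gets":    ("high",   "no bounds check; use fgets"),
    "strcpy":  ("high",   "unbounded copy; use a size-bounded copy"),
    "strcat":  ("high",   "unbounded append; use a size-bounded append"),
    "sprintf": ("medium", "unbounded format; use snprintf"),
    "system":  ("high",   "shell command injection risk"),
}

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)\s*\(")

# Constructed C input (assumption): two strcpy() call sites hidden behind COPY(),
# a commented-out strcpy and a gets() that appears only inside a string literal.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#define COPY(dst, src) strcpy(dst, src)   /* macro hides the call */
int main(int argc, char **argv) {
    char buf[16];
    char line[64];
    /* strcpy(buf, argv[1]); commented out, must not be reported */
    printf("never call gets() on untrusted input\n");
    fgets(line, sizeof line, stdin);
    COPY(buf, argv[1]);
    COPY(line, argv[2]);
    sprintf(buf, "%s", argv[1]);
    return 0;
}
'''


def strip_noise(src):
    """Blank out comments and string literals, keeping newlines so line
    numbers in findings stay correct. Comments are removed first, so a
    '//' inside a string literal would be mis-treated as a comment."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return _STRING_RE.sub(blank, _COMMENT_RE.sub(blank, src))


def scan(src, rules=RULES):
    """Return (line, function, severity, message) for each call to a listed
    function. Purely lexical: no preprocessing, no types, no data flow."""
    findings = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in rules:
                sev, msg = rules[name]
                findings.append((lineno, name, sev, msg))
    return findings


def macro_call_sites(src, findings):
    """Heuristic follow-up for the macro blind spot: if a flagged call sits in
    a function-like #define, report every use of that macro as
    (line, macro, definition_line). Still lexical; nested macros and
    backslash-continued #define lines are not followed."""
    lines = strip_noise(src).splitlines()
    macros = {}
    for lineno in {f[0] for f in findings}:
        m = _DEFINE_RE.match(lines[lineno - 1])
        if m:
            macros[m.group(1)] = lineno
    indirect = []
    for lineno, line in enumerate(lines, start=1):
        if lineno in macros.values():
            continue
        for m in _CALL_RE.finditer(line):
            if m.group(1) in macros:
                indirect.append((lineno, m.group(1), macros[m.group(1)]))
    return indirect


if __name__ == "__main__":
    hits = scan(SAMPLE_C)
    for lineno, name, sev, msg in hits:
        print(f"line {lineno}: {name}() [{sev}] {msg}")
    for lineno, macro, defined_at in macro_call_sites(SAMPLE_C, hits):
        print(f"line {lineno}: {macro}() expands to a flagged call defined at line {defined_at}")
```

Run as a script it reports `strcpy` once, at the `#define` on line 4, and `sprintf` on line 13; the two real `strcpy` call sites on lines 11 and 12 only appear through `macro_call_sites`. The commented-out `strcpy` and the `gets()` inside the `printf` string are correctly ignored, but note that `sprintf(buf, "%s", argv[1])` is flagged regardless of whether `buf` could ever be too small, which is exactly the missing-context false positive a reviewer has to resolve by hand.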