38+ standards. 17,476 native SAST rule IDs. 19 languages. 13 dedicated scanners. Per-rule mapping from finding to standard clause. Cross-tool corroboration. Evidence on every claim. Where Coverity ships 10 standards and 17 languages, PhantomYerra ships 38+ standards and 19 languages - with the rule-pack provenance and the receipts.
Every number on this page maps to a file in the codebase, a rule ID in a JSON pack, or an authoritative published standard. No marketing inflation. No "best in class." Just the per-pack rule counts and the per-rule mapping.
Each tile drills into the full rule pack - editions covered, rule counts, sample IDs, and the head-to-head with Coverity. Every claim is sourced from the packs shipped inside the platform under resources/compliance/, resources/cert/, and the YerraSAST scanner modules themselves.
MISRA C 2023 (187 rules) and MISRA C++ 2023 (153 rules) - full mandatory / required / advisory coverage with per-rule mapping. Editions 2004, 2012, and 2023 all supported.
519 AUTOSAR C++14 rules - Adaptive Platform-ready. A-, M-, and Rh-class rules in one pack. Exceeds the published catalogue via PhantomYerra extensions for modern toolchains.
ISO 26262: TÜV-grade T2 tool qualification kit. 21 Part-6 control objectives mapped. ASIL A through D support for automotive safety-critical development. § 5.4.7 / § 8.4.5 / § 9.4 verifications.
120 CERT-C + 83 CERT-C++ + 160 CERT-Java rules. 100% of the published Java catalogue (Coverity 76.5%). Layered on top of 2,164 native Java SAST rules.
ISO/IEC TS 17961: all 46 C secure-coding rules covered. Per-rule mapping published per finding. Coverity ships this - PhantomYerra documents the rule-by-rule mapping in JSON.
DISA Application Security & Development STIG: 96 V-IDs covering CAT I (13), CAT II (82), CAT III (1). Mobile extensions Coverity does not ship.
Current PCI edition - 4.0.1 (published 2024). Requirements 6.2 / 6.3 / 6.4 / 6.5 mapped to 17,476 native SAST rule IDs. Coverity does not publicly disclose which PCI edition they support.
Ten OWASP Top 10s, not two. Web, API, Mobile, LLM, Kubernetes, ML, CI/CD, Cloud, IoT, Serverless - every variant mapped, every A01–A10 with example findings.
CWE Top 25 (2024): all 25 weaknesses covered across 19 languages. Coverity ships 17 languages. Per-CWE example YerraSAST rule that fires on real source.
Head-to-head with Coverity: rule count, languages, standards, deployment, pricing, and unique capabilities - line by line. Why PhantomYerra exceeds on quantity, quality, functionality, and performance.
Beyond the nine flagship packs above, PhantomYerra ships compliance mappings for: HIPAA, GDPR, CCPA, CPRA, FERPA, COPPA, SOX, NIS2, DORA, EU CRA, EU AI Act, NIST AI RMF, ISO 42001, HITRUST CSF + AI Risk Management Maturity, SOC 2 Type II, FedRAMP, NIST 800-53, NIST 800-171, NIST SSDF, NIST PQC migration, ISO 27001, ISO 27002, NIST CSF 2.0, C++ Core Guidelines (167 rules), and AI/PQC supplementary packs. Total: 38+ regulatory and standards mappings, all keyed to the same finding objects so a single scan emits compliance reports against every applicable framework.
Coverity's 2024 documentation lists ten standards: MISRA C / C++, AUTOSAR C++14, CERT C / C++ / Java, ISO 26262, ISO/IEC TS 17961, DISA STIG, PCI DSS, OWASP Top 10, CWE Top 25.
A single PhantomYerra scan emits the same finding objects against every applicable standard. Per-rule mapping is keyed by CWE ID + standards-rule ID + the scanner rule ID that fired. Reports render side-by-side: a MISRA-flavored DOCX, a CERT-flavored DOCX, a PCI 4.0.1 evidence package, and the engineering JSON - from the same scan, same finding store.
| Step | What happens | Output |
|---|---|---|
| 01 | Scan - YerraSAST + dynamic engines run against source / binaries / running targets | Raw findings with CWE IDs, OWASP IDs, custom rule IDs |
| 02 | Cross-tool corroborate - findings cross-checked against bundled CodeQL, Semgrep, Bandit, Detekt where applicable | Confidence tier (HIGH / MEDIUM / LOW) |
| 03 | AI FP review - each finding scored by adapter chain; suppression-with-reason for confirmed FPs | FP-cleaned finding stream |
| 04 | Standards mapping - each finding tagged with every standard clause it triggers (MISRA, CERT, OWASP, CWE, PCI, ISO 26262, ...) | Multi-framework tag bundle per finding |
| 05 | ASIL grading - automotive-context findings receive ASIL A/B/C/D severity based on impact + exposure | Per-finding ASIL grade |
| 06 | Report render - one click produces DOCX / PDF / HTML / JSON for any combination of standards | Audit-ready evidence packages |
Per Supreme Rule XI: every artifact must exceed its commercial peer on all four dimensions. Here is the head-to-head against the most-cited commercial peer - Coverity (Black Duck) - for the standards both vendors document.
| Standard | PhantomYerra | Coverity | Winner |
|---|---|---|---|
| Native SAST rule IDs | 17,476 | ~3,500 (published) | PhantomYerra (5×) |
| Languages supported | 19 | 17 | PhantomYerra |
| Standards shipped | 38+ | 10 | PhantomYerra (3.8×) |
| MISRA C 2023 | 187 | 211 | Coverity (+24) |
| MISRA C++ 2023 | 153 | 179 | Coverity (+26) |
| AUTOSAR C++14 | 519 | undisclosed | PhantomYerra (documented) |
| CERT-C | 120 | 121 | Parity |
| CERT-C++ | 83 | 83 | Parity |
| CERT-Java | 160 / 160 (100%) | 153 / 200 (76.5%) | PhantomYerra (full catalogue) |
| ISO/IEC TS 17961 | 46 / 46 | 46 / 46 | Parity |
| ISO 26262 tool qualification | T2 + ASIL A–D | T2 + ASIL A–D | Parity |
| DISA STIG (AppDev) | 96 V-IDs + mobile | 96 V-IDs | PhantomYerra (mobile extensions) |
| PCI DSS edition | 4.0.1 (current) | undisclosed | PhantomYerra (current) |
| OWASP Top 10 variants | 10 (Web/API/Mobile/LLM/K8s/ML/CI-CD/Cloud/IoT/Serverless) | 2 (Web, API) | PhantomYerra (5×) |
| CWE Top 25 (2024) | 25 / 25 | 25 / 25 | Parity |
| Cross-tool corroboration | Built-in (CodeQL + Semgrep + Bandit + Detekt) | None | PhantomYerra |
| AI false-positive review | Built-in (multi-adapter) | None native | PhantomYerra |
| Air-gapped operation | Yes (no internet required) | Cloud-only for new platform | PhantomYerra |
| Per-finding ASIL grading | A / B / C / D auto-graded | Manual | PhantomYerra |
| Regulatory packs beyond CERT/MISRA | 24 (HIPAA, GDPR, NIS2, DORA, AI Act, ...) | None disclosed | PhantomYerra |
| Pricing model | Perpetual licence + maintenance | Subscription | PhantomYerra (CapEx-friendly) |
MISRA C 2023 ships 211 rules per the latest published count; PhantomYerra ships 187 today (covers all Mandatory + all Required + the top Advisory). MISRA C++ 2023 ships 179; PhantomYerra ships 153. Closing both gaps is on the live roadmap (target: next release). Every other standard PhantomYerra ships at parity-or-better with Coverity.
See PhantomYerra's per-rule mapping on your own source tree. Audit-ready DOCX / PDF / JSON for every standard, from a single scan. No internet required. No subscription. Perpetual licence.