If you're talking about scanning code, you're looking for a SAST, DAST, or IAST solution. Examples of the companies making those solutions are: Synopsys, Veracode, Snyk, Checkmarx.
I always advocate for including security as early as possible in the SDLC. Security should be part of the initial design, never an afterthought. And security testing should be built into the DevOps process using whatever tools best fit the needs of your business, etc.
Something I always try to talk about with security and development teams that are running an SDLC exercise and/or are looking at code scanning solutions is: what processes will you have in place for what you find? And that always leads to: how will you prioritize addressing your findings? And that always leads to: what are your processes for managing through conflicts between security, the business (revenue, product release, app owners, etc.), availability, etc.?
When the conversation gets there (i.e., when it happens), I raise the issue of compensating controls, including Runtime Protection (RASP), Serverless Protection, and Virtual Patching (or, the "virtual patching process"). Just as "the best security" is often a balance between the security required for "something" and the usability of that same "something," when you have competing priorities to release a product on time, to not allow any code to be pushed to production with any Sev 1 issues, to also patch or disable any application with a Critical CVSS within 72 hours, and to do this with a team of 3 only working 40 hours a week, etc... You have to prioritize.
Having Runtime Protection or Serverless Protection already bundled with your apps, from Dev to Prod, makes your life much easier. Sometimes you can't, though, and that's when you can quickly deploy a runtime/serverless solution, or leverage an existing WAF or API Security solution to mitigate some or all of the issues while you prioritize what you need to fix first and continue to run your business efficiently.
I've worked extensively with virtual patching solutions since 2004, and the number one thing I can share with you is that while they can always be implemented quickly, it's best to have a process defined ahead of time that is routinely tested. OWASP has multiple resources on virtual patching, including this cheatsheet: virtual patching. If you have or are considering integrating SAST / DAST / IAST solutions into your SDLC processes, I encourage you to also look at what you can achieve with virtual patching, and being ahead of the curve with runtime or serverless protection.
We find that most large organizations have policies in one environment or BU that conflict with the policies in another, or require exceptions, etc. While code scanning is a great tool for identifying potential problems for developers to review, it doesn't protect anything. And while a WAF doesn't help you identify security vulnerabilities in your code directly, it protects them from being exploited. Runtime and Serverless protection can both protect you from exploitation and tell you exactly where in the code to look for the vulnerability that someone is trying to exploit. Independently, they all provide value to different teams or individuals.
Working together between teams (security, product, development, sales, marketing, etc.), building processes that leverage the capabilities of solutions that complement one another (Vulnerability/Code Scanning, WAF/WAAP, API Security, Runtime Protection, Serverless Protection, etc.), and including security in the entire software development lifecycle from the beginning, so that you deliver the best user experience possible along with the best security possible; that's nirvana.
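The post above describes virtual patching as a compensating control: a WAF or edge filter blocks exploitation of a finding the scanner reported while the real code fix is prioritized. The following is an added example (editor's code, not from the original post or any vendor product) of what such a patch looks like at its simplest, written as a WSGI middleware in the positive-security style the OWASP virtual patching cheatsheet recommends. The endpoint `/api/orders`, its `id` parameter, and the "scanner found SQL injection on `id`" scenario are all hypothetical; the traffic the demo runs against is constructed inline.

```python
"""Virtual patch as a WSGI middleware (added example; hypothetical finding).

Scenario (constructed): a SAST/DAST report says GET /api/orders passes the
`id` query parameter into a SQL query without validation. The code fix is
queued; until it ships, this middleware enforces an allowlist on that one
parameter at the edge and logs every block with the parameter name, so the
developers know exactly where to look.
"""
import re
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# One rule per (method, path): parameter name -> regex the value must match
# in full. Positive security model: anything not explicitly allowed is blocked.
# The endpoint, parameter and pattern below are assumptions for the demo.
VIRTUAL_PATCHES = {
    ("GET", "/api/orders"): {"id": re.compile(r"[0-9]{1,10}")},
}


def is_blocked(method, path, query_string):
    """Return (blocked, reason). Requests to unpatched routes pass through."""
    rules = VIRTUAL_PATCHES.get((method, path))
    if rules is None:
        return False, None
    # parse_qs percent-decodes, so "1%20OR%201%3D1" is checked as "1 OR 1=1".
    params = parse_qs(query_string, keep_blank_values=True)
    for name, pattern in rules.items():
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                return True, f"parameter {name!r} failed allowlist on {path}"
    return False, None


class VirtualPatch:
    """WSGI middleware that sits in front of the unpatched application."""

    def __init__(self, app, block_log):
        self.app = app
        self.block_log = block_log  # list of reasons; a real deployment would ship these to the SIEM

    def __call__(self, environ, start_response):
        blocked, reason = is_blocked(
            environ["REQUEST_METHOD"],
            environ["PATH_INFO"],
            environ.get("QUERY_STRING", ""),
        )
        if blocked:
            self.block_log.append(reason)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)


def vulnerable_app(environ, start_response):
    """Stand-in for the application whose code fix has not shipped yet."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"order data\n"]


def simulate(method, path, query_string):
    """Drive the wrapped app with a constructed request; return (status, body, log)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query_string
    statuses = []

    def start_response(status, headers, exc_info=None):
        statuses.append(status)

    block_log = []
    app = VirtualPatch(vulnerable_app, block_log)
    body = b"".join(app(environ, start_response))
    return statuses[0], body, block_log


if __name__ == "__main__":
    for q in ("id=42", "id=1%20OR%201%3D1", "id=42'--", "id="):
        status, body, log = simulate("GET", "/api/orders", q)
        print(f"{q:24} -> {status} {log}")
```

The patch is deliberately narrow: it covers one method, one path and one parameter, and it only buys time. Two caveats a practitioner would check before relying on it: the route match is an exact string compare on `PATH_INFO`, so a framework that also serves `/api/orders/` or tolerates `/api//orders` needs those variants listed too (or path normalization before matching), and a POST body carrying the same `id` is not inspected at all. That is the "process defined ahead of time and routinely tested" point from the post in practice.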