WebDev - static code analysis security tools.

Posted by Geoff Spillane 
October 20, 2020 04:07AM
I have a customer who works for a company that markets a product that is developed and maintained for them by a third-party contractor using WebDev. He is specifically responsible for identifying (and thus hopefully remediating) potential security vulnerabilities in code bases and compiled binaries prior to the products ever hitting production. The tools he currently uses (Checkmarx and Black Duck) won't work with WebDev.

Can anyone suggest a tool for this purpose?
Argus
Re: WebDev - static code analysis security tools.
October 20, 2020 04:56AM
If I understand correctly, I do not think there is any existing tool that can do that, because:

1- WebDev generates the pages on the fly, so there is NOT, AFAIK, any static code that can be analysed at that level
2- the code itself is generated as one or several WinDev/WebDev libraries (wdl). It's a proprietary PC SOFT format, encrypted, again AFAIK, and there is no decompiler out there for it
3- finally, the WebDev engine itself is an executable and the framework is a collection of DLLs containing a boatload of functions, including TONS that are not used in your current project (all DLLs are there all the time, in case one function becomes needed)... So even if in theory you CAN decompile that part (as a regular Windows exe+dlls), it's going to be a huge amount of work to analyse functions that may or may not be used in your current project.

On the other hand, I am guessing that this will make the work of any hacker that much harder.
Re: WebDev - static code analysis security tools.
October 21, 2020 09:44AM
Thank you for your reply Argus. Your thoughts have a lot of merit. I'll report that back to the customer.