What type of scanning identifies vulnerabilities during the development phase?

Prepare for the Western Governors University ITCL3202 D320 Managing Cloud Security Exam. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Static analysis is the correct choice for identifying vulnerabilities during the development phase. This type of scanning involves reviewing the source code without executing the program. It allows developers to identify potential vulnerabilities, coding standard violations, and other issues early in the development lifecycle. By catching these concerns before the software reaches production, static analysis helps ensure that security flaws are addressed in a timely manner, leading to more secure applications.

In contrast, dynamic analysis involves testing a running application to find security vulnerabilities and is typically used during or after development. Manual auditing incorporates human expertise to analyze code or systems but may not be as efficient in identifying issues as automated tools during early development phases. Continuous monitoring is focused on ongoing assessment of operational environments rather than securing code during its development. Therefore, static analysis is best suited for identifying vulnerabilities in this context.
