Static security scanner for applications in a remote network management platform
Abstract:
An example embodiment may involve a remote network management platform including a computational instance hosting a particular application. The particular application may be based on a unit of program code, use one or more database tables, and define one or more user roles with respect to accessing the program code and the database tables. A scanner application may be configured to: receive, from a client device, a request to scan the particular application; retrieve the particular application; conduct a static security scan by applying a set of rules that define security vulnerabilities, where the rules take into account (i) relationships between the user roles and the unit of program code, and (ii) relationships between the user roles and the database table; and transmit, to the client device, a representation of a web page that contains observed security vulnerabilities of the particular application.