Static scanning is good way finding coding issues such as:
- Syntax violations
- Security vulnerabilities
- Programming errors
- Coding standard violations
- Undefined values
For more information about the Static Code Analysis please visit the OWASP page
To achieve a better result we can combine static security scanning and 3rd party code (open-source libraries (dependency) scanning.
To doing this part better and more complete (prevent misconfigurations), we can bring up IaC (Infrastructure as code) security scan too. For example check Terraform, helm, Ansible code, etc.
So according to the above lines the possible actions in this step are as follows:
- Static Code Analysis (known as SAST)
- Open-source libraries (3rd party / dependency) scanning (known as SCA)
- IaC Security scanning
-
- CodeSec by Contrast Security - A high-speed high-quality free SAST tool designed for use by developers and in CI/CD pipelines.
- SonarQube - An open-source web-based tool, extending its coverage to more than 20 languages, and also allows a number of plugins
- Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
- CodeQL - Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code analysis engine.
-
- Veracode - A static analysis tool that is built on the SaaS model. This tool is mainly used to analyze the code from a security point of view
- security code scan - Vulnerability Patterns Detector for C# and VB.NET
- Enlightn - A static analysis vulnerability scanner for Laravel PHP applications
- Inquisition - A set of tools for convenient technical analysis of web applications built with Ruby and Ruby on Rails. Now you don't need to set up and configure every single gem. Use Inquisition gem instead
- CodeSweep - Static Analysis tool for GitHub that's free to use and can scan code on pull request. Support over 20 languages and IaC (docker, k8s). VS Code version can be found here
- HCL AppScan on Cloud - SAST tool built as a service. The tool can perform traditional SAST, SCA and IaC scanning.
- Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- Checkmarx SAST - A static analysis security vulnerability scanner
- Fortify - A static analysis security vulnerability scanner
- PT Application Inspector - Is the only source code analyzer providing high-quality analysis and convenient tools to automatically confirm vulnerabilities — significantly speeding up the work with reports and simplifying teamwork between security specialists and developers