Static analysis tools help people write better software, by telling them how they goofed. SAST tools are the evolution of static analysis: tools that point out the security goofs in your code. No tool is perfect, or the replacement for a very skilled reviewer with a lot of time: for example, SAST tools will generate false positives. They’re also very low-effort method of getting feedback for developers.
I’ve collected a few easy options for deploying SAST tools in this post.
First on the list is SonarQube. As it supports many tools under the hood, it can give you an overwhelming list of things to fix. With a bit of setup, it’s useful for tracking the health of a codebase over time. The neat thing is that it will also detect and track security issues. If you’re being asked by clients about your SAST or DAST tooling, it’s a great way to check the box. SonarQube also works with the SonarLint IDE plugin, which is very helpful. You’ll need to buy the cloud service, or run your own SonarQube server.
Next up, is GitHub Advanced Security. Being a GitHub feature, it’s tightly integrated with GitHub and can be configured to run on push, or as an Action. You can also add third party scanners, and use webhooks to add Jira tickets to the backlog. Advanced Security needs an Enterprise plan, so if you’re looking to throw money at the problem, this could be the solution.
Finally, there’s two other tools that I think deserve a mention: Snyk, because they have good IDE support (why not squash them at the source?), and it integrates with BitBucket and GitLab. Also, of note is Muse; Sonatype acquired this recently and will be releasing hosted and free versions. It’ll be branded as Sonatype Lift and will integrate with the Maven ecosystem, to help address supply chain compromises.