Statica - how I run some of my favourite AppSec tools

Static analysis is a powerful technique for catching security issues. But tools that depend on compilation aren't always easy to run, especially when you don't have the right dependencies to hand or you're stuck on Apple Silicon with legacy code.

So I built Statica: a wrapper for the AppSec tools I trust.

Some useful AppSec tools

Statica runs a hand-picked set of tools to uncover security issues, inspired by classics like metric-fu:

  • Trivy: Finds secrets in code.
  • Semgrep: Flags bugs and security holes.
  • Bearer: Sniffs out secrets and risky code.
  • Lizard: Spots complexity in code.
  • RetireJS: Catches vulnerable JavaScript libraries.
  • CPD: Finds copy-paste code.
  • Checkov: Scans IaC (e.g. Terraform) code for security slip-ups.

How Statica works

Statica is a CLI tool. Point it at your codebase and it runs each tool in sequence, then rolls the results up into a single HTML or console report. It installs and updates via Homebrew on macOS and Linux.

Statica saves tool outputs in SARIF format and merges them for a single view of a codebase’s weak spots.
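Statica's own merge step isn't shown in the post. As an added illustration (not Statica's code), the script below combines the runs of several SARIF 2.1.0 documents into one and tallies findings per tool and severity; the two tool outputs and their findings are constructed sample data, not real scan results.

```python
import json
from collections import Counter


def _sample(tool, results):
    """Build a minimal constructed SARIF 2.1.0 document for one tool (illustrative data only)."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool}},
        "results": [{"ruleId": rule, "level": level, "message": {"text": text},
                     "locations": [{"physicalLocation": {
                         "artifactLocation": {"uri": uri},
                         "region": {"startLine": line}}}]}
                    for rule, level, text, uri, line in results]}]})


# Constructed stand-ins for two tool outputs; rule ids and findings are made up.
SAMPLE_SARIF = [
    _sample("Semgrep", [("example.eval-on-user-input", "error",
                         "eval() on request data", "app.py", 12)]),
    _sample("Trivy", [("example-cloud-key", "error", "Cloud access key", "config/settings.py", 3),
                      ("example-cloud-key", "warning", "Key-like string in fixture", "tests/fixtures.py", 8)]),
]


def merge_sarif(documents):
    """Combine the runs of several SARIF 2.1.0 documents into one document.
    Each tool keeps its own run, so the driver name and per-tool context survive the merge."""
    merged = {"version": "2.1.0", "runs": []}
    for doc in documents:
        data = json.loads(doc)
        if data.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version: {data.get('version')}")
        merged["runs"].extend(data.get("runs", []))
    return merged


def summarise(merged):
    """Return (Counter of (tool, level) -> count, list of (tool, level, file:line, ruleId))."""
    counts, rows = Counter(), []
    for run in merged["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default when level is omitted
            loc = result["locations"][0]["physicalLocation"]
            where = f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}"
            counts[(tool, level)] += 1
            rows.append((tool, level, where, result["ruleId"]))
    return counts, rows


if __name__ == "__main__":
    counts, rows = summarise(merge_sarif(SAMPLE_SARIF))
    for tool, level, where, rule in rows:
        print(f"{tool:8} {level:8} {where:22} {rule}")
    print(dict(counts))
```

Real tool output would be read from the SARIF files each scanner writes rather than from the constructed strings above.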

Example

brew install simpsonjulian/statica-tap/statica
statica /path/to/codebase html
open /path/to/codebase/statica.html

What’s next?

More checks, and better insights into the results.

Conclusion

Statica is for anyone who wants to get SAST running on their codebase, fast. Try it and let me know how it goes.

DevOps New Zealand