Statica - how I run some of my favourite AppSec tools
• Julian Simpson
Static analysis is a powerful technique for catching security issues. But tools that depend on compilation aren’t always easy to run, especially if you don’t have the right dependencies installed or you’re stuck on Apple Silicon with legacy code.
So I built Statica: a wrapper for the AppSec tools I trust.
Some useful AppSec tools
Statica runs a hand-picked set of tools to uncover security issues, inspired by classics like metric-fu:
- Trivy: Finds secrets in code.
- Semgrep: Flags bugs and security holes.
- Bearer: Sniffs out secrets and risky code.
- Lizard: Spots complexity in code.
- RetireJS: Catches vulnerable JavaScript libraries.
- CPD: Finds copy-paste code.
- Checkov: Scans IaC (e.g. Terraform) code for security slip-ups.
How Statica works
Statica is a CLI tool. Point it at your codebase, and it runs each tool in sequence, then rolls up the results into a single HTML or console report. Easy install and updates via Homebrew on macOS and Linux.
Statica saves tool outputs in SARIF format and merges them for a single view of a codebase’s weak spots.
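To make the "merge the SARIF outputs" step concrete, here is an added example (my own illustration, not Statica's code) of combining per-tool SARIF 2.1.0 logs into one log and rolling the results up by tool and severity. The two SARIF inputs are constructed samples trimmed to the fields the merge needs; the output file name is a placeholder.

```python
"""Merge several SARIF 2.1.0 logs (one per tool) into a single log and
summarise findings by tool and severity.

Added example, not Statica's own code. It assumes each tool wrote a SARIF
file whose runs[*].tool.driver.name identifies the tool, and that result
`level` uses the SARIF vocabulary (error / warning / note / none).
"""
import json
from collections import Counter

# Constructed sample output from two tools, cut down to the fields used here.
SEMGREP_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "python.lang.security.audit.eval-detected"}]}},
        "results": [{
            "ruleId": "python.lang.security.audit.eval-detected",
            "level": "warning",
            "message": {"text": "Detected use of eval()."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/views.py"},
                "region": {"startLine": 42}}}],
        }],
    }],
}

TRIVY_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [{"id": "aws-access-key-id"}]}},
        "results": [
            {"ruleId": "aws-access-key-id", "level": "error",
             "message": {"text": "AWS Access Key ID"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/settings.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "aws-access-key-id", "level": "error",
             "message": {"text": "AWS Access Key ID"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "scripts/deploy.sh"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def merge_sarif(logs):
    """Combine the runs of several SARIF logs into one log.

    A SARIF log may hold many `runs` (one per tool invocation), so merging is
    concatenation. Each run keeps its own driver and rule table, so rule ids
    from different tools never collide.
    """
    merged = {"version": "2.1.0",
              "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
              "runs": []}
    for log in logs:
        if log.get("version") != "2.1.0":
            raise ValueError("unsupported SARIF version: %r" % log.get("version"))
        merged["runs"].extend(log.get("runs", []))
    return merged


def summarise(merged):
    """Count results per (tool, level); a result with no level is treated as a warning."""
    counts = Counter()
    for run in merged["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            counts[(tool, result.get("level", "warning"))] += 1
    return counts


def findings(merged):
    """Flatten results to (tool, rule, file, line) tuples for a console view."""
    rows = []
    for run in merged["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            rows.append((tool, r["ruleId"], loc["artifactLocation"]["uri"],
                         loc["region"]["startLine"]))
    return sorted(rows)


if __name__ == "__main__":
    merged = merge_sarif([SEMGREP_SARIF, TRIVY_SARIF])
    with open("merged-placeholder.sarif", "w") as fh:  # placeholder output path
        json.dump(merged, fh, indent=2)
    for (tool, level), n in sorted(summarise(merged).items()):
        print(f"{tool:10} {level:8} {n}")
    for tool, rule, uri, line in findings(merged):
        print(f"{tool:10} {uri}:{line}  {rule}")
```

Because the merged file is still valid SARIF, it can be uploaded to any viewer that accepts SARIF (code-scanning dashboards, IDE plugins) in addition to being rendered as a local HTML or console report, which is the single-view benefit described above.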
Example
brew install simpsonjulian/statica-tap/statica
statica /path/to/codebase html
open /path/to/codebase/statica.html
What’s next?
More checks, and better insights into the results.
Conclusion
Statica is for anyone who wants to get SAST running on their codebase, fast. Try it and let me know how it goes.