
Touchpoint: SAST & Code Quality

This post is part of a series on DevSecOps and CI/CD security. Check out the overview for context and links to the rest of the series.

This post explores using static application security testing (SAST) and code quality tools in a DevSecOps pipeline.

SAST Overview

Static application security testing (SAST) tools analyze source code for security issues. If SAST is new to you, check out Snyk’s guide for a solid overview. SAST tools might run:

  • In the developer’s editor
  • From the command line on the developer’s machine
  • From the command line of a CI server or build environment

[Figure: SAST highlighted]

Choosing SAST Tools

The SAST tool landscape is enormous – defining your needs and choosing tools well-suited to them is key! Consider these factors when choosing SAST tools.

Supported programming languages and other security-relevant components of your stack:

  • What frameworks and libraries does your application use heavily?
  • How does your application handle security-critical functionality like input validation, authentication/authorization, logging, and encryption?
  • How well does the tool “understand” these aspects of your codebase?

Feedback quality and interface

  • Does the tool show where the issue exists in a useful way? For example, does it highlight or jump to source code lines or symbols? If the issue extends across function calls, how is this represented?
  • Does the tool provide remediation guidance? Is the remediation guidance generic, or specific to the language and framework used?
  • Does the tool map discovered issues onto CWE weaknesses? This enables you to track metrics about security issue types, which can guide security decision-making.
  • If the tool doesn’t do these things or do them well, is it extensible so you could add this functionality?

Ruleset quality and size

  • What pre-defined rulesets are available?
  • What do these rules cover, and how does this coverage map onto your security requirements?

A smaller number of high-confidence rules is better than a larger number of low-confidence rules.

Execution time

  • Shorter is better; you want a tight feedback loop between issue discovery and development.
  • Real-time scanning is very convenient for SAST within the editor.

Required tuning

  • What’s the learning curve like to write custom rules? How approachable is the rule-writing syntax?
  • What aspects of the tool require engineering effort to tune?

Noisiness and allowlisting: SAST is notoriously prone to false positives, which is a major barrier to adoption.

  • How does the tool handle allowlisting rules that trigger false positives?
  • How are allowlists scoped? By rule, by file/directory, by project?
  • Can allowlists be defined in rule or configuration files for version control and re-use? Many tools handle allowlisting via command-line parameters, necessitating a scripting layer.

Deployment and maintenance

  • Where does the tool run?
  • How many developers will use it?
  • What time investment is needed to deploy and operate it?
  • Is a licensing server or other infrastructure required?

Support and user community

  • Is the tool actively maintained?
  • What free or paid support options exist?
  • How many people contribute to it?
  • How many engineers or companies use it?

Integrations with other tools you use

  • Does the tool integrate with your existing tools such as version control or issue trackers?
  • If integrations for your needs don’t exist, is the tool’s output available in an easy-to-consume format like JSON, XML, or an API? This eases integration efforts.
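Several of the factors above (CWE mapping for metrics, allowlists scoped by rule and path and kept in version control, and JSON output as the integration point) come together in a small scripting layer. The following is an added example, not code from the original post or from any SAST vendor. The report shape is a simplified assumption modelled on Semgrep's `--json` output (`check_id`, `path`, `start.line`, `extra.severity`, `extra.metadata.cwe`); the field names, the sample findings and the allowlist file format are all constructed, so adapt them to whatever your tool actually emits.

```python
"""Triage SAST findings from a JSON report using a version-controlled allowlist.

Added example (not the post's or Semgrep's code). The report layout is an
assumption loosely modelled on Semgrep's --json output; check your tool's schema.
"""
import fnmatch
import json
from collections import Counter

# Constructed sample report: three findings, two rules, mixed severities.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/cli.py", "start": {"line": 42},
         "extra": {"severity": "WARNING",
                   "message": "subprocess call with shell=True",
                   "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "tests/test_cli.py", "start": {"line": 7},
         "extra": {"severity": "WARNING",
                   "message": "subprocess call with shell=True",
                   "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
        {"check_id": "python.django.security.injection.sql-injection",
         "path": "app/views.py", "start": {"line": 88},
         "extra": {"severity": "ERROR",
                   "message": "string-built SQL query",
                   "metadata": {"cwe": "CWE-89: SQL Injection"}}},
    ],
    "errors": [],
})

# Constructed allowlist, intended to live in the repo (e.g. .sast-allowlist.json)
# so suppressions are code-reviewed and versioned. Each entry is scoped by rule id
# plus a path glob; "*" scopes the suppression to the whole project.
SAMPLE_ALLOWLIST = [
    {"rule": "python.lang.security.audit.subprocess-shell-true",
     "path": "tests/*",
     "reason": "test fixtures spawn local commands with fixed arguments"},
]


def load_findings(report_json):
    """Flatten the report into plain dicts holding only what triage needs."""
    findings = []
    for r in json.loads(report_json).get("results", []):
        extra = r.get("extra", {})
        cwe = extra.get("metadata", {}).get("cwe", [])
        if isinstance(cwe, str):  # some rules carry one string, others a list
            cwe = [cwe]
        findings.append({
            "rule": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra.get("severity", "INFO"),
            # Keep just the identifier ("CWE-78") so metrics group cleanly.
            "cwe": [c.split(":")[0].strip() for c in cwe],
        })
    return findings


def is_allowlisted(finding, allowlist):
    """A finding is suppressed only if both the rule id and the path scope match."""
    return any(entry["rule"] == finding["rule"]
               and fnmatch.fnmatch(finding["path"], entry["path"])
               for entry in allowlist)


def triage(report_json, allowlist, blocking_severity="ERROR"):
    """Apply the allowlist, tally CWE counts, and pick out CI-blocking findings."""
    findings = load_findings(report_json)
    kept = [f for f in findings if not is_allowlisted(f, allowlist)]
    cwe_counts = Counter(c for f in kept for c in f["cwe"])
    blocking = [f for f in kept if f["severity"] == blocking_severity]
    return {
        "kept": kept,
        "suppressed": len(findings) - len(kept),
        "cwe_counts": dict(cwe_counts),
        "blocking": blocking,
    }


def ci_exit_code(summary):
    """Fail the pipeline only on blocking findings; warnings are reported, not fatal."""
    return 1 if summary["blocking"] else 0


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, SAMPLE_ALLOWLIST)
    print(json.dumps(summary, indent=2))
    raise SystemExit(ci_exit_code(summary))
```

Keeping the allowlist in the repository rather than on the command line gives every suppression a diff, a reviewer and a recorded reason, and the CWE tally is the raw material for the "security issue types over time" metric mentioned above.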

Source code leakage

  • Does the tool upload your source code to external servers or companies?
  • If your code leaves your control, what security controls protect your code with third parties?
  • Are these tradeoffs acceptable for your organization’s risk tolerance?

Semgrep

Semgrep (semantic grep) stands out in a crowded field of SAST tools. It’s a fast, free (with a paid tier), open-source static analysis engine with serious benefits:

  • Supports 30+ languages with stable support for widely-used languages (including Java, JavaScript, Python, Ruby, C#, Go, and PHP).
  • Simpler rule-writing syntax and learning curve compared with many SAST tools. To get a sense for this, check out the rule-writing docs/playground or this recorded demo.
  • Security community momentum and support.
  • Useful to enforce coding standards and build secure coding “guardrails” for developers. Well-written rules can detect secure coding anti-patterns, use of insecure defaults, and opportunities to write more secure code using language and framework features.
  • Fully local execution: your source code is analyzed locally, and is not uploaded to servers or companies outside your control.
  • Curated rulesets in the standard rules library, and a rule registry (free and paid rulesets contributed by Semgrep engineers and others).

If you’re going to choose one SAST tool, Semgrep should be near the top of your list!
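To show what the "semantic" in semantic grep buys you, here is an added example that is not Semgrep's code (Semgrep rules are written in YAML and run by its own engine). It uses Python's standard `ast` module to implement two guardrail-style checks of the kind described above, flagging `subprocess` calls with `shell=True` and `yaml.load()` without an explicit `Loader`, and compares the result with a plain text search over the same constructed source, which is fooled by a comment and a string literal. The sample source, rule names and CWE labels are constructed for the example.

```python
"""Two tiny syntax-aware checks, added as an illustration of why SAST engines
match on the parsed program rather than on text. Not Semgrep's implementation.
"""
import ast

# Constructed sample source: two real hits, two safe calls, and two text decoys
# (a comment and a string) that a grep for "shell=True" would also flag.
SAMPLE_SOURCE = '''
import subprocess
import yaml

def run(cmd):
    # never pass shell=True with untrusted input
    return subprocess.run(cmd, shell=True)

def run_safe(args):
    return subprocess.run(args, shell=False)

def parse(doc):
    return yaml.load(doc)

def parse_safe(doc):
    return yaml.load(doc, Loader=yaml.SafeLoader)

banner = "set shell=True in config"
'''

SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}


def _call_name(node):
    """Return the dotted callee name, e.g. 'subprocess.run', or None if it is
    not a plain name/attribute chain (dynamic callees are skipped)."""
    parts = []
    cur = node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
        return ".".join(reversed(parts))
    return None


def find_issues(source):
    """Walk the AST and report calls matching either guardrail rule."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        shell = kwargs.get("shell")
        if (name in SUBPROCESS_CALLS and isinstance(shell, ast.Constant)
                and shell.value is True):
            issues.append({"rule": "subprocess-shell-true",
                           "cwe": "CWE-78", "line": node.lineno})
        elif name == "yaml.load" and "Loader" not in kwargs:
            issues.append({"rule": "yaml-load-no-loader",
                           "cwe": "CWE-502", "line": node.lineno})
    return sorted(issues, key=lambda i: i["line"])


def grep_count(source, needle):
    """Naive text search for comparison: number of lines containing the needle."""
    return sum(1 for line in source.splitlines() if needle in line)


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_SOURCE):
        print(f"line {issue['line']}: {issue['rule']} ({issue['cwe']})")
    print("text matches for 'shell=True':", grep_count(SAMPLE_SOURCE, "shell=True"))
```

The AST walk reports exactly the two dangerous calls, while the text search counts three matches because it cannot tell code from a comment or a string. The example deliberately stops short of what a real engine does next: it does not resolve aliased imports (`from subprocess import run as sh`), follow values across function calls, or distinguish `Loader=yaml.SafeLoader` from `Loader=yaml.Loader`. Those are the "how well does the tool understand your codebase" questions from the tool-selection list above.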

Other Security Tools

Here are some well-known security tools built into major version control platforms:

  • GitLab’s security features include SAST, secret scanning, IaC (infrastructure-as-code) scanning, dependency scanning, fuzzing, build-time and deploy-time container scanning, and dynamic/black-box testing for APIs and web applications.
  • GitHub’s security features include SAST, secret scanning, Dependabot (auto-create pull requests to keep your software’s dependencies patched), and CodeQL (search code for bugs and security defects).

Here are some major commercial SAST tools with CI integrations:

OWASP maintains a list of SAST tools, including a long tail that are specific to programming languages or frameworks.

Code Quality Tools

An ethic of craftsmanship and rigorous testing yields high-quality, reasonably-secure code. It’s worth putting effort into code quality beyond security! Security correlates strongly with other aspects of code quality:

  • Testability
  • Maintainability
  • Readability
  • Performance
  • Good documentation

Check out analysis-tools.dev for a community-curated, well-organized resource to discover and compare code quality tools (mainly static analyzers, linters, and code formatters).

SonarQube stands out among code quality tools for its security-specific rules, broad language support, and numerous CI integrations.

Thanks for reading. If you like what you read, check out the next post in the series on using git hooks for security.

This post is licensed under CC BY 4.0 by the author.