OWASP DevSecOps Guideline - v-0.2
Static scanning is an important part of the proces!
Static Code Analysis or Source Code Analysis is usually part of a Code Review (white-box testing) and it is a method of computer program debugging that is done by examining the code without executing the program.
Static scanning is good way finding coding issues such as:
- Syntax violations
- Security vulnerabilities
- Programming errors
- Coding standard violations
- Undefined values
For more information about the Static Code Analysis please visit the OWASP page
To achieve a better result we can combine static security scanning and 3rd party code (open-source libraries (dependency)) scanning.
To doing this part better and more complete (prevent misconfigurations), here we can bring up IaC (Infrastructure as code) security scan too. For example check Terraform, helm, Ansible code, etc.
So according to the above lines the possible actions in this step are as follows:
- Static Code Analysis (known as SAST)
- Open-source libraries (3rd party / dependency) scanning (known as SCA)
- IaC Security scanning
Tools
-
Static Code Analysis:
- SonarQube - An open-source web-based tool, extending its coverage to more than 20 languages, and also allows a number of plugins
- Veracode - A static analysis tool that is built on the SaaS model. This tool is mainly used to analyze the code from a security point of view
- security code scan - Vulnerability Patterns Detector for C# and VB.NET
- Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
- Enlightn - A static analysis vulnerability scanner for Laravel PHP applications
- Inquisition - A set of tools for convenient technical analysis of web applications built with Ruby and Ruby on Rails. Now you don’t need to set up and configure every single gem. Use Inquisition gem instead
- CodeSweep - Static Analysis tool for GitHub that’s free to use and can scan code on pull request. Support over 20 languages and IaC (docker, k8s). VS Code version can be found here
- HCL AppScan on Cloud - SAST tool built as a service. The tool can perform traditional SAST, SCA and IaC scanning.
- Semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- Checkmarx SAST - A static analysis security vulnerability scanner
- Fortify- A static analysis security vulnerability scanner
-
IaC scanning:
- Checkov - Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew
- ansible-lint - Best practices checker for Ansible
- puppet-lint - Check that your Puppet manifests conform to the style guide
- tfsec - Security scanner for your Terraform code
- terrascan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure
- tflint - A Pluggable Terraform Linter