I want to implement SAST on our CICD pipeline and I can't find opensource SAST tools except sonarqube. Is there any alternative tools to sonarqube?
I just want to explore other tools but can't find any opensource tools..
Is SonarQube the only open source SAST tool
725 Views Asked by Syed ayaz At
2
There are 2 best solutions below
0
ine
On
As far as I know, the only SAST scanners which are open source and support multiple languages are Semgrep and SonarQube (as opposed to eslint, Spotbugs, etc. which are typically language-specific and usually more focused on linting than security issues):
- https://github.com/semgrep/semgrep is LGPL-2.1 and supports about ~37 languages https://semgrep.dev/docs/supported-languages/
- https://github.com/SonarSource/sonarqube is LGPL 3.0.1 and supports ~34 languages https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/languages/overview/
Related Questions in SONARQUBE
- Sonarqube not allowing me to set policy for S3 bucket
- Jacoco Coverage in Multi-Module Gradle Project Not Including Submodules
- How to solve sonarqube issue based on bug to return a copy
- Java Code Coverage with both Jacoco & SonarQube
- Sonar qube i installed is not working and it show "...... Try: Checking the connection Checking the proxy and the firewall ERR_CONNECTION_REFUSED"
- SonarLint vs code error of skipping files
- Sonar qube container cannot authenticate with token
- Is there a Sonar-Elixir plugin compatible with SonarQube 10.4.1?
- Error: LinkageError occurred while loading main class org.sonarsource.scanner.cli.Main
- SonarQube: False-Positive S100 - Method names should comply with a naming convention
- Sonarcloud - Sonar warning - Accept button - "Valid issue but won't be fixed now, it's acceptable for a while."
- What refactoring should I apply on this email validation regex?
- Flutter SonarQube: "The main branch has no lines of code."
- SonarScan not recognising python code at the source directory
- How is this passing the quality gate
Related Questions in STATIC-ANALYSIS
- Ansible role analysis with Checkov - facts evaluation?
- Flutter SonarQube: "The main branch has no lines of code."
- the expressionType and includePath of CDT parser
- Adding entry to program header table
- Static checker that number of arguments to python logging matches number of placeholders
- Why am I getting this error when using dataflow in Codeql
- How to disallow exception to curly_braces_in_flow_control_structures linter rule in dart?
- Security scan flagged local variable for heap inspection in C Function
- Is it possible to use Eclipse JDT static analysis for null annotations when compiling from the command line?
- Remove directory from sonar analyzer
- Sonar qube issue in using aes-256-cbc algoritm, stating Make sure that encrypting data is safe here
- Programming language/library that uses dataflow analysis to fetch only required data from the database
- Export comments from Fortify Software Security Center
- Changing lint configuration based on Cargo profile
- Can I reproduce eslint's "prefer-object-spread" rule using ast-grep?
Related Questions in CICD
- While Running Github Actions Pipeline: No Signing Certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID
- Shellscript touch command not working in jenkins pipeline
- Jenkins Docker Agent Configuration Issue: Connection Refused on Local Ubuntu Install
- Can you dynamically set a docker image LABEL to a git commit value when building an image with packer?
- Jenkins pipeline script: Accept merge request from Gitlab
- Unable to use env variable from prd environment context
- NodeJS [Errno 13] Permission denied - Azure DevOps pipleline AWS Lambda deployment
- Created Jenkins pipeline and added the script in the Pipeline Description.To check out the Project from the svn repository.NotWorking. Any Suggestion
- GitLab release-job creates a release where asset is artifacts.zip instead of concrete file
- Getting " Unauthorized Access" error in Git Actions(CI) when trying to run Fastlane(CD)
- avoid duplicated job in the gitlab-ci
- Can't figure out why the pipeline does not run
- Integrate Deployment status to Work Items in TFS
- pytest command used in gitlab CICD pipeline does not automatically pick test_* script and throws error "CoverageWarning: No data was collected."
- Jenkins install docker
Related Questions in SAST
- making android analyze with coverity sast tool
- Fortify remote scan - Jenkins
- How does Fortify calculates the "estimated remediation effort" score?
- GitHub Advanced Security for Azure DevOps PCI vulnerabilities
- `snyk-scm-contributor-count` failing to retrieve project list from github
- Nodejscan in Gitlab SAST gives no matches found
- Possible to upload/push/publish gitlab SAST (gl-sast-report) generated in Project A to Project B?
- How can I fill this YML file?
- Solve checkmarx Spring ModelView Injection
- How to perform Source Code Scanning on a code that is using RSA Key Container
- Juliet test suite result validation
- Gitlab SAST/DAST configuration for memory leaks
- SAST_EXCLUDED_PATHS wont ignore my directories
- the SAST job does not appear in Gitlab pipeline
- checkmarx: Stored Absolute Path Traversal for Files.readAllBytes and Files.readAllLines
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Sonarqube is not the only tool. However it is the most known / market leader so to speak. Other tools are e.g. Spotbugs (previsouly known as findbugs), PMD and so on. You can check this list on wiki