valkey-io/valkey-glide

Add static vulnerability analysis tool (AppSec requirement)

Closed this issue · 4 comments

We should have a scanning tool enabled on the project that has a mechanism to receive and respond to alerts.

Requirements are that it has good rulesets for vulnerability coverage for the language, the ability to alert teams or the repository on issues, and is kept up to date with vulnerabilities as they are discovered.

Popular tools: SonarQube, Semgrep, Drek

for which languages is this? Rust, wrappers, both?

both

We'll probably want to either let it scan on PRs or scan daily. Was there a recommendation from the team?

Regarding the tools - where did SonarQube, Semgrep and Drek come from? Do we have a recommendation from AppSec? Asking because SonarQube requires a license (or running via Docker), Semgrep has both a free and a paid version, and Drek did not show up in any of the recommended lists I found...
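For reference, the "scan on PRs or scan daily" question above can be satisfied with a single GitHub Actions workflow. The following is an added example written for this thread, not a workflow from the valkey-glide repository or from the Semgrep project: it runs Semgrep on every pull request and once a day (so newly published registry rules are applied even when no PR is open), and uploads the results as SARIF so they surface as code-scanning alerts, which is the alerting mechanism the original requirement asks for. The rule packs `p/default` and `p/rust`, the cron time, and the choice of the official `semgrep/semgrep` container image are assumptions; the packs for the wrapper languages would have to be added to match what is actually in the repository.

```yaml
# Added example: Semgrep SAST workflow for PRs plus a daily scheduled scan.
# Not part of the valkey-glide repository; rule packs and schedule are assumptions.
name: semgrep-sast

on:
  pull_request:
  schedule:
    - cron: "0 3 * * *"   # daily at 03:00 UTC, so new rules are picked up without a PR
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # required for the SARIF upload to create code-scanning alerts

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image; pin to a tag or digest in production
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        # p/default is a general-purpose pack; p/rust covers the core library.
        # Add the packs for the wrapper languages present in the repository (assumption:
        # the exact set depends on which wrappers are checked in).
        # --error makes the job fail when findings exist, so a PR check turns red.
        run: >
          semgrep scan
          --config p/default
          --config p/rust
          --sarif --output semgrep.sarif
          --error

      - name: Upload findings to GitHub code scanning
        if: always()   # upload even when the scan step failed because of findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

With this in place the PR run answers "block on new findings" and the scheduled run answers "stay up to date as rules are added"; the SARIF upload routes findings into the repository's code-scanning alerts, where the people with the security-alert role are notified, so no separate alerting channel has to be built.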