I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (e.g. Checkmarx).
SonarQube is a great static code analysis tool, but I notice that there are only a few rules of the "Vulnerabilities" type ("Vulnerabilities" equals "Security", am I right?).
I plan to extend some custom plugins including a lot of vulnerabilities rules (maybe hundreds of rules for C/C++, Java, and other languages that SonarQube supports).
Is that a practicable way to make SonarQube a "Checkmarx like" tool? Or is SonarQube suitable for static security testing? (I'm not sure if Sonar Scanner is suitable for scanning security problems)
Thanks a lot!
Yes, you are correct, SonarQube does have SAST capabilities.
Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk. Just follow the guidance, check in a fix and secure your application. Use a key length that provides enough entropy against brute-force attacks.
Static Application Security Testing (SAST) with SonarQube Developer Edition.
Static Application Security Testing (SAST) is a frequently used Application Security (AppSec) tool, which scans an application's source, binary, or byte code. A white-box testing tool, it identifies the root cause of vulnerabilities and helps remediate the underlying security flaws.
There is a separate SAST tool released by the OWASP team named "OWASP SonarQube". This is developed using the SonarQube tool, but as a SAST tool.
This tool can be integrated with your project build in the same way as the SonarQube integration. So if you are familiar with SonarQube, it will be a straightforward move.
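To give a concrete picture of what one of the "hundreds of custom vulnerability rules" mentioned in the question would look like, here is an added example of a custom Java check written against the sonar-java plugin API (this is illustrative code, not from SonarQube, OWASP or any answer above). It assumes a plugin project that depends on `sonar-java-plugin` and registers the check through a `CheckRegistrar`; the rule key `WeakRsaKeyLength` and the 2048-bit threshold are this example's own choices, echoing the "enough entropy against brute-force attacks" guidance quoted earlier.

```java
package example.checks; // hypothetical package for this added example

import java.util.Collections;
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;

/**
 * Flags KeyPairGenerator.initialize(int) calls whose literal key size is
 * below 2048 bits. Example: KeyPairGenerator.getInstance("RSA").initialize(1024)
 * is reported; initialize(4096) is not.
 */
@Rule(key = "WeakRsaKeyLength") // rule key chosen for this example
public class WeakRsaKeyLengthCheck extends IssuableSubscriptionVisitor {

  private static final int MIN_BITS = 2048; // threshold chosen for this example

  // Semantic matcher: only java.security.KeyPairGenerator#initialize(int)
  private static final MethodMatchers INITIALIZE = MethodMatchers.create()
      .ofTypes("java.security.KeyPairGenerator")
      .names("initialize")
      .addParametersMatcher("int")
      .build();

  @Override
  public List<Tree.Kind> nodesToVisit() {
    // Subscribe to method calls only; the visitor skips every other node kind
    return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
  }

  @Override
  public void visitNode(Tree tree) {
    MethodInvocationTree mit = (MethodInvocationTree) tree;
    if (!INITIALIZE.matches(mit)) {
      return;
    }
    ExpressionTree arg = mit.arguments().get(0);
    // Only decide on integer literals; a variable or expression is left alone
    // rather than guessed at, which keeps the rule free of false positives.
    if (arg.is(Tree.Kind.INT_LITERAL)) {
      int bits = Integer.parseInt(((LiteralTree) arg).value().replace("_", ""));
      if (bits < MIN_BITS) {
        reportIssue(arg, "Use a key length of at least " + MIN_BITS
            + " bits; " + bits + " bits does not resist brute force.");
      }
    }
  }
}
```

Each such check is a few dozen lines, so the limiting factor for a "Checkmarx like" rule set is the semantic modelling (taint tracking across methods is not something a subscription visitor like this gives you for free), not the plugin mechanics.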