Open JeanChristopheMorinPerso opened 9 months ago
Hi @JeanChristopheMorinPerso, I'm interested to pursue this topic and work on SAST implementation. I would like to work on the Issue if it is not already taken.
Hi @Rana-KV! Nobody "started" work on this yet. I use quotes because I did start to look into semgrep to get myself more familiar with it. One of my co-maintainers (@maxnbk) also has experience with semgrep.
Do you have experience with it or with CodeQL or both? Or would you like to suggest another tool instead of these? Feel free to suggest other options and tell us how we could integrate one or multiple SAST tools in our repo!
Also, if you want to have a chat with us about this, please join us on Slack (https://slack.aswf.io, in the #rez channel).
Hey @JeanChristopheMorinPerso and @maxnbk, I'm somewhat familiar with Semgrep and CodeQL. I've had some experience with CNCF TAG security during security assessments and came across a few SAST tools they use. I'm planning to dig up some more info on this. Also, @milind-daftari has experience with enterprise-level SAST solutions like Veracode and SonarQube, we planned to do this SAST integration together. I'll hit you up on Slack to chat more about this.
As part of the OpenSSF Best Practices badges, we need to add at least one SAST (Static Application Security Testing) tool.
We could take a look at https://semgrep.dev/ which provides both a free and "pro" version. The pro version is free for public open source repos. Alternatively, we could also look at https://codeql.github.com/ which is also free for open source repos.
Requirements:
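As an illustration of how the two tools named in the issue could be wired into CI, here is a minimal GitHub Actions workflow. It is an added example, not the project's own configuration or anything proposed in the thread; it assumes the repository is primarily Python (the CodeQL `languages` value), that the free Semgrep rule set selected by `--config auto` is sufficient (no Semgrep App token), and that results should land in the repository's code scanning tab via SARIF upload.

```yaml
# Added example: minimal SAST workflow running Semgrep and CodeQL on every push and PR.
# Not the project's own configuration; the language list is an assumption.
name: SAST

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image, avoids installing Semgrep on the runner
    steps:
      - uses: actions/checkout@v4
      # Free, auto-selected rules; a SEMGREP_APP_TOKEN secret would switch this to the Pro rules.
      - run: semgrep scan --config auto --sarif --output semgrep.sarif
      # Upload even when findings are present so they show up as code scanning alerts.
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python   # assumption: adjust to the languages actually in the repo
      - uses: github/codeql-action/analyze@v3
```

Running the two scanners as separate jobs keeps their failures independent, and restricting `permissions` to `contents: read` plus `security-events: write` follows the least-privilege practice the OpenSSF badge also asks about; the default `GITHUB_TOKEN` otherwise carries broader write access than a scanner needs.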