search

ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.25k stars 460 forks source link

Add more options for SAST tools #2318

Open varunsh-coder opened 1 year ago

varunsh-coder commented 1 year ago

Is your feature request related to a problem? Please describe. I would like to start a discussion to add more options for SAST tools. As of now, 3 tools are checked in the SAST check - CodeQL, LGTM, Sonar. As per this issue, LGTM is going away.

Here are some of the things to consider:

  1. Language specific tools - as an example, GoSec, and Bandit are well known tools for Go and Python respectively.
  2. Pricing - if one runs Scorecard in private repo, they might want to pass the SAST check while using free/ open source SAST tools.
  3. Specialized purpose - as an example, there are tools that specialize in scanning for secrets. This is an important check which is missing in scorecard today. Also, CIS benchmark for supply chain security, has following additional categories:
    • Scanner for CI pipelines - I think Scorecard already has checks for GitHub Actions.
    • Scanner for IaC - not sure if this is in-scope for Scorecard
    • Scanner for vulnerabilities in open source packages being used, e.g. Dependency Review Action.
    • Scanner for open source license issues

Describe the solution you'd like Would like to have a discussion to come to consensus on what additional SAST tools to add in Scorecard check. Based on the decision, those tools can then be added in the SAST check.

laurentsimon commented 1 year ago

Tools for IaC scanning:

varunsh-coder commented 1 year ago

I am starting the analysis using the table below of popular linting and security-related tools per language and using the top programming languages blog post as a way to prioritize the analysis.

I am not an expert in any of these languages or the most used linters/ security tools. This is just a way to organize the info. Please share feedback and info on other popular linters/ security tools.

Found this page on GitLab SAST that has tools with emphasis on security per language and this page with list of linters in the SuperLinter GitHub Action.

Language Popular linters Popular tools with emphasis on security
JavaScript, TypeScript ESLint CodeQL, Semgrep, ESlint security plugin
Python Pylint, flak8, black, isort CodeQL, Semgrep, Bandit
Java Checkstyle CodeQL, Semgrep
C# Rosyln analyzers CodeQL, Semgrep, security-code-scan
C, C++ cpplint CodeQL, Semgrep, Flawfinder
PHP PHP built-in linter, PHP Code sniffer, PHPStan, Psalm Semgrep, phpcs-security-audit
Ruby RuboCop CodeQL, Semgrep, brakeman
Go golangci-lint CodeQL, Semgrep, Gosec
Swift MobSF
ljharb commented 1 year ago

Ruby has Rubocop, as well.

rozhukov commented 1 year ago

Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

joycebrum commented 12 months ago

Just an update on the @varunsh-coder table to also include go vet #3128

Language Popular linters Popular tools with emphasis on security
JavaScript, TypeScript ESLint CodeQL, Semgrep, ESlint security plugin
Python Pylint, flak8, black, isort CodeQL, Semgrep, Bandit
Java Checkstyle CodeQL, Semgrep
C# Rosyln analyzers CodeQL, Semgrep, security-code-scan
C, C++ cpplint CodeQL, Semgrep, Flawfinder
PHP PHP built-in linter, PHP Code sniffer, PHPStan, Psalm Semgrep, phpcs-security-audit
Ruby RuboCop CodeQL, Semgrep, brakeman
Go golangci-lint, go vet CodeQL, Semgrep, Gosec
Swift   MobSF
github-actions[bot] commented 9 months ago

Stale issue message - this issue will be closed in 7 days

rozhukov commented 9 months ago

Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

I believe free Coverity could be added to the table @joycebrum mentioned for: JavaScript, Python, Java, C#, C/C++, PHP, Ruby, Go, Swift. I'm not sure about TypeScript.

laurentsimon commented 9 months ago

/cc @AdamKorcz

gabibguti commented 8 months ago

Evaluate Clippy tool used for Rust projects as a possible valid SAST tool.

Related to: https://github.com/ossf/scorecard-action/issues/1017#issuecomment-1783094528

siddharthab commented 8 months ago

Trunk Check is a very comprehensive meta-linter that covers most file types. It is a commercial offering (but free for small teams), and is in the same spirit as pre-commit.ci. We have been using it for some time and are very happy with it.

gabibguti commented 7 months ago

https://github.com/ossf/scorecard/issues/3709

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 60 days with no activity.

chgl commented 3 months ago

There's https://megalinter.io/latest/ which includes the majority (all of?) the linting tools listed in the table above. Also https://github.com/super-linter/super-linter which is comparable but with fewer linters.

github-actions[bot] commented 4 weeks ago

This issue has been marked stale because it has been open for 60 days with no activity.