A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.
-
Updated
Apr 13, 2021 - Rust
#
sast
Here are 67 public repositories matching this topic...
nodejsscan is a static security code scanner for Node.js applications.
nodejs
javascript
lint
security
node
static-analysis
code-analysis
code-review
security-scanner
devsecops
sast
node-security
nodejsscan
-
Updated
Apr 3, 2021 - CSS
williepaul
commented
Jan 15, 2021
- terrascan version: 1.2
- Operating System: all
Description
When scanning a repo, if the severity field is not all caps (HIGH|MEDIUM|LOW), when violations are output, the color of the severity field does not show up. The compare should be case-insensitive, OR we can normalize the severity field.
What I Did
terrascan scan -d [dir]
Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
ruby
kotlin
python
java
cli
golang
security
analysis
ci
cd
terraform
scanner
static-analysis
netcore
vulnerabilities
hacktoberfest
sast
security-flaws
security-development
sast-analysis
-
Updated
Apr 16, 2021 - Go
prabhu
commented
Jul 9, 2020
It will be a fun exercise to make scan work for mono repos such as https://github.com/swapnil-linux/spring-boot-examples
In theory, this can be achieved using a bit of bash with the new scan AppImage.
基于pytorch的ocr算法库,包括 psenet, pan, dbnet, sast , crnn
-
Updated
Apr 4, 2021 - C++
Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
nodejs
javascript
android
kotlin
swift
cli
ios
csharp
maven
dotnet
static-analysis
owasp
static-analyzer
android-security
ios-security
security-scanner
security-automation
security-tools
sast
insider
-
Updated
Jan 26, 2021 - Go
A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
-
Updated
Apr 11, 2021 - Python
njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
nodejs
lint
python
security
semantic
linter
static-analysis
expressjs
jslint
static-analyzer
codereview
appsec
staticanalysis
security-tools
devsecops
sast
nodesecurity
nodejsscan
codescanner
njsscan
-
Updated
Apr 3, 2021 - JavaScript
r0hi7
commented
Jun 27, 2020
Scan the docker network for open ports and vulnerable services.
Fully open-source SAST scanner supporting a range of languages and frameworks. Integrates with major CI pipelines and IDE such as Azure DevOps, Google CloudBuild, VS Code and Visual Studio. No server required!
-
Updated
Sep 4, 2020 - Python
JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns.
-
Updated
Mar 21, 2021 - JavaScript
Generic SAST Library
security
regex
static-analyzer
appsec
codeanalysis
staticanalysis
sast
semgrep
semanticgrep
patternmatch
genericsast
libsast
-
Updated
Apr 3, 2021 - Python
Django application that performs SAST and Malware Analysis for Android APKs
docker
django
malware
django-rest-framework
apk
malware-analysis
android-security
mobile-security
virustotal
androguard
apk-analysis
sast
code-security
defect-dojo
mobile-audit
-
Updated
Apr 14, 2021 - HTML
A wrapper around Semgrep that supports running as a Github Action, in Gitlab, and other CI providers and interfacing with https://semgrep.dev
-
Updated
Apr 16, 2021 - Python
Checkmarx Scan Github Action
security
scanning
appsec
sca
sast
osa
checkmarx-sast
github-actions
checkmarx
security-vulnerabilities
checkmarx-server
-
Updated
Apr 13, 2021 - JavaScript
Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans
-
Updated
Apr 13, 2019 - Java
GitHub Action to set up Fortify ScanCentral Client
github
setup
security
static-analysis
application-security
action
appsec
fortify
sast
github-action
fortify-ssc
fortify-on-demand
-
Updated
Mar 10, 2021 - TypeScript
Clouddefense.ai is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting and other exploitable vulnerabilities.
nodejs
ruby
kotlin
java
go
swift
php
hacking
xss
penetration-testing
vulnerability-scanner
sast
dast
-
Updated
Mar 29, 2021
Curated list of security tools
kubernetes
security
list
cloud
oss
tools
osc
scanner
security-tools
devsecops
sast
dast
oss-compliance
-
Updated
Dec 9, 2020
GitHub Action to set up the Fortify on Demand (FoD) upload utility
github
setup
security
static-analysis
uploader
application-security
action
appsec
fortify
sast
github-action
fortify-on-demand
-
Updated
Mar 10, 2021 - TypeScript
Official Github Action for Insider
nodejs
javascript
android
kotlin
java
swift
csharp
dotnet
owasp
static-analyzer
security-scanner
security-tools
sast
github-actions
insider
actios
-
Updated
Apr 1, 2021 - TypeScript
Github Action for security scanning utilizing Salus by Coinbase
security
continuous-integration
static-analysis
sast
salus
security-scanning
github-actions
dependency-scanning
-
Updated
Feb 24, 2021 - Shell
Improve this page
Add a description, image, and links to the sast topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the sast topic, visit your repo's landing page and select "manage topics."
Describe the bug
According to the SARIF spec,
invocationshould be the child of arun:https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10540933
Currently
build_sarif_outputis nesting it at the root of the document, which is producing SARIF which does not conform to the specification:https://github.com/returntocorp/semgrep/blob/9a73a142dc