TheFruityKiwi
Newcomer I

Seeking Recommendations on SAST tools?

Hey everyone!

I work for a fairly small company and we are looking at different SAST tools. We are currently using Semgrep; however, we have outgrown the free tier, so we are looking at the prices of different options before proceeding with anything.

Any recommendations of SAST tools that aren't overly expensive would be appreciated!

Tech stack: iOS apps written in Obj-C; web apps in TypeScript, JavaScript, PHP, C#; Android apps in Kotlin. GitHub hosted.

6 Replies
Caute_cautim
Community Champion

@TheFruityKiwi

Hi, well, you could use open source for starters:

1. https://www.aquasec.com/products/open-source-projects/

2. Here is an OWASP source of open-source SAST tools as well: https://owasp.org/www-community/Source_Code_Analysis_Tools

Regards,

Caute_Cautim

TheFruityKiwi
Newcomer I

Thanks @Caute_cautim. I did look at the OWASP list last time but didn't find one that suited all our projects without having to use multiple different solutions.

The Aqua list looks to be mostly infrastructure scanning (Kubernetes etc.), but I'll go through both lists again anyway and look. Thanks for the suggestions!

sb23
Viewer

Not sure if you are still looking for an answer... Did you check SonarQube? The community edition is free.

Caute_cautim
Community Champion

@sb23 All input is invaluable; it is a fast-moving field. I hadn't realised there was a community edition myself.

Thanks

Regards,

Caute_Cautim

TheFruityKiwi
Newcomer I

Always welcome new answers!

We ended up going with DeepSource. It's not free, but since I am the only security engineer, the pricing worked out best: it's not based on scan count or committer count, but instead on how many people will have access to the actual DeepSource platform.

ccorrea
Newcomer I

I know it is a late reply, as I have been away for a few months, but Fortify (Micro Focus) and Veracode are also suitable options. It depends, of course, on your company's budget, the number of users and their level of maturity with the DevSecOps approach, and the applications and scan frequency required, to define the best return on your investment.