Hey everyone!
I work for a fairly small company and we are looking at different SAST tools. We are currently using Semgrep; however, we have outgrown the free tier, so we are looking at prices of different options before proceeding with anything.
Any recommendations of SAST tools that aren't overly expensive would be appreciated!
Tech Stack: iOS apps written in Obj-C; web apps in TypeScript, JavaScript, PHP, C#; Android apps in Kotlin.
GitHub hosted.
Hi, well, you could use open source for starters:
1). https://www.aquasec.com/products/open-source-projects/
2). Here is a source of open source SAST tools based on OWASP as well - https://owasp.org/www-community/Source_Code_Analysis_Tools
Regards
Caute_Cautim
Thanks @Caute_cautim, I did look at the OWASP list last time but didn't find one that suited all our projects without having to use multiple different solutions.
The Aqua list looks to be mostly infrastructure scanning (Kubernetes etc.), but I'll go through both lists again anyway and look. Thanks for the suggestions!
Not sure if you are still looking for an answer... Did you check SonarQube? The community edition is free.
@sb23 All input is invaluable; it is a fast-moving field. I hadn't realised there was a community edition myself.
Thanks
Regards
Caute_Cautim
Always welcome new answers!
We ended up going with DeepSource. It's not free, but since we only have me as the security engineer the pricing worked out best, since it's not based on scan number or committer number, but instead on how many people will have access to the actual DeepSource platform.
I know it is a late reply as I have been away for a few months, but Fortify (Micro Focus) and Veracode are also suitable options. It depends, of course, on your company's budget, the number of users and their level of maturity in the DevSecOps approach, the applications, and the scan frequency required to define the best return on your investment.