I work for a fairly small company and we are looking at different SAST tools. We are currently using Semgrep however we have outgrown the free tier so are looking at prices of different options before proceeding with anything.
Any recommendations of SAST tools that aren't overly expensive would be appreciated!
Hi Well you could use Open Source for starters,
2). Here is a source of Opensource SAST tools based on OWASP as well - https://owasp.org/www-community/Source_Code_Analysis_Tools
Thanks @Caute_cautim I did look at the OWASP list last time but didn't find one that suited all our projects without having to use multiple different solutions.
The aqua list looks to be mostly infrastructure scanning (Kubernetes etc), but I'll go through both lists again anyway and look. Thanks for the suggestions!
Always welcome new answers!
We ended up going with DeepSource. Its not free but since we only have me as the security engineer the pricing worked out best since its not based on scan number or committer number, but instead based on how many people will have access to the actual deepsource platform
I know it is late reply as I have been away for a few months but Fortify (Microfocus) and Veracode are also suitable options. Depends of course on your company's budget, amount of users and their level of maturity on the DevSecOps approach, applications and scans frequency required to define the best return of your investment.