
Add more options for SAST tools

Open varunsh-coder opened this issue 3 years ago • 15 comments

**Is your feature request related to a problem? Please describe.**

I would like to start a discussion to add more options for SAST tools. As of now, 3 tools are checked in the SAST check - CodeQL, LGTM, Sonar. As per this issue, LGTM is going away.

Here are some of the things to consider:

  1. Language-specific tools - as an example, Gosec and Bandit are well-known tools for Go and Python respectively.
  2. Pricing - if one runs Scorecard in a private repo, they might want to pass the SAST check while using free/open source SAST tools.
  3. Specialized purpose - as an example, there are tools that specialize in scanning for secrets. This is an important check which is missing in Scorecard today. Also, the CIS benchmark for supply chain security has the following additional categories:
    • Scanner for CI pipelines - I think Scorecard already has checks for GitHub Actions.
    • Scanner for IaC - not sure if this is in-scope for Scorecard
    • Scanner for vulnerabilities in open source packages being used, e.g. Dependency Review Action.
    • Scanner for open source license issues

**Describe the solution you'd like**

Would like to have a discussion to come to consensus on what additional SAST tools to add in the Scorecard check. Based on the decision, those tools can then be added to the SAST check.

varunsh-coder avatar Sep 30 '22 19:09 varunsh-coder

Tools for IaC scanning:

  • [ ] https://github.com/bridgecrewio/checkov-action (https://github.com/bridgecrewio/checkov)
  • [ ] https://github.com/Checkmarx/kics-github-action (https://github.com/Checkmarx/kics)
  • [ ] https://github.com/aquasecurity/trivy seems to check for IaC too
  • [ ] https://github.com/hadolint/hadolint for docker files

laurentsimon avatar Dec 19 '22 16:12 laurentsimon

I am starting the analysis using the table below of popular linting and security-related tools per language and using the top programming languages blog post as a way to prioritize the analysis.

I am not an expert in any of these languages or the most used linters/ security tools. This is just a way to organize the info. Please share feedback and info on other popular linters/ security tools.

Found this page on GitLab SAST that has tools with emphasis on security per language and this page with list of linters in the SuperLinter GitHub Action.

| Language | Popular linters | Popular tools with emphasis on security |
|---|---|---|
| JavaScript, TypeScript | ESLint | CodeQL, Semgrep, ESLint security plugin |
| Python | Pylint, flake8, black, isort | CodeQL, Semgrep, Bandit |
| Java | Checkstyle | CodeQL, Semgrep |
| C# | Roslyn analyzers | CodeQL, Semgrep, security-code-scan |
| C, C++ | cpplint | CodeQL, Semgrep, Flawfinder |
| PHP | PHP built-in linter, PHP Code Sniffer, PHPStan, Psalm | Semgrep, phpcs-security-audit |
| Ruby | RuboCop | CodeQL, Semgrep, brakeman |
| Go | golangci-lint | CodeQL, Semgrep, Gosec |
| Swift | | MobSF |

varunsh-coder avatar Apr 15 '23 17:04 varunsh-coder
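The IaC action list and the per-language table above are, in effect, the allow-list a workflow check would consult. The following Go program is an added example written for this page, not code from this thread or from the Scorecard project: it scans a GitHub Actions workflow for `uses:` steps, matches the action repository against a small table of the tools named above, and groups what it finds by category (general SAST, language-specific SAST, IaC scanner). The action repositories `returntocorp/semgrep-action`, `securego/gosec` and `hadolint/hadolint-action` are assumed names for those tools and are marked as such in the code; the workflow text is constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Category groups tools the way this issue discusses them:
// general-purpose SAST, language-specific SAST, and IaC scanners.
type Category string

const (
	GeneralSAST  Category = "sast"
	LanguageSAST Category = "language-sast"
	IaCScanner   Category = "iac"
)

// ToolInfo describes a known scanner action.
type ToolInfo struct {
	Tool     string
	Category Category
}

// knownActions maps the lowercased "owner/repo" of a GitHub Actions
// `uses:` reference to the tool it runs. Subpaths (codeql-action/analyze)
// and the ref after '@' are stripped before lookup. Entries marked
// "assumed" are action repositories assumed here, not named in the thread.
var knownActions = map[string]ToolInfo{
	"github/codeql-action":         {"CodeQL", GeneralSAST},
	"returntocorp/semgrep-action":  {"Semgrep", GeneralSAST}, // assumed
	"securego/gosec":               {"Gosec", LanguageSAST},  // assumed
	"bridgecrewio/checkov-action":  {"Checkov", IaCScanner},
	"checkmarx/kics-github-action": {"KICS", IaCScanner},
	"hadolint/hadolint-action":     {"hadolint", IaCScanner}, // assumed
}

// Finding is one matched step in a workflow.
type Finding struct {
	Line    int
	Repo    string // owner/repo, lowercased
	SubPath string // e.g. "analyze" for codeql-action/analyze
	Ref     string // the part after '@'; empty if the step is unpinned
	Info    ToolInfo
}

// usesLine matches a workflow step such as:
//   - uses: github/codeql-action/analyze@v3
//     uses: "bridgecrewio/checkov-action@master"
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s@]+)(?:@([^"'\s]+))?`)

// ScanWorkflow reads workflow YAML line by line and reports every step
// that invokes a known scanner. A line-based scan is enough for `uses:`
// because its value is a single scalar; anything more elaborate would
// need a real YAML parser.
func ScanWorkflow(yaml string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for n := 1; sc.Scan(); n++ {
		m := usesLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		path := strings.ToLower(m[1])
		parts := strings.SplitN(path, "/", 3)
		if len(parts) < 2 {
			continue
		}
		repo := parts[0] + "/" + parts[1]
		info, ok := knownActions[repo]
		if !ok {
			continue // unknown action, local action or docker:// reference
		}
		f := Finding{Line: n, Repo: repo, Ref: m[2], Info: info}
		if len(parts) == 3 {
			f.SubPath = parts[2]
		}
		out = append(out, f)
	}
	return out
}

// CoveredCategories returns sorted, de-duplicated tool names per category,
// which is the shape a pass/fail check would reason over.
func CoveredCategories(fs []Finding) map[Category][]string {
	seen := map[Category]map[string]bool{}
	for _, f := range fs {
		if seen[f.Info.Category] == nil {
			seen[f.Info.Category] = map[string]bool{}
		}
		seen[f.Info.Category][f.Info.Tool] = true
	}
	out := map[Category][]string{}
	for c, tools := range seen {
		for t := range tools {
			out[c] = append(out[c], t)
		}
		sort.Strings(out[c])
	}
	return out
}

// sampleWorkflow is constructed for this example, not taken from any repository.
const sampleWorkflow = `name: ci
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
      - name: Go security scan
        uses: securego/gosec@master
      - uses: "bridgecrewio/checkov-action@v12"
      - uses: Checkmarx/kics-github-action@v1.7.0
      - run: echo "uses: not/an-action@v1 inside a run string is ignored"
`

func main() {
	findings := ScanWorkflow(sampleWorkflow)
	for _, f := range findings {
		fmt.Printf("line %d: %s (%s) ref=%q subpath=%q\n",
			f.Line, f.Info.Tool, f.Info.Category, f.Ref, f.SubPath)
	}
	for c, tools := range CoveredCategories(findings) {
		fmt.Printf("%s: %s\n", c, strings.Join(tools, ", "))
	}
}
```

Matching on the lowercased `owner/repo` and ignoring the `@ref` means a pinned SHA and a mutable branch both count as the tool being present; whether the ref is pinned is a separate policy (Scorecard's Pinned-Dependencies check covers that), which is why each finding keeps `Ref` for a caller that wants to apply it too. The sub-path is kept because for CodeQL it is the `analyze` step, not `init`, that actually produces results.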

Ruby has Rubocop, as well.

ljharb avatar Apr 15 '23 19:04 ljharb

Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

rozhukov avatar Jun 19 '23 13:06 rozhukov

Just an update on the @varunsh-coder table to also include go vet #3128

| Language | Popular linters | Popular tools with emphasis on security |
|---|---|---|
| JavaScript, TypeScript | ESLint | CodeQL, Semgrep, ESLint security plugin |
| Python | Pylint, flake8, black, isort | CodeQL, Semgrep, Bandit |
| Java | Checkstyle | CodeQL, Semgrep |
| C# | Roslyn analyzers | CodeQL, Semgrep, security-code-scan |
| C, C++ | cpplint | CodeQL, Semgrep, Flawfinder |
| PHP | PHP built-in linter, PHP Code Sniffer, PHPStan, Psalm | Semgrep, phpcs-security-audit |
| Ruby | RuboCop | CodeQL, Semgrep, brakeman |
| Go | golangci-lint, go vet | CodeQL, Semgrep, Gosec |
| Swift | | MobSF |

joycebrum avatar Jul 07 '23 18:07 joycebrum

Stale issue message - this issue will be closed in 7 days

github-actions[bot] avatar Sep 21 '23 01:09 github-actions[bot]

> Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

I believe free Coverity could be added to the table @joycebrum mentioned for: JavaScript, Python, Java, C#, C/C++, PHP, Ruby, Go, Swift. I'm not sure about TypeScript.

rozhukov avatar Sep 21 '23 13:09 rozhukov

/cc @AdamKorcz

laurentsimon avatar Sep 22 '23 00:09 laurentsimon

Evaluate Clippy tool used for Rust projects as a possible valid SAST tool.

Related to: https://github.com/ossf/scorecard-action/issues/1017#issuecomment-1783094528

gabibguti avatar Oct 27 '23 15:10 gabibguti

Trunk Check is a very comprehensive meta-linter that covers most file types. It is a commercial offering (but free for small teams), and is in the same spirit as pre-commit.ci. We have been using it for some time and are very happy with it.

siddharthab avatar Oct 30 '23 22:10 siddharthab

https://github.com/ossf/scorecard/issues/3709

gabibguti avatar Nov 30 '23 13:11 gabibguti

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Jan 30 '24 01:01 github-actions[bot]

There's https://megalinter.io/latest/ which includes the majority of (all of?) the linting tools listed in the table above. Also https://github.com/super-linter/super-linter which is comparable but with fewer linters.

chgl avatar Apr 01 '24 14:04 chgl

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Jun 03 '24 01:06 github-actions[bot]