I'm looking for some effective SAST (Static Application Security Testing) tools to identify security vulnerabilities, especially since we currently use Snyk at work. Are there any good free options out there that can help us discover even more security issues?
4 Answers
Besides Semgrep, you might want to look into Opengrep, which is a fork that was developed this year to improve on Semgrep's offerings. Just keep in mind that free tools can require a lot of management and a solid understanding of your security goals. You'll need to make sure you have rules in place, and writing your own might be necessary if existing ones don’t fit your needs. If you're looking for advanced security issues, especially complex business logic flaws, you might end up needing to invest in a paid tool, as many free options aren't leveraging the latest AI advancements for reducing false positives.
For a more focused SAST solution, I generally recommend Amplify Security. While we aim for fewer, more accurate findings, if you’re looking for a tool with a broader range of results, Aikido offers a comprehensive suite of scanners. If you want to stick strictly to SAST, tools like ZeroPath could provide new insights that may complement what Snyk already offers. Plus, Opengrep is bundled in our platform for easy testing.
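To make the "write your own rules" point concrete, here is an added example of the kind of custom Semgrep/Opengrep rule that answer is talking about. It is not part of the original answer, not a rule from the Semgrep registry, and not code from any vendor named above. The internal helper `db.raw_query(sql, params)` and the Flask request sources are assumptions for illustration; swap in whatever wrapper your codebase actually uses.

```yaml
# Added example (not from the original thread): a custom taint-mode rule for a
# hypothetical internal helper db.raw_query(). Names are assumed for illustration.
rules:
  - id: internal-db-raw-query-sqli
    languages: [python]
    severity: ERROR
    message: >-
      Request data flows into the SQL string passed to db.raw_query() without
      parameterization (possible SQL injection). Pass values through the
      params argument instead.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
      category: security
    mode: taint
    pattern-sources:
      # Assumed Flask app: values read from the HTTP request are attacker-controlled
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    pattern-sanitizers:
      # An int() cast cannot carry SQL syntax, so stop tracking taint through it
      - pattern: int(...)
    pattern-sinks:
      # Only the SQL string argument is a sink; the params argument is the safe channel
      - patterns:
          - pattern: db.raw_query($SQL, ...)
          - focus-metavariable: $SQL

# What this rule does with three constructed snippets:
#   name = flask.request.args.get("name")
#   db.raw_query(f"SELECT * FROM users WHERE name = '{name}'")        # flagged
#   db.raw_query("SELECT * FROM users WHERE name = %s", (name,))      # not flagged
#   db.raw_query(f"SELECT * FROM users WHERE id = {int(uid)}")        # not flagged (sanitizer)
```

Run it with `semgrep --config internal-db-raw-query-sqli.yaml src/`; Opengrep reads the same rule format. Keep a companion target file next to the rule with `# ruleid: internal-db-raw-query-sqli` and `# ok: internal-db-raw-query-sqli` annotations on the lines you expect to be flagged and not flagged, and run `semgrep --test` in CI so that edits to the rule (for example adding a new source or sanitizer) cannot silently stop it from firing.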
I recommend using the Google OSV scanner for Software Composition Analysis (SCA), Trivy for Infrastructure as Code (IaC) and container images, and OWASP ZAP for testing your applications.
Have you checked out Semgrep? It's a solid open-source scanner that can help you find vulnerabilities in your code.

Yeah, Semgrep is definitely worth a look!