I'm curious if there are any other solid open-source SAST tools that I could add to my workflow, particularly to complement Semgrep and Trivy. Any recommendations?
5 Answers
Have you tried DefectDojo? It’s a great tool for vulnerability management that you can integrate into your setup without much hassle.
Just a heads up, most open-source SAST tools tend to excel in specific areas but can fall short in others. Many organizations use them for early warning signs and then turn to more comprehensive tools like Checkmarx for deeper analysis when the prioritization of findings becomes crucial.
Definitely check out the AppThreat tools. They have a family of services that can help with various aspects of security.
If you're focused on container security, I recommend looking into Echo vulnerability-free container images. They work really well with Trivy and Grype, even though they're paid—they can significantly reduce vulnerability noise and alert fatigue.
It really helps to know what stack you're working with. Using too many tools can just slow things down and create more noise. That said, I've had good experiences with Datadog's GuardDog for supply chain analysis, along with OPA for guardrails.
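The thread's recurring point (use open-source scanners for early warning, but keep the noise down so the pipeline stays useful) can be made concrete with a small CI gate. The script below is an added example, not code from the original thread or from Semgrep, Trivy or any other project named here. It parses documents shaped like `semgrep --json` and `trivy --format json` output, merges them into one schema, drops duplicate findings, and blocks the build only on fixable findings at or above a severity threshold. The sample documents, rule ids, CVE ids and the Semgrep-to-Trivy severity mapping are all constructed assumptions.

```python
"""Added example: merge Semgrep and Trivy JSON into one finding list and gate CI on it.

The sample documents below are hand-constructed to mimic the shape of
`semgrep --json` and `trivy --format json` output; rule ids and CVE ids are placeholders.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
# Semgrep reports ERROR/WARNING/INFO; mapping them onto Trivy's scale is an assumption.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str        # rule id or CVE id
    location: str    # file:line or target:package@version
    severity: str    # LOW / MEDIUM / HIGH / CRITICAL
    fixable: bool    # code findings: always; CVEs: only when a fixed version exists


def parse_semgrep(doc: dict) -> list[Finding]:
    """Flatten Semgrep's `results` array into Findings."""
    out = []
    for r in doc.get("results", []):
        raw = r.get("extra", {}).get("severity", "INFO").upper()
        sev = SEMGREP_SEVERITY.get(raw, "LOW")
        out.append(Finding("semgrep", r["check_id"], f'{r["path"]}:{r["start"]["line"]}', sev, True))
    return out


def parse_trivy(doc: dict) -> list[Finding]:
    """Flatten Trivy's per-target `Vulnerabilities` arrays; a clean target carries `null`."""
    out = []
    for res in doc.get("Results", []):
        target = res.get("Target", "?")
        for v in res.get("Vulnerabilities") or []:
            sev = v.get("Severity", "").upper()
            if sev not in SEVERITY_RANK:   # UNKNOWN -> treat as LOW rather than crash the gate
                sev = "LOW"
            loc = f'{target}:{v["PkgName"]}@{v.get("InstalledVersion", "?")}'
            out.append(Finding("trivy", v["VulnerabilityID"], loc, sev, bool(v.get("FixedVersion"))))
    return out


def gate(findings, min_severity="HIGH", fixable_only=True):
    """Return (passed, blocking) after de-duplicating and filtering the findings."""
    threshold = SEVERITY_RANK[min_severity]
    seen, blocking = set(), []
    for f in findings:
        key = (f.tool, f.rule, f.location)
        if key in seen:          # same finding reported twice (e.g. overlapping rule packs)
            continue
        seen.add(key)
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        if fixable_only and not f.fixable:   # unfixable CVEs: report them, do not block on them
            continue
        blocking.append(f)
    return len(blocking) == 0, blocking


# --- constructed sample output (not real scan results) ---------------------------
SEMGREP_SAMPLE = {
    "results": [
        {"check_id": "example.sqli-string-concat", "path": "app/db.py",
         "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built by concatenation"}},
        {"check_id": "example.sqli-string-concat", "path": "app/db.py",   # duplicate of the above
         "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built by concatenation"}},
        {"check_id": "example.insecure-tempfile", "path": "app/util.py",
         "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "mktemp is racy"}},
    ],
    "errors": [],
}
TRIVY_SAMPLE = {
    "Results": [
        {"Target": "app:latest (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0",
             "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.0",
             "FixedVersion": "", "Severity": "HIGH"},       # no upstream fix yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "InstalledVersion": "3.0",
             "FixedVersion": "3.1", "Severity": "LOW"},
        ]},
        {"Target": "app/package-lock.json", "Vulnerabilities": None},
    ],
}


def all_findings() -> list[Finding]:
    return parse_semgrep(SEMGREP_SAMPLE) + parse_trivy(TRIVY_SAMPLE)


def run_demo(min_severity="HIGH", fixable_only=True):
    passed, blocking = gate(all_findings(), min_severity, fixable_only)
    for f in blocking:
        print(f"[{f.tool}] {f.severity:8} {f.rule} at {f.location}")
    print("gate:", "PASS" if passed else "FAIL")
    return passed, blocking


if __name__ == "__main__":
    run_demo()
```

With the defaults the gate fails on two findings (the Semgrep ERROR and the fixable CRITICAL CVE) while the duplicate, the WARNING, the LOW CVE and the HIGH CVE with no fixed version are all kept out of the blocking set; loosening `min_severity` or `fixable_only` widens it. Tuning those two knobs per repository is where most of the alert-fatigue reduction comes from, and since the gate works on the tools' JSON rather than their exit codes, adding another scanner is just another parser.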
