I'm searching for a solid free SAST tool that can scan my infrastructure code for potential issues and vulnerabilities. I've tried looking around, but most of the options I found aren't open source or free to use. Any recommendations?
4 Answers
Have you looked into GitHub's CodeQL? It's free for open-source projects and does a good job scanning for vulnerabilities in your codebase. Also, consider Terrascan, which is tailored for Infrastructure as Code and specializes in identifying security issues. Depending on your setup, these could be really helpful!
Trivy is a great option! It works well for various use cases and is straightforward to set up. You can check it out at trivy.dev.
Checkov is another tool you might want to explore. It could work for your needs.
+1 for Checkov! You can also pair it with Defect Dojo to manage and present the results more effectively.
In my organization, we didn't find any free tools that were approved for use. We did consider WhiteSource, but I think it doesn't focus specifically on infrastructure code.

I can confirm this too; it really does the job!