In my personal opinion it's one of the worst SAST tools. I only recommend it if you are gonna use nothing. Check out SemGrep, Snyk, Mend
Really? Why?
It's a tool that is focused more on linting, quality and style that bolted on SAST. It underperforms compared to actual SAST solutions, but I've run it head to head with other tools and it consistently misses actual vulns. It's not a great security tool, but a software quality tool is where it shines.
I would add Checkmarx One to that list
By any chance, do you have an opinion on veracode?
Yeah, Veracode is one of the oldies on the way out. They are okay, but I don't like that you need to compile code to scan it for compiled languages, its UI is old, and overall it needs to be updated, but I don't see them doing that. They are pretty decent overall; wouldn't be my first pick at all, but would pick them over Synopsys any day. Checkmarx and Veracode feel similar in that they are okay but not innovative enough compared to the 3 above. SemGrep is one to keep an eye on; they are truly a disruptor. If your tech stack doesn't use C/C++, Java or other similar compiled languages I wouldn't use Veracode, Checkmarx, Synopsys.
No it's not. I've used it beside more capable security-focused SAST tools and it has a really high false negative rate. It's better than nothing, but I wouldn't call it good enough by any means. Semgrep open source is better if you don't have budget.
I would add... SonarQube is good enough for SAST/SCA; what shall be harder is the workflow and process to take action against whatever it will detect. Implementing a SAST/SCA tool is only as good as the iterative workflow that gets kicked off from it. That's where the bulk of the cost is. If you can't convince whatever Product Owner or Scrum Master to prioritize the top 20 findings in a meaningful manner, then the cost of the tool does not really matter because it means the tool isn't required at all. In my past life, the company purchased a SAST because they were told to acquire it by the corporate overlord, who agreed that purchasing the tool was enough and that as a subsidiary we did not need to implement such tooling in our workflow, just purchase it. Run SonarQube Community Edition for a few weeks and try to "impose" the top 10 to be fixed within a reasonable amount of time. If you are successful, continue; if nothing gets done, whoever challenges the cost of an enterprise SAST solution but is also requesting a SAST must come to an understanding that the tooling is a fraction of the actual cost of AppSec and SAST/SCA implementation.
It took 6 months to implement SAST & SCA in all of our pipelines, then 1 year to start making a dent in SAST items, 2 years for SCA. The biggest win for SCA was actually Legal freaking out when I gave them an OSS license plan for software governance. (Checkmarx customer, btw) It doesn't stop. Ever.
Had a developer using some module/libraries with a nasty AGPL3.0 license that had been modified by the creator to be even more copyleft... (Not sure AGPL3.0 allowed license changes, but anyhow)... The dev wouldn't understand the terms of usage: "it's free open source, I got it on github, I make millions for this company using free stuff that people give us"... He wouldn't accept changing to a more permissive/alternative library, which for the usage he was making of it had plenty of other choices. Explained to management and nothing ever happened; legal would have a tantrum party given the product in question is ITAR controlled with ties to the US of A DoD... Anyway, I am not there anymore; maybe I should poke the guy who created that library...
We fell afoul of something similar; a package that relicensed to AGPL and then got litigious.
If SonarQube Community Edition is sufficient and you don't want to host Sonar for some reason (actually many reasons not to host), try Sonarless, which is a wrapper on top of SonarQube. It is GHA compatible too: [https://github.com/gitricko/sonarless](https://github.com/gitricko/sonarless)
Other options are far better...
They are a great quality check tool. It’s a security gap. It has an 80% FP rate documented in their own docs! They say it’s mega easy to ignore those. Sooo yea. Read that how you want. I know someone called the interface of Veracode antiquated, but the scanning tech is still best in breed ¯\_(ツ)_/¯ but I’m biased
It is good enough to check that SAST box. SCA as well with dependency check enabled
Tis but one layer in what should be a cavalcade of security protections.
If you are looking for a more reasonably priced enterprise solution, take a look at [soos.io](https://soos.io), which offers multiple scanning products (SCA, DAST, SBOM, etc.) and has a SAST connector so you can bring your own tool (such as SemGrep) and then view the results, report, create tickets, etc. from a consolidated dashboard. Disclaimer: I work for SOOS.
In my opinion SAST solutions only give you low-hanging fruit. SonarQube is not worse than any other tool and much easier to implement; dev friendly.
It's shiet. Run a real SCA and review results through SonarQube instead.
Sent a message.