Add more options for SAST tools

[varunsh-coder]

Is your feature request related to a problem? Please describe.
I would like to start a discussion to add more options for SAST tools. As of now, 3 tools are checked in the SAST check - CodeQL, LGTM, Sonar. As per this issue, LGTM is going away.

Here are some of the things to consider:

1. Language specific tools - as an example, GoSec, and Bandit are well known tools for Go and Python respectively.
2. Pricing - if one runs Scorecard in private repo, they might want to pass the SAST check while using free/ open source SAST tools.
3. Specialized purpose - as an example, there are tools that specialize in scanning for secrets. This is an important check which is missing in scorecard today. Also, CIS benchmark for supply chain security, has following additional categories:
   • Scanner for CI pipelines - I think Scorecard already has checks for GitHub Actions.
   • Scanner for IaC - not sure if this is in-scope for Scorecard
   • Scanner for vulnerabilities in open source packages being used, e.g. Dependency Review Action.
   • Scanner for open source license issues

Describe the solution you'd like
Would like to have a discussion to come to consensus on what additional SAST tools to add in Scorecard check. Based on the decision, those tools can then be added in the SAST check.

[laurentsimon]

Tools for IaC scanning:

• https://github.com/bridgecrewio/checkov-action (https://github.com/bridgecrewio/checkov)
• https://github.com/Checkmarx/kics-github-action (https://github.com/Checkmarx/kics)
• https://github.com/aquasecurity/trivy seems to check for IaC too
• https://github.com/hadolint/hadolint for docker files

[varunsh-coder]

I am starting the analysis using the table below of popular linting and security-related tools per language and using the top programming languages blog post as a way to prioritize the analysis.

I am not an expert in any of these languages or the most used linters/ security tools. This is just a way to organize the info. Please share feedback and info on other popular linters/ security tools.

Found this page on GitLab SAST that has tools with emphasis on security per language and this page with list of linters in the SuperLinter GitHub Action.

Language	Popular linters	Popular tools with emphasis on security
JavaScript, TypeScript	ESLint	CodeQL, Semgrep, ESlint security plugin
Python	Pylint, flak8, black, isort	CodeQL, Semgrep, Bandit
Java	Checkstyle	CodeQL, Semgrep
C#	Rosyln analyzers	CodeQL, Semgrep, security-code-scan
C, C++	cpplint	CodeQL, Semgrep, Flawfinder
PHP	PHP built-in linter, PHP Code sniffer, PHPStan, Psalm	Semgrep, phpcs-security-audit
Ruby	RuboCop	CodeQL, Semgrep, brakeman
Go	golangci-lint	CodeQL, Semgrep, Gosec
Swift		MobSF

[ljharb]

Ruby has Rubocop, as well.

[rozhukov]

Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

[joycebrum]

Just an update on the @varunsh-coder table to also include go vet #3128

Language	Popular linters	Popular tools with emphasis on security
JavaScript, TypeScript	ESLint	CodeQL, Semgrep, ESlint security plugin
Python	Pylint, flak8, black, isort	CodeQL, Semgrep, Bandit
Java	Checkstyle	CodeQL, Semgrep
C#	Rosyln analyzers	CodeQL, Semgrep, security-code-scan
C, C++	cpplint	CodeQL, Semgrep, Flawfinder
PHP	PHP built-in linter, PHP Code sniffer, PHPStan, Psalm	Semgrep, phpcs-security-audit
Ruby	RuboCop	CodeQL, Semgrep, brakeman
Go	golangci-lint, go vet	CodeQL, Semgrep, Gosec
Swift		MobSF

[github-actions]

Stale issue message - this issue will be closed in 7 days

[rozhukov]

Is it possible to consider scan.coverity.com (free for OSS usage) as a supported SAST for Scorecards? I know a few projects use that tool actively. Thnx.

I believe free Coverity could be added to the table @joycebrum mentioned for: JavaScript, Python, Java, C#, C/C++, PHP, Ruby, Go, Swift. I'm not sure about TypeScript.

[laurentsimon]

/cc @AdamKorcz

[gabibguti]

Evaluate Clippy tool used for Rust projects as a possible valid SAST tool.

Related to: ossf/scorecard-action#1017 (comment)

[siddharthab]

Trunk Check is a very comprehensive meta-linter that covers most file types. It is a commercial offering (but free for small teams), and is in the same spirit as pre-commit.ci. We have been using it for some time and are very happy with it.

[gabibguti]

#3709

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[chgl]

There's https://megalinter.io/latest/ which includes the majority (all of?) the linting tools listed in the table above. Also https://github.com/super-linter/super-linter which is comparable but with fewer linters.