We want to get rid of other third-party SAST (Static Application Security Testing) tools and stick with Sonar even for SAST. We have seen a couple of plugins on top of Sonar that would fit this purpose. Please help us achieve this. Thank you in advance.
Hi @siva,
Happy to see that you are satisfied with Sonar(Qube, I assume?).
We have been working on (and continuously improving and developing) our SAST features, natively in our products (especially SonarQube): https://www.sonarqube.org/features/security/
I would recommend that you go to this link to see what we can offer in SonarQube in the SAST field, depending on your programming languages, and then try it.
Super quick overview: you’ll find our first step in SAST via Security Hotspots in Community Edition (open source), and the next big steps, like detection of injection flaws and Security Reports (OWASP/SANS classification…), in our Commercial Editions (€).
Let’s try it here! And keep in mind that we are constantly improving our tools, which could mean new rules, new vulnerabilities and new languages covered by SAST…
And last but not least, you can watch our latest webinar on Security here!
Carine
Thanks for your response, Carine.
We are on SonarCloud, the SaaS-based offering from Sonar. What kind of security features will we get as an enterprise user?
OK, if you are using SonarCloud, then you have the security rules available in the different languages, both for Security Hotspots and for detection of injection flaws.
You just have to scan your projects, after having checked that the rules are activated in your Quality Profile. Vulnerabilities and Security Hotspots will then be raised if you have any.
FYI, here is an “old” blog post from when we started implementing SAST in SonarCloud:
https://blog.sonarsource.com/sonarcloud-is-entering-sast-market
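One way to turn the check Carine describes (first confirm the security rules are active in the project's Quality Profile, then look at the vulnerabilities and Security Hotspots the scan raised) into something a pipeline can run, as an added example that is not part of the original thread and not SonarSource's own code. It works on Web API responses constructed inline, so it runs offline; the endpoint paths and JSON field names follow the SonarCloud/SonarQube Web API as I know it and are an assumption, as are the rule keys and file names in the sample data.

```python
"""Post-scan check for a SonarCloud project: are security rules active in the
Quality Profile, and what did the scan raise?

Added example, not SonarSource code.  The responses below are CONSTRUCTED so
the script runs offline.  In real use you would fetch them with an
authenticated GET (user token) from the project's SonarCloud Web API
(api/rules/search?activation=true&qprofile=..., api/issues/search?componentKeys=...,
api/hotspots/search?projectKey=...); the field names are an assumption.
"""
import json
from collections import Counter

# --- Constructed sample responses (not real scan data; rule keys illustrative) --

# api/rules/search?activation=true&qprofile=<key>: rules active in the profile.
RULES_JSON = json.dumps({"total": 4, "rules": [
    {"key": "python:S2068", "type": "VULNERABILITY", "sysTags": ["cwe", "owasp-a3"]},
    {"key": "pythonsecurity:S3649", "type": "VULNERABILITY",
     "sysTags": ["cwe", "injection", "owasp-a1", "sql"]},
    {"key": "python:S4423", "type": "SECURITY_HOTSPOT", "sysTags": ["cwe", "owasp-a6"]},
    {"key": "python:S1481", "type": "CODE_SMELL", "sysTags": ["unused"]},
]})

# Same endpoint for a profile where every security rule was deactivated.
RULES_NO_SECURITY_JSON = json.dumps({"total": 1, "rules": [
    {"key": "python:S1481", "type": "CODE_SMELL", "sysTags": ["unused"]},
]})

# api/issues/search?componentKeys=<projectKey>&types=VULNERABILITY
ISSUES_JSON = json.dumps({"total": 3, "issues": [
    {"key": "i1", "rule": "pythonsecurity:S3649", "type": "VULNERABILITY",
     "severity": "BLOCKER", "status": "OPEN", "component": "app:db/users.py", "line": 42},
    {"key": "i2", "rule": "python:S2068", "type": "VULNERABILITY", "severity": "MINOR",
     "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
     "component": "app:tests/conftest.py", "line": 7},
    {"key": "i3", "rule": "python:S1481", "type": "CODE_SMELL", "severity": "MINOR",
     "status": "OPEN", "component": "app:util.py", "line": 3},
]})

# api/hotspots/search?projectKey=<projectKey>
HOTSPOTS_JSON = json.dumps({"hotspots": [
    {"key": "h1", "ruleKey": "python:S4423", "status": "TO_REVIEW",
     "vulnerabilityProbability": "HIGH", "component": "app:net/client.py", "line": 19},
    {"key": "h2", "ruleKey": "python:S4507", "status": "TO_REVIEW",
     "vulnerabilityProbability": "LOW", "component": "app:main.py", "line": 88},
    {"key": "h3", "ruleKey": "python:S4423", "status": "REVIEWED", "resolution": "SAFE",
     "vulnerabilityProbability": "HIGH", "component": "app:net/legacy.py", "line": 5},
]})

SEVERITY_ORDER = ["INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER"]


def active_security_rules(rules_json: str) -> dict:
    """Count the security rules the Quality Profile activates, by type, plus how
    many carry the 'injection' tag (the taint-analysis rules).  A profile with
    no VULNERABILITY rules cannot raise a vulnerability, so a clean scan against
    such a profile proves nothing."""
    counts = Counter({"VULNERABILITY": 0, "SECURITY_HOTSPOT": 0, "INJECTION": 0})
    for rule in json.loads(rules_json)["rules"]:
        if rule["type"] in ("VULNERABILITY", "SECURITY_HOTSPOT"):
            counts[rule["type"]] += 1
            if "injection" in rule.get("sysTags", []):
                counts["INJECTION"] += 1
    return dict(counts)


def scan_findings(issues_json: str, hotspots_json: str) -> dict:
    """Summarise what the scan raised: open vulnerabilities (resolved ones and
    non-security issues are ignored) and hotspots still waiting for review."""
    open_vulns = [i for i in json.loads(issues_json)["issues"]
                  if i["type"] == "VULNERABILITY" and i["status"] == "OPEN"]
    to_review = [h for h in json.loads(hotspots_json)["hotspots"]
                 if h["status"] == "TO_REVIEW"]
    worst = max((i["severity"] for i in open_vulns), key=SEVERITY_ORDER.index, default=None)
    return {
        "open_vulnerabilities": len(open_vulns),
        "worst_severity": worst,
        "vulnerable_locations": [f'{i["component"]}:{i["line"]}' for i in open_vulns],
        "hotspots_to_review": len(to_review),
        "hotspots_by_probability": dict(Counter(h["vulnerabilityProbability"] for h in to_review)),
    }


def should_fail_build(rule_counts: dict, findings: dict) -> bool:
    """Fail when the profile has no security rules (the scan was blind) or when
    an open vulnerability remains.  Hotspots are reported but not blocking: a
    hotspot needs human review before it becomes a vulnerability or is marked safe."""
    if rule_counts["VULNERABILITY"] == 0 or rule_counts["SECURITY_HOTSPOT"] == 0:
        return True
    return findings["open_vulnerabilities"] > 0


if __name__ == "__main__":
    rules = active_security_rules(RULES_JSON)
    findings = scan_findings(ISSUES_JSON, HOTSPOTS_JSON)
    print("active security rules:", rules)
    print("findings:", findings)
    print("fail build:", should_fail_build(rules, findings))
    print("fail build with no security rules active:",
          should_fail_build(active_security_rules(RULES_NO_SECURITY_JSON), findings))
```

The rules check comes first on purpose: a scan that reports zero vulnerabilities against a profile with the security rules switched off looks identical to a genuinely clean scan, so the script treats "no security rules active" as a failure rather than a pass. Hotspots are counted separately because they are review items, not confirmed findings.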
Hey @siva
Just an FYI: we recently launched SonarCloud Enterprise, which includes support for Security Reports.