• ⚙️ Customizable configuration with rules, allowlists, and entropy checks to reduce false positives
• 📊 Flexible reporting in multiple formats (#JSON, #CSV, #JUnit, #SARIF) with custom template options
https://github.com/gitleaks/gitleaks
PVS-Studio complies with the requirements of GOST R 71207-2024 (static analysis of software)
The PVS-Studio tool is developed with the requirements that GOST R 71207-2024 imposes on static analyzers in mind; it detects critical errors and can be used in the development of secure software. Let us review the functionality implemented in PVS-Studio as of the end of 2024 for analyzing source code written in the compiled programming languages C, C++, C#, and Java.
https://habr.com/ru/companies/pvs-studio/articles/868578/
#pvsstudio #информационная_безопасность #статический_анализ_кода #ГОСТ_Р_712072024 #ГОСТ_Р_71207 #ГОСТ_Р_56939 #SAST #c #c++ #java #c# #си #си++ #static_code_analysis #анализ_программы #анализ_потоков_данных #контекстночувствительный_анализ #критические_ошибки #CWE #SARIF #РБПО #разработка_безопасного_ПО #использование_чувствительных_данных
TIL there is a thing called #Sarif, a Static Analysis Results Interchange Format, developed by Microsoft.
https://groups.oasis-open.org/communities/tc-community-home2?CommunityKey=c64ae352-bebf-446d-8ebf-018dc7d3eeb0
Awesome tool released by @trailofbits ✊
Streamline your static analysis triage with #SARIF Explorer
Yup. The nightly build is there. I'm pretty confident that the #automatedBuild will run too. :blobcatgiggle:
I've added #trivy #opensource #vulnerability scanner. It will run on schedule for testing and will be later included into the #cd #pipeline. The #sarif report will be attached to madnuttah bot's releases as build artifact.
Took some time to look into implementing a #SARIF output format option for #Regal yesterday. Regal is a linter, and SARIF is a standard format for static analysis, so it seemed like a reasonable thing to have. The specification however is 280 pages long! 😫 I skipped that and went straight for the libraries. Found one for #golang and had a PR up an hour later. Just a prettier way to build a struct for marshaling really, but I'll take that over 280 pages of SHALL, MAY and MUST.
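The post above describes a SARIF library as "a prettier way to build a struct for marshaling". The following is an added example, not Regal's code nor the library the post refers to: it hand-writes the handful of SARIF 2.1.0 structs a minimal log needs (tool driver, rules, results with a physical location), maps constructed linter findings onto them, validates the two fields consumers most often reject (an unknown `level`, a `startLine` below 1), and marshals the result with `encoding/json`. The `Finding` type, the tool name "regal" and the file paths are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is a hypothetical linter result constructed for this example;
// it is not Regal's real finding type.
type Finding struct {
	RuleID  string
	Level   string // SARIF 2.1.0 result.level: "none", "note", "warning" or "error"
	File    string // repository-relative path, emitted as artifactLocation.uri
	Line    int    // 1-based
	Column  int    // 1-based; 0 means "not known" and is omitted
	Message string
}

// The structs below cover only the SARIF 2.1.0 properties a minimal,
// GitHub-Code-Scanning-compatible log needs.
type Log struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}
type Run struct {
	Tool    Tool     `json:"tool"`
	Results []Result `json:"results"`
}
type Tool struct {
	Driver Driver `json:"driver"`
}
type Driver struct {
	Name  string                `json:"name"`
	Rules []ReportingDescriptor `json:"rules,omitempty"`
}
type ReportingDescriptor struct {
	ID string `json:"id"`
}
type Result struct {
	RuleID    string     `json:"ruleId"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations"`
}
type Message struct {
	Text string `json:"text"`
}
type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
}
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           Region           `json:"region"`
}
type ArtifactLocation struct {
	URI string `json:"uri"`
}
type Region struct {
	StartLine   int `json:"startLine"`
	StartColumn int `json:"startColumn,omitempty"`
}

var validLevels = map[string]bool{"none": true, "note": true, "warning": true, "error": true}

// BuildLog maps findings onto one SARIF run. It rejects levels outside the
// spec's enumeration and line numbers below 1 (both fail schema validation
// downstream), and it lists each distinct rule ID once under driver.rules,
// which viewers use to group and describe results.
func BuildLog(toolName string, findings []Finding) (Log, error) {
	seen := map[string]bool{}
	var rules []ReportingDescriptor
	results := make([]Result, 0, len(findings))
	for _, f := range findings {
		if !validLevels[f.Level] {
			return Log{}, fmt.Errorf("finding %q: invalid level %q", f.RuleID, f.Level)
		}
		if f.Line < 1 {
			return Log{}, fmt.Errorf("finding %q: startLine must be >= 1, got %d", f.RuleID, f.Line)
		}
		if !seen[f.RuleID] {
			seen[f.RuleID] = true
			rules = append(rules, ReportingDescriptor{ID: f.RuleID})
		}
		results = append(results, Result{
			RuleID:  f.RuleID,
			Level:   f.Level,
			Message: Message{Text: f.Message},
			Locations: []Location{{PhysicalLocation: PhysicalLocation{
				ArtifactLocation: ArtifactLocation{URI: f.File},
				Region:           Region{StartLine: f.Line, StartColumn: f.Column},
			}}},
		})
	}
	return Log{
		Schema:  "https://json.schemastore.org/sarif-2.1.0.json",
		Version: "2.1.0",
		Runs:    []Run{{Tool: Tool{Driver: Driver{Name: toolName, Rules: rules}}, Results: results}},
	}, nil
}

// ToJSON serialises the log; the result is what a CI step would upload.
func ToJSON(l Log) ([]byte, error) { return json.MarshalIndent(l, "", "  ") }

func main() {
	// Constructed sample findings, not real Regal output.
	findings := []Finding{
		{"prefer-snake-case", "warning", "policy/authz.rego", 12, 5, "Prefer snake_case for rule names"},
		{"prefer-snake-case", "warning", "policy/authz.rego", 40, 5, "Prefer snake_case for rule names"},
		{"no-unused-vars", "error", "policy/util.rego", 3, 1, "Variable 'x' is assigned but never used"},
	}
	l, err := BuildLog("regal", findings)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := ToJSON(l)
	fmt.Println(string(out))
}
```

The validation in `BuildLog` is the part worth keeping even if you adopt a library: most SARIF consumers are strict about `level` and `region` values, and a log that marshals fine but fails schema validation is silently dropped by some uploaders.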
I've made a Python :python: code linting Action ▶️ for GitHub :github: Code Scanning.
It wraps up #Ruff, #Flake8, #Pylint, #Fixit2, #Mypy, #Pyright and #Pytype into an Action that uploads to Code Scanning, part of Advanced Security, the GitHub appsec platform.
ℹ️ that’s free for open source repos hosted on GitHub!
Read 📖 about it👇 on my blog:
https://lnkd.in/es_pd2W6
Try ⚙️ it👇 on the Actions ▶️ marketplace:
https://lnkd.in/ei7-H2V9
#Python #Linting #CodeQuality #Linters #SARIF #GitHubActions
I've recently started using the #SARIF Viewer extension to view #semgrep scan results in #vscode and it's awesome!
It provides a much more streamlined experience compared to what I was used to. I recommend to try it out, it might drastically improve your workflow.
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
I have a plan around #Scala :scala:
I want to statically analyse it using tools that understand #Java :java: , by decompiling the .class files that the Scala source compiles to, then analysing the decompiled Java source.
That works 💪 (on trivial stuff!) but I need to match up line numbers. Scala's debug output in .tasty files and some decompiler info should do, but I haven't done it yet.
Thoughts?
Know a good static analyser for Scala that outputs SARIF?
What tools / services do you use that import and do something interesting with SARIF static analysis results?
For example, GitHub Code Analysis understands SARIF. There is also a VSCode viewer plugin.
Context: thinking about adding SARIF output support to Nosey Parker, the secrets detector I'm working on: https://github.com/praetorian-inc/noseyparker
ZAP Reports now support #SARIF thanks to https://github.com/de-jcup
https://www.zaproxy.org/docs/desktop/addons/report-generation/report-sarif-json/