Wiz Experts Team
When it comes to modern development practices, security isn’t an afterthought anymore. Instead, security has taken its rightful place beside usability, performance, and cost. The elevated importance of security comes down to risk: Forgetting about it is a liability, considering no organization wants to be in the news for losing private user data.
Luckily, there are ways to mitigate risk. Code security tools start checking your code right after you write it, and leveraging them to improve your security posture doesn’t have to be expensive. Many open-source code security tools are freely available, including some created by big companies like Microsoft or security organizations like OWASP.
This article will give you a refresher on code security and review the most popular open-source code security tools available. Let’s get started.
Code security is achieved by following best practices and using tools that scan your code for potential vulnerabilities. The goal is to ensure you write code in a secure way.
You can achieve code security by several different means:
Code reviews/manual audits of each commit or your whole codebase, conducted either by your own engineers or by an external security consultant
Static-type systems that make writing insecure code harder
Code linters that enforce best practices to prevent known issues in programming languages
Static application security testing (SAST) tools, which check code for known vulnerabilities
Audit tools that check if the code depends on third-party code with known vulnerabilities
How do code security tools work?
Secure code review tools protect you from risk by comparing the code you've written, and the third-party libraries you use, against online databases of known vulnerabilities. More recent tools even spot issues by using large language models (LLMs) trained on vulnerability databases and on source code that follows security best practices.
Some tools simply list the issues they find, but most propose actionable solutions so you can fix problems immediately. Many code security tools boast easy integration as well. Combining code security scanning tools with other developer tools like IDEs, Git hooks, and CI/CD pipelines allows you to scan your code at every step of the development process.
Keep in mind that while popular languages are usually supported by multi-language tools and frequently even have dedicated scanners, more obscure languages—like Elixir, PL/SQL, and Modelica—are often supported by just one tool. We’ll discuss language-specific tools after this section. But first, we’ll take a look at tools that cover multiple programming languages.
Semgrep is one of the most popular code security tools on GitHub thanks to its fast scans of code and dependencies. Semgrep is written in OCaml and is available as the open-source part of a managed service.
Languages in beta: Rust and Kotlin
Languages with experimental support: Bash, C/C++, Clojure, Dart, Dockerfile, Elixir, HTML, Julia, Jsonnet, Lisp, Lua, OCaml, R, Scheme, Solidity, Swift, YAML, XML, and generics (like ERB and Jinja)
SonarQube is a security scanner written in Java. The open-source community edition supports more than a dozen programming languages.
More languages are supported in the paid version.
PMD calls itself an extensible source code analyzer. It uses JavaCC and ANTLR and supports writing queries in Java or XPath.
Bearer is a developer-friendly SAST tool that scans your code in the command line. With rules based on the OWASP Top 10 security risks and common privacy risks, Bearer allows you to filter vulnerabilities by priority. This flexibility means you can start fixing risks for sensitive data immediately before moving to less crucial problems later.
Graudit is a grep-based security scanner. It’s a rather basic tool but doesn’t require much technical know-how to get started. A huge benefit of Graudit is its extensive list of supported programming languages.
Horusec is a static code analysis tool that comes in multiple variants. You can run it as a CLI while coding or use an IDE plugin to get results without switching tools. It’s also available via a Docker image, offering a handy vulnerability management web UI.
Scan is a SAST scanning tool that focuses on ease of use. It’s preconfigured, so you don’t have to learn about its intricacies before getting your first report.
The community edition of Betterscan is open source and free to use. It’s a security tool orchestrator, meaning it uses many different tools to ensure the safety of your code, including SAST and SCA and also secrets scanning. Since Betterscan essentially wraps many other tools, it supports many languages.
Trivy is a code scanner for infrastructure as code (IaC) definitions. Additionally, Trivy scans filesystems and images for issues.
Languages supported: AWS, Terraform, Kubernetes, and more
The automated-security-helper is a security tool orchestrator for AWS deployments. It scans different types of code files, including:
IaC definition languages, like CloudFormation templates, Terraform, and Dockerfiles
Access control definitions, like IAM policies
General programming languages via integrations with different scanners
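To show what an IaC scanner actually checks when it reads an access control definition, here is a small IAM policy check written for this article. It is an added example, not code from automated-security-helper or Trivy; the policy document, the Sids and the bucket ARN in it are constructed placeholders.

```python
"""Added example: spotting over-broad grants in an IAM policy document.

Illustrative code written for this article, not part of automated-security-helper
or Trivy. The policy below is constructed; bucket names and Sids are placeholders.
"""
import json
from dataclasses import dataclass


@dataclass
class PolicyFinding:
    index: int
    sid: str
    message: str


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_iam_policy(policy: dict) -> list[PolicyFinding]:
    """Flag Allow statements whose scope is broader than a workload should need."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        all_resources = "*" in resources

        if "*" in actions and all_resources:
            findings.append(PolicyFinding(i, sid, "grants every action on every resource (full admin)"))
        elif all_resources and any(a.endswith(":*") for a in actions):
            services = sorted(a.split(":")[0] for a in actions if a.endswith(":*"))
            findings.append(PolicyFinding(
                i, sid, f"service-wide wildcard on all resources: {', '.join(services)}"))

        if "NotAction" in stmt:
            findings.append(PolicyFinding(
                i, sid, "NotAction allows everything except the listed actions, "
                        "including actions the provider adds later"))

        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}) and not stmt.get("Condition"):
            findings.append(PolicyFinding(
                i, sid, "Principal * without a Condition opens the resource to any caller"))
    return findings


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "EverythingButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for f in check_iam_policy(SAMPLE_POLICY):
        print(f"[{f.index}] {f.sid}: {f.message}")
```

Running it flags the first, second and fourth statements and leaves the scoped `s3:GetObject` grant and the Deny alone. The same shape of check, one normalising step followed by a handful of rules, is what orchestrators like automated-security-helper run across CloudFormation, Terraform and Dockerfiles as well.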
Language-specific code security tools
Next, let’s review language-specific tools. In this category, each tool covers only one programming language. Since these tools are written in the same programming language they scan, you can easily extend them and fix bugs when necessary.
nodejsscan is probably the most popular SAST scanner for NodeJS applications. It runs in a Docker container and comes with various visualizations for the vulnerabilities it finds, making integration with a CI/CD pipeline easy.
npm-audit is the staple security tool for NodeJS applications. As part of the npm package manager CLI, every NodeJS installation includes it out of the box. npm-audit automatically notifies you about security issues when you install an npm package.
3. yarn npm audit
Yarn is an alternative CLI for npm packages. Until version 2.0.0, its audit command was called "yarn audit." It was renamed "yarn npm audit" to clarify that Yarn uses the same audit service as npm for its security checks.
Bandit is one of the go-to security scanners for Python applications. It was developed by the Python Code Quality Authority (PyCQA), which focuses on Python code security. Bandit uses an AST scanner, allowing different plugins to enhance the spectrum of issues it can find.
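To make the AST approach concrete, here is a tiny scanner written for this article in the same spirit: it parses a Python module, walks the syntax tree and reports calls that a reviewer would want to look at. It is an added example, not Bandit's own code; the rule IDs X001 to X004 and the sample module are placeholders I constructed, and the sample is only parsed, never executed, so its imports need not be installed.

```python
"""Added example: a tiny AST-based scanner in the style Bandit uses.

Illustrative code written for this article, not Bandit's own source.
Rule identifiers (X001..X004) are placeholders, not Bandit's test IDs.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule_id: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Rebuild a dotted call name such as 'subprocess.run' from the AST."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword_is_true(node: ast.Call, name: str) -> bool:
    """True when the call passes name=True as a literal keyword argument."""
    return any(
        kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


class DangerousCallVisitor(ast.NodeVisitor):
    """Each branch in visit_Call plays the role of one scanner plugin."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in {"eval", "exec"}:
            self._report("X001", node, f"{name}() evaluates a string as code")
        elif name.startswith("subprocess.") and _keyword_is_true(node, "shell"):
            self._report("X002", node, f"{name}() called with shell=True")
        elif name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            self._report("X003", node, "yaml.load() without an explicit Loader")
        elif name in {"pickle.load", "pickle.loads"}:
            self._report("X004", node, f"{name}() deserialises data it cannot verify")
        self.generic_visit(node)  # keep walking: nested calls are still checked

    def _report(self, rule_id: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule_id, node.lineno, message))


def scan_source(source: str) -> list[Finding]:
    """Parse one Python source file and return its findings ordered by line."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input. It is parsed, not imported or run, so the
# yaml and pickle modules it mentions do not need to be installed.
SAMPLE = """\
import subprocess
import yaml
import pickle

def handler(user_input, payload):
    result = eval(user_input)                          # line 6
    subprocess.run("ls " + user_input, shell=True)     # line 7
    cfg = yaml.load(payload)                           # line 8
    safe = yaml.load(payload, Loader=yaml.SafeLoader)  # line 9: fine
    obj = pickle.loads(payload)                        # line 10
    subprocess.run(["ls", user_input])                 # line 11: fine
    return result, cfg, safe, obj
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.rule_id} line {f.line}: {f.message}")
```

Because the scanner works on the syntax tree rather than on text, it distinguishes `yaml.load(payload)` from `yaml.load(payload, Loader=yaml.SafeLoader)` and the list-form `subprocess.run` from the `shell=True` form, which a grep-based tool like Graudit cannot do. Adding a rule is a matter of adding one more branch, which is what Bandit's plugin model formalises.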
Meta’s Pyre is the next big scanner for Python, and its focus is on scanning performance. Pyre analyzes code incrementally, giving feedback directly when encountering a problem, so you don’t have to wait until the end.
3. Safety CLI
Safety CLI is another security scanner for Python. Because it uses the Python vulnerability database Safety DB, it’s available only for non-commercial projects. Safety CLI suggests actionable remediations for all issues it finds.
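Safety CLI, npm audit and the other dependency auditors mentioned above all do the same basic job: read the versions you have pinned and match them against advisory records. The following is an added example written for this article that shows that matching step end to end; it is not Safety CLI's code, and the advisory IDs, package names and requirements file in it are constructed placeholders rather than real advisories or packages.

```python
"""Added example: auditing pinned dependencies against a vulnerability database.

Illustrative code written for this article; it is not Safety CLI or npm audit,
and the advisory records and package names below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed advisory database. Real tools pull records of this shape from
# Safety DB, the npm advisory service or similar feeds.
ADVISORIES = [
    {"package": "examplelib", "id": "EXAMPLE-ADV-0001",
     "vulnerable": "<2.20.0", "fixed_in": "2.20.0"},
    {"package": "otherlib", "id": "EXAMPLE-ADV-0002",
     "vulnerable": ">=1.0.0,<1.4.2", "fixed_in": "1.4.2"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


@dataclass
class AuditFinding:
    package: str
    installed: str
    advisory_id: str
    fixed_in: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.19.0' into (2, 19, 0); dotted numeric versions only."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(version: str, spec: str) -> bool:
    """Evaluate a comma-separated range such as '>=1.0.0,<1.4.2'."""
    installed = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([0-9.]+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](installed, parse_version(bound)):
            return False
    return True


def parse_requirements(text: str) -> tuple[dict[str, str], list[str]]:
    """Return {package: pinned_version} plus the lines that are not pinned."""
    pins: dict[str, str] = {}
    unpinned: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)                # cannot audit an unknown version
    return pins, unpinned


def audit(requirements: str, advisories=ADVISORIES) -> tuple[list[AuditFinding], list[str]]:
    """Match every pinned package against the advisory database."""
    pins, unpinned = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"])
        if installed and version_matches(installed, adv["vulnerable"]):
            findings.append(AuditFinding(adv["package"], installed, adv["id"], adv["fixed_in"]))
    return findings, unpinned


# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
examplelib==2.19.0   # below the fixed version
otherlib==1.4.2      # exactly the fixed version: clean
thirdlib==0.1.0      # no advisory on record
somelib>=3.0         # unpinned: the audit cannot tell which version is installed
"""

if __name__ == "__main__":
    found, skipped = audit(SAMPLE_REQUIREMENTS)
    for f in found:
        print(f"{f.package} {f.installed}: {f.advisory_id}, upgrade to {f.fixed_in}")
    for line in skipped:
        print(f"not audited (unpinned): {line}")
```

The unpinned line is reported separately on purpose: an auditor can only reason about versions it knows, which is why lockfiles (package-lock.json, yarn.lock, a fully pinned requirements file) matter for the CI/CD integrations described earlier.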
Now let’s turn our attention to two Java scanners.
1. SpotBugs
Since FindBugs, a popular code scanner, was discontinued, the still-supported fork SpotBugs is a viable alternative. Because it's a general code quality tool, SpotBugs finds more than just security issues. You can use it as a CLI tool, within your CI/CD pipeline, or in IDEs like IntelliJ IDEA.
2. Find Security Bugs
Find Security Bugs is an add-on for SpotBugs built by OWASP to enhance its security scanning capabilities. It scans Java and Java-related languages, like Kotlin, Groovy, and Scala.
The most popular security scanner for Go is gosec. It integrates with golangci-lint, so you can run it alongside the other linters golangci-lint supports.
Ruby also has its own set of tools to keep your code secure.
Brakeman is the quintessential tool for Ruby code security, used by big names like GitHub and New Relic. Brakeman conducts static analysis for security issues, and because it runs from the command line, it integrates well with CI/CD pipelines if needed.
Scanning code repositories for vulnerabilities and misconfigurations. This helps developers catch vulnerabilities before they can be deployed to production.
Tracing risks in the cloud automatically back to the code and teams that introduced them. This helps developers understand the root cause of security issues and take corrective action.
Providing in-code remediation guidance so developers can fix issues at the source quickly. This helps developers fix vulnerabilities quickly and easily.
Ensuring the integrity of container images to prevent the risk of image tampering. This helps developers ensure that their container images are not tampered with before they are deployed to production.
Securing your software supply chain with complete SBOM visibility without agents. This helps developers understand the components of their software supply chain and identify any security risks.