Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

The Open-Source Code Security Tool Roundup

This article will give you a refresher on code security and review the most popular open-source code security tools available.

Wiz Experts Team
7 minutes read

When it comes to modern development practices, security isn’t an afterthought anymore. Instead, security has taken its rightful place beside usability, performance, and cost. The elevated importance of security comes down to risk: Forgetting about it is a liability, considering no organization wants to be in the news for losing private user data.

Luckily, there are ways to mitigate risk. Code security tools start checking your code right after you write it, and leveraging them to improve your security posture doesn’t have to be expensive. Many open-source code security tools are freely available, including some created by big companies like Microsoft or security organizations like OWASP.

This article will give you a refresher on code security and review the most popular open-source code security tools available. Let’s get started.

What is code security?

Code security is achieved by following best practices and using tools that scan your code for potential vulnerabilities. The goal is to ensure you write code in a secure way.

You can achieve code security by several different means:

  • Code reviews/manual audits of each commit or your whole codebase, conducted either by your own engineers or by an external security consultant

  • Static-type systems that make writing insecure code harder

  • Code linters that enforce best practices to prevent known issues in programming languages

  • Static application security analysis (SAST) tools, which check code for known vulnerabilities

  • Audit tools that check if the code depends on third-party code with known vulnerabilities

How do code security tools work?

By comparing code you’ve written and third-party libraries you’ve used with online databases filled with known vulnerabilities, secure code review tools protect you from risks. More recent tools even spot issues by using large language models (LLMs) trained on vulnerability databases and source code that follows security best practices. 

Some tools simply list the issues they find, but most propose actionable solutions so you can fix problems immediately. Many code security tools boast easy integration as well. Combining code security scanning tools with other developer tools like IDEs, Git hooks, and CI/CD pipelines allows you to scan your code at every step of the development process.

Which open-source code security tools are available?

Now that we’ve explored what code security tools are, let’s check out the most popular ones, organized by different use cases. 

  1. Multi-language code security tools

  2. Language-specific code security tools

    1. Javascript scanners

    2. Python scanners

    3. Go Scanners

    4. Ruby scanners

    5. PHP scanners

Multi-language code security tools 

Keep in mind that while popular languages are usually supported by multi-language tools and frequently even have dedicated scanners, more obscure languages—like Elixir, PL/SQL, and Modelica—are often supported by just one tool. We’ll discuss language-specific tools after this section. But first, we’ll take a look at tools that cover multiple programming languages.

1. Semgrep

Semgrep is one of the most popular code security tools on GitHub thanks to its fast scans of code and dependencies. Semgrep is written in OCaml and is available as the open-source part of a managed service.

  • Languages supported: C#, Go, Java, JavaScript/TypeScript, JSON, PHP, Python, Ruby, Scala, Terraform, and more

  • Languages in beta: Rust and Kotlin 

  • Languages with experimental support: Bash, C/C++, Clojure, Dart, Dockerfile, Elixir, HTML, Julia, Jsonnet, Lisp, Lua, OCaml, R, Scheme, Solidity, Swift, YAML, XML, and generics (like ERB and Jinja)

2. SonarQube

SonarQube is a security scanner written in Java. The open-source community edition supports more than a dozen programming languages. 

  • Languages supported: Azure Resource Manager, AWS CloudFormation, C#, CSS, Docker, Flex, Go, HTML, Java, JavaScript/TypeScript, Kotlin, Kubernetes, PHP, Python, Ruby, Scala, Terraform, VB.NET, and XML 

More languages are supported in the paid version.

3. PMD

PMD calls itself an extensible source code analyzer. It uses JavaCC and ANTLR and supports writing queries in Java or XPath.

  • Languages supported: Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PL/SQL, Apache Velocity, HTML, XML/XSL, and Scala

4. Bearer

Bearer is a developer-friendly SAST tool that scans your code in the command line. With rules based on the OWASP Top 10 security risks and common privacy risks, Bearer allows you to filter vulnerabilities by priority. This flexibility means you can start fixing risks for sensitive data immediately before moving to less crucial problems later.

  • Languages supported: JavaScript/TypeScript, Ruby, Java, PHP, Go, and Python

5. Graudit

Graudit is a grep-based security scanner. It’s a rather basic tool but doesn’t require much technical know-how to get started. A huge benefit of Graudit is its extensive list of supported programming languages. 

  • Languages supported: ActionScript, ASP, C, COBOL, .NET, Eiffel, EXEC, Fruit, Go, Java, JavaScript/TypeScript, Nim, Perl, PHP, Python, Ruby, Scala, SPSQL, SQL, and more

6. Horusec

Horusec is a static code analysis tool that comes in multiple variants. You can run it as a CLI while coding or use an IDE plugin to get results without switching tools. It’s also available via a Docker image, offering a handy vulnerability management web UI.

  • Languages supported: C#, Java, Kotlin, Python, Ruby, Go, Terraform, Javascript/Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and NGINX

7. Scan

Scan is a SAST scanning tool that focuses on ease of use. It’s preconfigured, so you don’t have to learn about its intricacies before getting your first report. 

  • Languages supported: Ansible, Apex, ARM, AWS, Bash, BOM, CredScan, dep-scan, Dockerfile, Go, Groovy, Java, JSP, JSON, Kotlin, Scala, Kubernetes, NodeJS, PHP, PL/SQL, Python, Ruby, Rust, Serverless, Terraform, Visualforce, Apache Velocity, and YAML

8. Betterscan

The community edition of Betterscan is open source and free to use. It’s a security tool orchestrator, meaning it uses many different tools to ensure the safety of your code, including SAST and SCA and also secrets scanning. Since Betterscan essentially wraps many other tools, it supports many languages. 

  • Languages supported: PHP, Java, Scala, Python, Perl, Ruby, .NET, C/C++, Swift, Kotlin, Apex, Javascript/Typescript, Go, Solidity, Docker, Kubernetes, and Terraform

9. Trivy

Trivy is a code scanner for infrastructure as code (IaC) definitions. Additionally, Trivy scans filesystems and images for issues.

  • Languages supported: AWS, Terraform, Kubernetes, and more

10. automated-security-helper for AWS

The automated-security-helper is a security tool orchestrator for AWS deployments. It scans different types of code files, including:

  • IaC definition languages, like CloudFormation templates, Terraform, and Dockerfiles

  • Access control definitions, like IAM policies

  • General programming languages via integrations with different scanners

Language-specific code security tools

Next, let’s review language-specific tools. In this category, each tool covers only one programming language. Since these tools are written in the same programming language they scan, you can easily extend them and fix bugs when necessary.

JavaScript scanners

Let’s start with JavaScript-specific tools.

1. nodejsscan

nodejsscan is probably the most popular SAST scanner for NodeJS applications. It runs in a Docker container and comes with various visualizations for the vulnerabilities it finds, making integration with a CI/CD pipeline easy. 

2. npm-audit

npm-audit is the staple security tool for NodeJS applications. As part of the npm package manager CLI, every NodeJS installation includes it out of the box. npm-audit automatically notifies you about security issues when you install an npm package. 

3. yarn npm audit

Yarn is an alternative CLI for npm packages. Until version 2.0.0, its audit command was called "yarn audit." It was renamed "yarn npm audit" to clarify that Yarn uses the same audit service as npm for its security checks.

Python scanners

Let’s explore Python-specific tools next.

1. Bandit

Bandit is one of the go-to security scanners for Python applications. It was developed by the Python Code Quality Authority (PyCQA), which focuses on Python code security. Bandit uses an AST scanner, allowing different plugins to enhance the spectrum of issues it can find.

2. Pyre 

Meta’s Pyre is the next big scanner for Python, and its focus is on scanning performance. Pyre analyzes code incrementally, giving feedback directly when encountering a problem, so you don’t have to wait until the end.

3. Safety CLI

Safety CLI is another security scanner for Python. Because it uses the Python vulnerability database Safety DB, it’s available only for non-commercial projects. Safety CLI suggests actionable remediations for all issues it finds.

Java scanners

Now let’s turn our attention to two Java scanners.

1. Spot Bugs

Since FindBugs, a popular code scanner, was discontinued, the still-supported fork SpotBugs is a viable alternative. Since it’s a general code quality tool, SpotBugs finds more than just security issues. You can use it as a CLI tool, within your CI/CD pipeline, or in IDEs like IntelliJ IDEA.

2. Find Security Bugs

Find Security Bugs is an add-on for SpotBugs built by OWASP to enhance its security scanning capabilities. It scans Java and Java-related languages, like Kotlin, Groovy, and Scala.

Go scanners

Now let’s look at the tools for Go.

1. golangci-lint

golangci-lint is a scanner orchestrator that runs a set of linters in parallel to ensure quick responses. It comes with a list of supported linters and allows you to write your own. 

2. gosec

The most popular security scanner for Go is gosec. It integrates with golangci-lint, so you can run it alongside other scanners it supports.

Ruby scanners

Ruby also has its own set of tools to keep your code secure.

1. Brakeman 

Brakeman is the quintessential tool for Ruby code security, used by big names like GitHub and New Relic. Brakeman conducts static analysis for security issues, and because it runs in the command line, Brakeman integrates well with CI/CD pipelines if needed. 

2. Dawn

Dawn is the alternative choice for Ruby. Dawn is more focused on web applications written in Sinatra, Padrino, and Ruby on Rails. 

PHP scanners

PHP is still one of the predominant languages for web development, so it should be no surprise that it has several tools to choose from.

1. PHP_CodeSniffer

PHP_CodeSniffer is the preeminent code scanner in the PHP ecosystem. With the phpcs-security-audit plugin, you can leverage it for security scans.

2. Psalm

Psalm is a static code analysis tool that mainly focuses on type-related bugs, but it also has a few security-related checks in place.

3. Enlightn

Enlightn is a security scanner for the Laravel web framework. It checks for performance, security, and reliability issues for your web application.

4. Security Code Scan for .NET

A popular open-source scanner for security vulnerabilities is Security Code Scan. It covers VB.NET and C#.

5. clj-holmes for Clojure

If Clojure is your thing, you’ll be happy to hear there are open-source scanners! clj-holmes is a CLI SAST scanner.

The Wiz approach to secure cloud development

Wiz offers a variety of capabilities to help developers find and fix vulnerabilities early in the development process, including:

  • Scanning code repositories for vulnerabilities and misconfigurations. This helps developers catch vulnerabilities before they can be deployed to production.

  • Tracing risks in the cloud automatically back to the code and teams that introduced them. This helps developers understand the root cause of security issues and take corrective action.

  • Providing in-code remediation guidance so developers can fix issues at the source quickly. This helps developers fix vulnerabilities quickly and easily.

  • Ensuring the integrity of container images to prevent the risk of image tampering. This helps developers ensure that their container images are not tampered with before they are deployed to production.

  • Securing your software supply chain with complete SBOM visibility without agents. This helps developers understand the components of their software supply chain and identify any security risks.

If you need end-to-end code to production solution, request a demo to see how Wiz embeds seamlessly into developer workflows, empowering you to take ownership of your security.

Secure your cloud from code to production

Learn why CISOs at the fastest growing companies choose Wiz to secure their software supply chain.

Get a demo

Continue reading

Navigating Incident Response Frameworks: A Fast-Track Guide

Wiz Experts Team

An incident response framework is a blueprint that helps organizations deal with security incidents in a structured and efficient way. It outlines the steps to take before, during, and after an incident, and assigns roles and responsibilities to different team members.

What is a Data Poisoning Attack?

Wiz Experts Team

Data poisoning is a kind of cyberattack that targets the training data used to build artificial intelligence (AI) and machine learning (ML) models.

Dark AI Explained

Wiz Experts Team

Dark AI involves the malicious use of artificial intelligence (AI) technologies to facilitate cyberattacks and data breaches. Dark AI includes both accidental and strategic weaponization of AI tools.