Source Code Scanners (SAST)


SAST scanners analyze an application's source code without executing it, examining the code to identify potential security flaws such as injection vulnerabilities, insecure configurations, or authentication weaknesses. Because they work on the source directly, SAST tools can surface vulnerabilities early in the development lifecycle, enabling proactive remediation and reducing the likelihood of security breaches in production environments.
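To make the "analyze without executing" point concrete, here is a small added example (not BoostSecurity code, and not one of the scanners listed on this page) of how a SAST rule works: it parses Python source into an AST and flags two classic patterns, a SQL sink fed a string built at runtime and a subprocess call with shell=True. The rule identifiers (PY-SQLI-001, PY-CMDI-001) and the embedded sample source are constructed for this illustration.

```python
"""Minimal AST-based static analysis check: two rules run over source text,
never over a running program. Illustrative only; rule ids are made up."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str


# Method names treated as SQL execution sinks (DB-API style cursors).
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the node builds a string at runtime: f-string, %, +, or .format()."""
    if isinstance(node, ast.JoinedStr):  # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Rule 1: SQL sink whose first argument is a runtime-built string.
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            if _is_dynamic_string(node.args[0]):
                self.findings.append(Finding(
                    "PY-SQLI-001", node.lineno,
                    f"{func.attr}() called with a dynamically built query; "
                    "use bound parameters instead"))
        # Rule 2: subprocess.<anything>(..., shell=True).
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(
                        "PY-CMDI-001", node.lineno,
                        f"subprocess.{func.attr}() with shell=True; pass an argv list"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<input>") -> list[Finding]:
    """Parse the source and return findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = _Visitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: vulnerable and safe variants side by side.
SAMPLE = '''\
import subprocess
import sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)   # line 6: flagged
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")     # line 7: flagged
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # parameterized: ok

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)               # line 11: flagged
    subprocess.run(["ping", "-c", "1", host])                     # argv list: ok
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{f.line}: {f.rule_id}: {f.message}")
```

The scanner never imports or runs the sample; it only walks the syntax tree, which is why this class of tool can run on every pull request before the code is ever executed. Real SAST engines add data-flow tracking so that a query built in one function and executed in another is still caught, which this pattern-only check would miss.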

BoostSecurity offers a suite of SAST scanners tailored to different programming languages and frameworks, providing comprehensive coverage across diverse technology stacks. These scanners integrate seamlessly into the CI/CD pipeline, automatically analyzing code changes and providing actionable insights to developers within their familiar development environments.

| Scanner | registry_module name | Pull Request Flow | Configuration | Description |
| --- | --- | --- | --- | --- |
| Boost Native Scanner | boostsecurityio/native-scanner | yes | - | The BoostSecurity-provided scanner, which leverages several open source and homegrown security checks with curated rules. Supports scanning for multiple languages. |
| Brakeman | boostsecurityio/brakeman | yes | - | The Brakeman module scans Ruby source code for vulnerabilities, leveraging the latest version of brakeman from presidentbeef/brakeman. |
| Checkov | boostsecurityio/checkov | yes | - | The Checkov module scans source code for vulnerabilities, leveraging the checkov scanner from bridgecrew/checkov. |
| Semgrep | boostsecurityio/semgrep | yes | - | The Semgrep module scans source code for vulnerabilities, supporting various programming languages. The module leverages semgrep version 0.112 from returntocorp/semgrep. |
| GoSec | boostsecurityio/gosec | yes | - | The GoSec module scans Go source code for vulnerabilities. The module leverages gosec from securego/gosec. |
| CodeQL | boostsecurityio/codeql | yes | CODEQL_LANGUAGE | The CodeQL module scans source code for vulnerabilities, supporting various programming languages. The module leverages CodeQL from GitHub. The environment variable CODEQL_LANGUAGE must be set to the programming language being scanned. |