SARIF eco-system information

[Michael Fanning <Michael.Fanning@microsoft.com>]

Eddy and I, working with GitHub, have created a working list of direct SARIF producers.

MicroFocus and GrammaTech support is conspicuously absent: we will be soliciting appropriate representation in this list on the TC call today.

MCF

 

         BinSkim is a binary-level security checker that validates Window, Mac and *nix binaries. 

         Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.  

         Checkstyle is a Java style guidelines checking. 

         CodeQL is a multilanguage, intraprocedural checker with a large rule set. 

         Clang Analyzer, the LLVM C/C++ checker, has added SARIF export. 

         CredScan is a file scanner that detects plaintext secrets. 

         DartAnalyzer is a dart/flutter analyzer. 

         Detekt is a static code analysis tool for the Kotlin programming language.  

         DevSkim is a set of IDE checkers and language analyzers that provide inline security analysis. 

         Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. 

         ESLint Sarif Formatter enables SARIF export for ESLint, a _javascript_ static analyzer. 

         Flawfinderâis a C/C++ source code security checker. 

         GoSec is a GoLang security checker. 

         Kubesec, backed by ControlPlane.io provides Security risk analysis for Kubernetes resources. 

         MobSF is is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.  

         NodeJSScan is a Static security code scanner (SAST) for Node.js applications. 

         Psalm is an open source tool for finding security vulnerabilities in PHP. 

         PMD is a multilanguage source code analyzer. 

         PSScriptAnalyzer is a static code checker for PowerShell modules and scripts 

         PREfast is the C/C++ correctness checker behind the Microsoft compiler /analyze switch. 

         Roslyn is a platform for analyzing and rewriting C#/VB.NET code. 

         Sarif Pattern Matcherâis a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc. 

         Security Code Scan is a Vulnerability Patterns Detector for C# and VB.NET. 

         Semgrep, sponsored by R2C, supports a variety of languages. 

         Soblow is the security-focused static analyzer for the Elixir Phoenix Framework. 

         SpotBugs is a Java code checker. 

         TFSec uses static analysis of your terraform templates to spot potential security issues. 

         Trivy is a vulnerability scanner for containers and other artifacts.