This article will give you a refresher on code security and review the most popular open-source code security tools available.
Wiz Experts Team
When it comes to modern development practices, security isn’t an afterthought anymore. Instead, security has taken its rightful place beside usability, performance, and cost. The elevated importance of security comes down to risk: Forgetting about it is a liability, considering no organization wants to be in the news for losing private user data.
Luckily, there are ways to mitigate risk. Code security tools start checking your code right after you write it, and leveraging them to improve your security posture doesn’t have to be expensive. Many open-source code security tools are freely available, including some created by big companies like Microsoft or security organizations like OWASP.
Let’s get started.
Code security is achieved by following best practices and using tools that scan your code for potential vulnerabilities. The goal is to ensure you write code in a secure way.
You can achieve code security by several different means:
Code reviews/manual audits of each commit or your whole codebase, conducted either by your own engineers or by an external security consultant
Static-type systems that make writing insecure code harder
Code linters that enforce best practices to prevent known issues in programming languages
Static application security analysis (SAST) tools, which check code for known vulnerabilities
Audit tools that check if the code depends on third-party code with known vulnerabilities
How do code security tools work?
By comparing code you’ve written and third-party libraries you’ve used with online databases filled with known vulnerabilities, secure code review tools protect you from risks. More recent tools even spot issues by using large language models (LLMs) trained on vulnerability databases and source code that follows security best practices.
Some tools simply list the issues they find, but most propose actionable solutions so you can fix problems immediately. Many code security tools boast easy integration as well. Combining code security scanning tools with other developer tools like IDEs, Git hooks, and CI/CD pipelines allows you to scan your code at every step of the development process.
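As an added illustration of the dependency-audit step described above (this is not code from the article or from any tool it lists), the following Python script does in miniature what npm audit or Safety CLI do: it parses a pinned requirements list, matches each package against an advisory database with affected version ranges, and proposes the fix. The package names, advisory IDs and versions are constructed placeholders; a real tool fetches the database from a service rather than embedding it.

```python
"""Toy dependency audit: match pinned requirements against an advisory database.
Added example; package names, advisory IDs and versions are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder, not a real CVE/GHSA id
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first patched version (exclusive); "" if no fix yet
    summary: str


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    summary: str
    remediation: str


# Constructed advisory database standing in for the online feed a real tool queries.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-0001", "examplelib", "0.1.0", "1.0.0", "example: unsafe deserialization"),
    Advisory("EXAMPLE-0002", "toyhttp", "2.0.0", "2.3.0", "example: header injection"),
    Advisory("EXAMPLE-0003", "toyhttp", "2.3.0", "", "example: denial of service, unfixed"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """Half-open range check: introduced <= version < fixed (unbounded when unfixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Unpinned specifiers are rejected because an audit needs an exact version."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep != "==" or not version.strip():
            raise ValueError(f"unpinned dependency, cannot audit: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def audit(requirements: str, advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Return one Finding per (dependency, matching advisory) with a remediation hint."""
    deps = parse_requirements(requirements)
    findings: List[Finding] = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is None or not is_affected(version, adv):
            continue
        remediation = (f"upgrade {adv.package} to >= {adv.fixed}" if adv.fixed
                       else f"no fixed release of {adv.package} yet; mitigate or replace")
        findings.append(Finding(adv.package, version, adv.advisory_id, adv.summary, remediation))
    return sorted(findings, key=lambda f: (f.package, f.advisory_id))


# Constructed lockfile content for the demonstration.
SAMPLE_REQUIREMENTS = """\
toyhttp==2.3.1
examplelib==0.9.0   # pinned below the patched release
safeutil==1.4.2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.advisory_id}: {f.package}=={f.version} ({f.summary}) -> {f.remediation}")
```

Two details matter in practice and are handled here: versions are compared as integer tuples so that 2.10.0 is newer than 2.3.0, and an unpinned requirement is rejected rather than silently skipped, since a range specifier gives the audit nothing exact to compare against.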
Keep in mind that while popular languages are usually supported by multi-language tools and frequently even have dedicated scanners, more obscure languages—like Elixir, PL/SQL, and Modelica—are often supported by just one tool. We’ll discuss language-specific tools after this section. But first, we’ll take a look at tools that cover multiple programming languages.
Multi-language code security tools
1. Semgrep
Semgrep is one of the most popular code security tools on GitHub thanks to its fast scans of code and dependencies. Semgrep is written in OCaml and is available as the open-source part of a managed service.
Languages supported: C#, Go, Java, JavaScript/TypeScript, JSON, PHP, Python, Ruby, Scala, Terraform, and more
Languages in beta: Rust and Kotlin
Languages with experimental support: Bash, C/C++, Clojure, Dart, Dockerfile, Elixir, HTML, Julia, Jsonnet, Lisp, Lua, OCaml, R, Scheme, Solidity, Swift, YAML, XML, and generics (like ERB and Jinja)
2. SonarQube
SonarQube is a security scanner written in Java. The open-source community edition supports more than a dozen programming languages.
Languages supported: Azure Resource Manager, AWS CloudFormation, C#, CSS, Docker, Flex, Go, HTML, Java, JavaScript/TypeScript, Kotlin, Kubernetes, PHP, Python, Ruby, Scala, Terraform, VB.NET, and XML
More languages are supported in the paid version.
3. PMD
PMD calls itself an extensible source code analyzer. It uses JavaCC and ANTLR and supports writing queries in Java or XPath.
Languages supported: Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PL/SQL, Apache Velocity, HTML, XML/XSL, and Scala
4. Bearer
Bearer is a developer-friendly SAST tool that scans your code in the command line. With rules based on the OWASP Top 10 security risks and common privacy risks, Bearer allows you to filter vulnerabilities by priority. This flexibility means you can start fixing risks for sensitive data immediately before moving to less crucial problems later.
Languages supported: JavaScript/TypeScript, Ruby, Java, PHP, Go, and Python
5. Graudit
Graudit is a grep-based security scanner. It’s a rather basic tool but doesn’t require much technical know-how to get started. A huge benefit of Graudit is its extensive list of supported programming languages.
Languages supported: ActionScript, ASP, C, COBOL, .NET, Eiffel, EXEC, Fruit, Go, Java, JavaScript/TypeScript, Nim, Perl, PHP, Python, Ruby, Scala, SPSQL, SQL, and more
6. Horusec
Horusec is a static code analysis tool that comes in multiple variants. You can run it as a CLI while coding or use an IDE plugin to get results without switching tools. It’s also available via a Docker image, offering a handy vulnerability management web UI.
Languages supported: C#, Java, Kotlin, Python, Ruby, Go, Terraform, Javascript/Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and NGINX
7. Scan
Scan is a SAST scanning tool that focuses on ease of use. It’s preconfigured, so you don’t have to learn about its intricacies before getting your first report.
8. Betterscan
The community edition of Betterscan is open source and free to use. It’s a security tool orchestrator, meaning it uses many different tools to ensure the safety of your code, including SAST and SCA and also secrets scanning. Since Betterscan essentially wraps many other tools, it supports many languages.
Languages supported: PHP, Java, Scala, Python, Perl, Ruby, .NET, C/C++, Swift, Kotlin, Apex, Javascript/Typescript, Go, Solidity, Docker, Kubernetes, and Terraform
9. Trivy
Trivy is a code scanner for infrastructure as code (IaC) definitions. Additionally, Trivy scans filesystems and images for issues.
Languages supported: AWS, Terraform, Kubernetes, and more
10. automated-security-helper
The automated-security-helper is a security tool orchestrator for AWS deployments. It scans different types of code files, including:
IaC definition languages, like CloudFormation templates, Terraform, and Dockerfiles
Access control definitions, like IAM policies
General programming languages via integrations with different scanners
Language-specific code security tools
Next, let’s review language-specific tools. In this category, each tool covers only one programming language. Since these tools are written in the same programming language they scan, you can easily extend them and fix bugs when necessary.
JavaScript scanners
Let’s start with JavaScript-specific tools.
1. nodejsscan
nodejsscan is probably the most popular SAST scanner for NodeJS applications. It runs in a Docker container and comes with various visualizations for the vulnerabilities it finds, making integration with a CI/CD pipeline easy.
2. npm-audit
npm-audit is the staple security tool for NodeJS applications. As part of the npm package manager CLI, every NodeJS installation includes it out of the box. npm-audit automatically notifies you about security issues when you install an npm package.
3. yarn npm audit
Yarn is an alternative CLI for npm packages. Until version 2.0.0, its audit command was called "yarn audit." It was renamed "yarn npm audit" to clarify that Yarn uses the same audit service as npm for its security checks.
Python scanners
1. Bandit
Bandit is one of the go-to security scanners for Python applications. It was developed by the Python Code Quality Authority (PyCQA), which focuses on Python code security. Bandit uses an AST scanner, allowing different plugins to enhance the spectrum of issues it can find.
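To make concrete what an AST-based scanner with plugins looks like, as both the section on how code security tools work and the Bandit description above refer to it, here is an added Python example (not Bandit's code and not part of the article): each check registers itself against one AST node type, and the scanner walks the parsed tree once, asking the relevant checks about each node. The sample source it scans is constructed, and the check IDs are invented.

```python
"""Minimal plugin-based AST scanner for Python source (added example, not Bandit)."""
import ast
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    check_id: str
    line: int
    message: str


# Plugin registry: AST node type -> [(check_id, check function)]
CHECKS: Dict[type, List[Tuple[str, Callable[[ast.AST], Optional[str]]]]] = {}


def check(check_id: str, node_type: type):
    """Decorator that registers a check against one AST node type."""
    def register(fn):
        CHECKS.setdefault(node_type, []).append((check_id, fn))
        return fn
    return register


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


@check("EXEC001", ast.Call)
def eval_or_exec(node: ast.Call) -> Optional[str]:
    name = _call_name(node)
    return f"use of {name}() on possibly untrusted input" if name in ("eval", "exec") else None


@check("SUBP001", ast.Call)
def subprocess_shell_true(node: ast.Call) -> Optional[str]:
    if not _call_name(node).startswith("subprocess."):
        return None
    for kw in node.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return "subprocess call with shell=True"
    return None


@check("HASH001", ast.Call)
def weak_hash(node: ast.Call) -> Optional[str]:
    name = _call_name(node)
    return f"weak hash algorithm {name.split('.')[-1]}" if name in ("hashlib.md5", "hashlib.sha1") else None


@check("SECRET001", ast.Assign)
def hardcoded_secret(node: ast.Assign) -> Optional[str]:
    for target in node.targets:
        if isinstance(target, ast.Name) and any(k in target.id.lower() for k in ("password", "secret", "api_key")):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
                return f"possible hard-coded secret in '{target.id}'"
    return None


def scan_source(source: str) -> List[Finding]:
    """Parse the source once and run every registered check over each matching node."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        for node_type, checks in CHECKS.items():
            if isinstance(node, node_type):
                for check_id, fn in checks:
                    message = fn(node)
                    if message:
                        findings.append(Finding(check_id, node.lineno, message))
    return sorted(findings, key=lambda f: (f.line, f.check_id))


# Constructed sample module containing one instance of each pattern the checks look for.
SAMPLE = """\
import hashlib, subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def digest(data):
    return hashlib.md5(data).hexdigest()
def calc(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.check_id} line {f.line}: {f.message}")
```

Working on the AST rather than on raw text (the grep approach Graudit takes) is what lets a check tell `subprocess.run(cmd, shell=True)` apart from the same words inside a string or a comment, and what lets each plugin stay a few lines long.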
2. Pyre
Meta’s Pyre is the next big scanner for Python, and its focus is on scanning performance. Pyre analyzes code incrementally, giving feedback directly when encountering a problem, so you don’t have to wait until the end.
3. Safety CLI
Safety CLI is another security scanner for Python. Because it uses the Python vulnerability database Safety DB, it’s available only for non-commercial projects. Safety CLI suggests actionable remediations for all issues it finds.
Java scanners
Now let’s turn our attention to two Java scanners.
1. SpotBugs
Since FindBugs, a popular code scanner, was discontinued, the still-supported fork SpotBugs is a viable alternative. Since it’s a general code quality tool, SpotBugs finds more than just security issues. You can use it as a CLI tool, within your CI/CD pipeline, or in IDEs like IntelliJ IDEA.
2. Find Security Bugs
Find Security Bugs is an add-on for SpotBugs built by OWASP to enhance its security scanning capabilities. It scans Java and Java-related languages, like Kotlin, Groovy, and Scala.
Go scanners
Now let’s look at the tools for Go.
1. golangci-lint
golangci-lint is a scanner orchestrator that runs a set of linters in parallel to ensure quick responses. It comes with a list of supported linters and allows you to write your own.
2. gosec
The most popular security scanner for Go is gosec. It integrates with golangci-lint, so you can run it alongside other scanners it supports.
Ruby scanners
Ruby also has its own set of tools to keep your code secure.
1. Brakeman
Brakeman is the quintessential tool for Ruby code security, used by big names like GitHub and New Relic. Brakeman conducts static analysis for security issues, and because it runs in the command line, Brakeman integrates well with CI/CD pipelines if needed.
Scanning code repositories for vulnerabilities and misconfigurations. This helps developers catch vulnerabilities before they can be deployed to production.
Tracing risks in the cloud automatically back to the code and teams that introduced them. This helps developers understand the root cause of security issues and take corrective action.
Providing in-code remediation guidance so developers can fix issues at the source quickly and easily.
Ensuring the integrity of container images so developers can verify that images have not been tampered with before they are deployed to production.
Securing your software supply chain with complete SBOM visibility without agents. This helps developers understand the components of their software supply chain and identify any security risks.
If you need an end-to-end code-to-production solution, request a demo to see how Wiz embeds seamlessly into developer workflows, empowering you to take ownership of your security.