The Secure Coding Best Practices [Cheat Sheet]

Unlock quick recommendations to fortify your code against vulnerabilities. This quick-reference guide is packed with actionable insights to help developers avoid common security pitfalls and build resilient applications.

The Open-Source Code Security Tool Roundup

This article will give you a refresher on code security and review the most popular open-source code security tools available.

Wiz Experts Team
7 minutes read

When it comes to modern development practices, security isn’t an afterthought anymore. Instead, security has taken its rightful place beside usability, performance, and cost. The elevated importance of security comes down to risk: Forgetting about it is a liability, considering no organization wants to be in the news for losing private user data.

Luckily, there are ways to mitigate risk. Code security tools start checking your code right after you write it, and leveraging them to improve your security posture doesn’t have to be expensive. Many open-source code security tools are freely available, including some created by big companies like Microsoft or security organizations like OWASP.

This article will give you a refresher on code security and review the most popular open-source code security tools available. Let’s get started.

What is code security?

Code security is achieved by following best practices and using tools that scan your code for potential vulnerabilities. The goal is to ensure you write code in a secure way.

You can achieve code security by several different means:

  • Code reviews/manual audits of each commit or your whole codebase, conducted either by your own engineers or by an external security consultant

  • Static-type systems that make writing insecure code harder

  • Code linters that enforce best practices to prevent known issues in programming languages

  • Static application security analysis (SAST) tools, which check code for known vulnerabilities

  • Audit tools that check if the code depends on third-party code with known vulnerabilities

How do code security tools work?

By comparing code you’ve written and third-party libraries you’ve used with online databases filled with known vulnerabilities, secure code review tools protect you from risks. More recent tools even spot issues by using large language models (LLMs) trained on vulnerability databases and source code that follows security best practices. 

Some tools simply list the issues they find, but most propose actionable solutions so you can fix problems immediately. Many code security tools boast easy integration as well. Combining code security scanning tools with other developer tools like IDEs, Git hooks, and CI/CD pipelines allows you to scan your code at every step of the development process.

Which open-source code security tools are available?

Now that we’ve explored what code security tools are, let’s check out the most popular ones, organized by different use cases. 

  1. Multi-language code security tools

  2. Language-specific code security tools

    1. Javascript scanners

    2. Python scanners

    3. Go Scanners

    4. Ruby scanners

    5. PHP scanners

Multi-language code security tools 

Keep in mind that while popular languages are usually supported by multi-language tools and frequently even have dedicated scanners, more obscure languages—like Elixir, PL/SQL, and Modelica—are often supported by just one tool. We’ll discuss language-specific tools after this section. But first, we’ll take a look at tools that cover multiple programming languages.

1. Semgrep

Semgrep is one of the most popular code security tools on GitHub thanks to its fast scans of code and dependencies. Semgrep is written in OCaml and is available as the open-source part of a managed service.

  • Languages supported: C#, Go, Java, JavaScript/TypeScript, JSON, PHP, Python, Ruby, Scala, Terraform, and more

  • Languages in beta: Rust and Kotlin 

  • Languages with experimental support: Bash, C/C++, Clojure, Dart, Dockerfile, Elixir, HTML, Julia, Jsonnet, Lisp, Lua, OCaml, R, Scheme, Solidity, Swift, YAML, XML, and generics (like ERB and Jinja)

2. SonarQube

SonarQube is a security scanner written in Java. The open-source community edition supports more than a dozen programming languages. 

  • Languages supported: Azure Resource Manager, AWS CloudFormation, C#, CSS, Docker, Flex, Go, HTML, Java, JavaScript/TypeScript, Kotlin, Kubernetes, PHP, Python, Ruby, Scala, Terraform, VB.NET, and XML 

More languages are supported in the paid version.

3. PMD

PMD calls itself an extensible source code analyzer. It uses JavaCC and ANTLR and supports writing queries in Java or XPath.

  • Languages supported: Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PL/SQL, Apache Velocity, HTML, XML/XSL, and Scala

4. Bearer

Bearer is a developer-friendly SAST tool that scans your code in the command line. With rules based on the OWASP Top 10 security risks and common privacy risks, Bearer allows you to filter vulnerabilities by priority. This flexibility means you can start fixing risks for sensitive data immediately before moving to less crucial problems later.

  • Languages supported: JavaScript/TypeScript, Ruby, Java, PHP, Go, and Python

5. Graudit

Graudit is a grep-based security scanner. It’s a rather basic tool but doesn’t require much technical know-how to get started. A huge benefit of Graudit is its extensive list of supported programming languages. 

  • Languages supported: ActionScript, ASP, C, COBOL, .NET, Eiffel, EXEC, Fruit, Go, Java, JavaScript/TypeScript, Nim, Perl, PHP, Python, Ruby, Scala, SPSQL, SQL, and more

6. Horusec

Horusec is a static code analysis tool that comes in multiple variants. You can run it as a CLI while coding or use an IDE plugin to get results without switching tools. It’s also available via a Docker image, offering a handy vulnerability management web UI.

  • Languages supported: C#, Java, Kotlin, Python, Ruby, Go, Terraform, Javascript/Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and NGINX

7. Scan

Scan is a SAST scanning tool that focuses on ease of use. It’s preconfigured, so you don’t have to learn about its intricacies before getting your first report. 

  • Languages supported: Ansible, Apex, ARM, AWS, Bash, BOM, CredScan, dep-scan, Dockerfile, Go, Groovy, Java, JSP, JSON, Kotlin, Scala, Kubernetes, NodeJS, PHP, PL/SQL, Python, Ruby, Rust, Serverless, Terraform, Visualforce, Apache Velocity, and YAML

8. Betterscan

The community edition of Betterscan is open source and free to use. It’s a security tool orchestrator, meaning it uses many different tools to ensure the safety of your code, including SAST and SCA and also secrets scanning. Since Betterscan essentially wraps many other tools, it supports many languages. 

  • Languages supported: PHP, Java, Scala, Python, Perl, Ruby, .NET, C/C++, Swift, Kotlin, Apex, Javascript/Typescript, Go, Solidity, Docker, Kubernetes, and Terraform

9. Trivy

Trivy is a code scanner for infrastructure as code (IaC) definitions. Additionally, Trivy scans filesystems and images for issues.

  • Languages supported: AWS, Terraform, Kubernetes, and more

10. automated-security-helper for AWS

The automated-security-helper is a security tool orchestrator for AWS deployments. It scans different types of code files, including:

  • IaC definition languages, like CloudFormation templates, Terraform, and Dockerfiles

  • Access control definitions, like IAM policies

  • General programming languages via integrations with different scanners

Language-specific code security tools

Next, let’s review language-specific tools. In this category, each tool covers only one programming language. Since these tools are written in the same programming language they scan, you can easily extend them and fix bugs when necessary.

JavaScript scanners

Let’s start with JavaScript-specific tools.

1. nodejsscan

nodejsscan is probably the most popular SAST scanner for NodeJS applications. It runs in a Docker container and comes with various visualizations for the vulnerabilities it finds, making integration with a CI/CD pipeline easy. 

2. npm-audit

npm-audit is the staple security tool for NodeJS applications. As part of the npm package manager CLI, every NodeJS installation includes it out of the box. npm-audit automatically notifies you about security issues when you install an npm package. 

3. yarn npm audit

Yarn is an alternative CLI for npm packages. Until version 2.0.0, its audit command was called "yarn audit." It was renamed "yarn npm audit" to clarify that Yarn uses the same audit service as npm for its security checks.

Python scanners

Let’s explore Python-specific tools next.

1. Bandit

Bandit is one of the go-to security scanners for Python applications. It was developed by the Python Code Quality Authority (PyCQA), which focuses on Python code security. Bandit uses an AST scanner, allowing different plugins to enhance the spectrum of issues it can find.

2. Pyre 

Meta’s Pyre is the next big scanner for Python, and its focus is on scanning performance. Pyre analyzes code incrementally, giving feedback directly when encountering a problem, so you don’t have to wait until the end.

3. Safety CLI

Safety CLI is another security scanner for Python. Because it uses the Python vulnerability database Safety DB, it’s available only for non-commercial projects. Safety CLI suggests actionable remediations for all issues it finds.

Java scanners

Now let’s turn our attention to two Java scanners.

1. Spot Bugs

Since FindBugs, a popular code scanner, was discontinued, the still-supported fork SpotBugs is a viable alternative. Since it’s a general code quality tool, SpotBugs finds more than just security issues. You can use it as a CLI tool, within your CI/CD pipeline, or in IDEs like IntelliJ IDEA.

2. Find Security Bugs

Find Security Bugs is an add-on for SpotBugs built by OWASP to enhance its security scanning capabilities. It scans Java and Java-related languages, like Kotlin, Groovy, and Scala.

Go scanners

Now let’s look at the tools for Go.

1. golangci-lint

golangci-lint is a scanner orchestrator that runs a set of linters in parallel to ensure quick responses. It comes with a list of supported linters and allows you to write your own. 

2. gosec

The most popular security scanner for Go is gosec. It integrates with golangci-lint, so you can run it alongside other scanners it supports.

Ruby scanners

Ruby also has its own set of tools to keep your code secure.

1. Brakeman 

Brakeman is the quintessential tool for Ruby code security, used by big names like GitHub and New Relic. Brakeman conducts static analysis for security issues, and because it runs in the command line, Brakeman integrates well with CI/CD pipelines if needed. 

2. Dawn

Dawn is the alternative choice for Ruby. Dawn is more focused on web applications written in Sinatra, Padrino, and Ruby on Rails. 

PHP scanners

PHP is still one of the predominant languages for web development, so it should be no surprise that it has several tools to choose from.

1. PHP_CodeSniffer

PHP_CodeSniffer is the preeminent code scanner in the PHP ecosystem. With the phpcs-security-audit plugin, you can leverage it for security scans.

2. Psalm

Psalm is a static code analysis tool that mainly focuses on type-related bugs, but it also has a few security-related checks in place.

3. Enlightn

Enlightn is a security scanner for the Laravel web framework. It checks for performance, security, and reliability issues for your web application.

4. Security Code Scan for .NET

A popular open-source scanner for security vulnerabilities is Security Code Scan. It covers VB.NET and C#.

5. clj-holmes for Clojure

If Clojure is your thing, you’ll be happy to hear there are open-source scanners! clj-holmes is a CLI SAST scanner.

Introducing Wiz Code: Secure Your Cloud from Code to Runtime

We're thrilled to announce the general availability of Wiz Code, the next evolution in cloud-native application security!

Transform Your AppSec and DevSecOps with Wiz Code

Wiz Code extends our industry-leading cloud security platform to developer environments, providing comprehensive protection from the first line of code to runtime. Here's how Wiz Code empowers your organization:

  • Unified Security Across the SDLC: Seamlessly integrate security into every stage of development, from IDE to production.

  • Code-to-Cloud and Cloud-to-Code Mapping: Leverage our Security Graph to connect code repositories and CI/CD pipelines to cloud environments, enabling rapid issue prioritization and remediation.

  • One Policy Engine for All: Enforce consistent security controls across your entire development lifecycle with our expanded unified policy engine.

  • Accelerated Remediation: Fix cloud issues faster with deep integration into developer workflows and one-click fix suggestions.

  • Shift-Left Security: Get real-time security feedback, enriched with cloud insights, directly in your IDE and pull requests.

  • Extended Security Posture Management: Gain visibility into your CI/CD pipeline security, ensuring a robust security stance throughout your development process.

Secure your cloud from code to production

Learn why CISOs at the fastest growing companies choose Wiz to secure their software supply chain.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.