SAST is extremely important in the security field: it is not only an effective weapon for fixing vulnerabilities, but also an effective way of finding vulnerabilities on top of baseline security. SAST certainly has its flaws, such as heavy reliance on rules, high false-positive and false-negative rates, and certain vulnerability classes it cannot detect. Even so, the development of SAST has fundamentally driven code security and secure development forward, made up for the shortcomings of DAST, promoted the adoption of IAST, and witnessed the glory of DevSecOps! Author: 0e0w
This project was created on 22 January 2022 and last updated on 31 July 2023. It will keep being updated until the seas run dry and the rocks crumble!
I. Books
- 《Web代码安全漏洞深度剖析》 (In-depth Analysis of Web Code Security Vulnerabilities) @曹玉杰 et al.
- 《Java代码审计-入门篇》 (Java Code Auditing: Introductory Volume) @陈俊杰 et al.
- 《Java代码审计实战》 (Java Code Auditing in Practice) @高昌盛 et al.
- 《Java安全编码标准》 (Java Secure Coding Standard) translated by @计文柯
- 《Java安全性编程指南》 (Java Security Programming Guide) @庞南
- 《Java安全》 (Java Security) @Oaks
- 《Java编码指南》 (Java Coding Guidelines) @刘先宁
- 《Java-Web-Security》 @Dominik Schadow
- 《代码审计-企业级Web代码安全架构》 (Code Auditing: Enterprise-grade Web Code Security Architecture) @尹毅
- 《58集团白盒代码审计系统建设实践》 (58 Group's Practice in Building a White-box Code Audit System) @58安全 (58 Security)
II. Academic Papers
III. Video Resources
IV. Recommended Resources
- https://en.wikipedia.org/wiki/Static_program_analysis
- https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
V. English-language Resources
VI. Other Resources
- https://xz.aliyun.com/t/10216
- https://xz.aliyun.com/t/9335
- https://xz.aliyun.com/t/9429
- https://xz.aliyun.com/t/10756
- https://xz.aliyun.com/t/9531
- https://github.com/trailofbits/pip-audit
- https://github.com/rishisoni90/SECURE-PROGRAMMING-UTA
- https://github.com/RangerNJU/Static-Program-Analysis-Book
- https://github.com/lcatro/Source-and-Fuzzing
- https://github.com/pen4uin/static-analysis
- https://github.com/pen4uin/dotnet-security
- https://github.com/pen4uin/python-security
- https://github.com/pen4uin/golang-security
- https://github.com/modernizing/modernization
- https://github.com/jiangsir404/Audit-Learning
- https://github.com/twosmi1e/Static-Analysis-and-Automated-Code-Audit
- https://github.com/SummerSec/Static-Analysis
- https://www.freebuf.com/sectool/240588.html
- https://paper.seebug.org/1339
- https://evilpan.com/2022/01/22/code-audit
- https://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools
- https://owasp.org/www-community/Source_Code_Analysis_Tools
- https://dzone.com/articles/top-7-static-code-analysis-tools
- https://www.incredibuild.cn/blog/top-9-c-static-code-analysis-tools
- https://github.com/pen4uin/code-review-lab
- 阿里味儿的代码审计随想 (Code-audit musings, Alibaba style)
- https://xz.aliyun.com/t/11492
- https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers
- https://www.anquanke.com/post/id/275186
- https://github.com/topics/SAST
- https://github.com/search?q=SAST
- https://github.com/analysis-tools-dev/static-analysis
I. Recommended Tools
- https://github.com/ASTTeam/Fortify | An excellent code audit tool
- https://github.com/ASTTeam/CodeQL | Semantics-based code scanning tool | 833
- https://github.com/ASTTeam/Semgrep
- https://github.com/ASTTeam/SonarQube
- https://github.com/ASTTeam/Coverity
- https://github.com/facebook/infer
- https://github.com/joernio/joern
- https://github.com/accurics/terrascan
- https://github.com/SonarSource/sonarqube
- https://github.com/MobSF/mobsfscan
- https://github.com/Tencent/CodeAnalysis
- https://github.com/securego/gosec
- https://github.com/CoolerVoid/codecat
- http://svf-tools.github.io/SVF
- https://github.com/4ra1n/code-inspector
II. Open-source Tools
- https://github.com/FeeiCN/Cobra | Source code security audit | 2.8k
- https://github.com/LoRexxar/Kunlun-M | Open-source static white-box scanning tool | 1.4k
- https://github.com/zsdlove/Hades | Java static code vulnerability detection system | 400
- https://github.com/ZupIT/horusec | Identify vulnerabilities in a project with one command | 661
- https://github.com/insidersec/insider | Focused on covering OWASP vulnerability scanning | 341
- https://github.com/ajinabraham/njsscan | Node.js code scanning tool | 232
- https://github.com/XianYanTechnology/RocB | Java code audit IDEA plugin (SAST) | 118
- https://github.com/SourceCode-AI/aura
- https://github.com/wahyuhadi/rinjani
- https://github.com/checkmarx-ts/CxAnalytix
- https://github.com/secdec/astam-correlator
- https://github.com/MagpieBridge/CryptoAnalysis-Android
- https://github.com/synopsys-sig/intelligent-security-scan
- https://github.com/MetLife/VeracodeCommunitySAST
- https://github.com/clj-holmes/clj-holmes
- https://github.com/b0n1t0/gSAST
- https://github.com/portilha/Checkmarx.API
- https://github.com/AppThreat/sast-scan-action
- https://github.com/ShiftLeftSecurity/sast-scan
- https://github.com/AppThreat/sast-scan
- https://github.com/mpast/mobileAudit
- https://github.com/ajinabraham/nodejsscan
- https://github.com/r0hi7/DockerENT
- https://github.com/ajinabraham/libsast
- https://github.com/CloudDefenseAI/cd
- https://github.com/oversecured/oversecured-bitrise-step
- https://github.com/ivan-sincek/go-actions
- https://github.com/github/codeql-cli-binaries
- https://github.com/facebookarchive/pfff
- https://github.com/Osthanes/appscan_static_analyzer
- https://github.com/dvelopp/SpringAngularApp
- https://github.com/jonrau1/CodeArtifactVulnScanner
- https://github.com/azharanees/OWASP-iGNITA
- https://github.com/joyliu-q/SASTAll
- https://github.com/IvanKuchin/SAST
- https://github.com/Hack23/talks
- https://github.com/rajasoun/cookiecutter-shift-left-security
- https://github.com/vwt-digital/cloudbuilder-sast
- https://github.com/adavarski/docker-bandit
- https://github.com/aramrami/iGNITA
- https://github.com/Scanner-One/Scanner-One
- https://github.com/SummerSec/SPATool
- https://github.com/checkstyle/checkstyle
- https://github.com/marcinguy/scanmycode-ce
- https://github.com/AppThreat/dep-scan
- https://github.com/murphysecurity/murphysec
- https://github.com/droidsec-cn/Alien-Intelligent-Security-Assessment-for-Android
- https://github.com/j5s/XVulnFinder
- https://github.com/magnologan/gha-devsecops
- https://github.com/we45/ThreatPlaybook
- https://github.com/SAST-skill-docers/sast-skill-docs
- https://github.com/NodeSecure/js-x-ray
- https://github.com/cxai/Checkmarx-PowerTools
- https://github.com/Er1cccc/ACAF
- https://github.com/zricethezav/gitleaks
- https://github.com/4ra1n/swing-rce-inspector
- https://github.com/Bearer/bearer
III. Commercial Products
- Tencent Xcheck
- QiAnXin 代码卫士 (Code Guard)
- https://www.woocoom.com
- https://www.microfocus.com
- https://checkstyle.sourceforge.io
This chapter covers the implementation principles and design ideas behind SAST.
I. Regex-based
II. AST-based
III. IR/CFG-based
IV. QL-based
V. Based on ......?
- How do you develop an excellent SAST tool or product?
- What characteristics should an excellent SAST product have?