I'm a huge fan of making good security tools available to all. Sadly we, as an industry, have somehow made it that if you want solid Static application security testing (SAST) tools, you have to pay a huge amount and that never sat right with me.
I've gone on about @r2cdev's Semgrep for a while now and watching the project mature has been amazing, but a recent sprint gave us something that I wasn't expecting: a security dashboard.
What this means is that it's much easier to:
Manage rules across all projects and thus understand more about the quality of code being pushed, which is important I feel.
A few things that I appreciate (coming from testing and using many of the big players in this market who do charge loads):

1: It's easy to integrate into my CI/CD pipelines. So add to a repo, ensure project secrets are set and tokens are all good and bosh, you are up and running.
2: I can define super-fast policies to scan my code. I don't need the kitchen sink thrown at a repo, I know my code and dependencies. I can use public rulesets or private ones.
The community-driven rulesets are really good and I'm noticing that when a bug is found, the speed at which someone writes a rule for it is far faster than with commercial tools: https://semgrep.dev/rulesets
What this now means is a SAST scanner that fits into my pipeline and doesn't take hours. Ask any dev what they hate about SAST tools and they will probably tell you that clunky integration and speed are a huge issue (besides false positives).
I guess what I'm trying to say is that this helps so many bring proper security to their codebases without costing a fortune and for that, I respect the hell out of the Semgrep team as security should be available for all and not only those who can afford it.
You can follow @dcuthbert.