I'm looking for a Static Application Security Testing (SAST) tool and I can't afford the commercial products (eg. Checkmarx).
SonarQube is a great static code analysis tool but I notice that there is only a few rules of the "Vulnerabilities" type ("Vulnerabilities" equals "Security", am I right?).
I plan to extend some custom plugins including a lot of vulnerabilities rules (maybe hundreds of rules for C/C++, Java, and other languages that SonarQube supports).
Is that a practicable way to make SonarQube a "Checkmarx like" tool? Or is SonarQube suitable for static security testing? (I'm not sure if Sonar Scanner is suitable for scanning security problems)
Thanks a lot!
There is a separate SAST tool released by OWASP team named "OWASP SonarQube". This is developed using the sonarqube tool, but as a SAST tool.
This tool can be integrated with your project build same as the SonarQube integration. So if you are familiar with SonarQube, it will be a straightforward move.