Overview

Static Application Security Testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities.

At Sourcegraph, we use a combination of tools within the team to cover different types of vulnerability. We use:

• Checkov and OPA policies to scan our Terraform infrastructure.
• Trivy to scan containers for issues with dependencies.
• Semgrep OSS to scan our code in sourcegraph/sourcegraph , sourcegraph/jetbrains and sourcegraph/cody to identify vulnerabilities & bad patterns
• Github push protection on all public repositories for secret scanning.