Static Code Analysis: Some Tools
Security for applications is extremely important. While there are various considerations for securing an application, this post concentrates on code vulnerability scanning.
In the traditional approach, security audits were carried out in the final stages of development by dedicated security audit teams using manual checks. Security scans and audits take a long time to complete, and when vulnerabilities are identified at these final stages they take even longer to fix.
The best way to do security audits in the DevOps world is to shift left and make the audits part of the build process, so the team is instantly aware of the application's security posture and vulnerabilities are mitigated much earlier in the development cycle.
The first step in the journey to better code quality is to use source code analyzers such as FxCopAnalyzers, which analyze the code for style, quality, maintainability, etc. and provide metrics.
The Microsoft Learn learning path Build applications with Azure DevOps is a good starting point for anyone who wants to learn how to set up CI/CD for various application frameworks with quality and security best practices. Here we are using the mslearn-tailspin-spacegame-web repository for running tests and configuring build pipelines.
Here is an example of the code quality metrics that were available in Visual Studio while running code analysis locally.
You can check the properties of each diagnostic raised by the analyzer from Solution Explorer. More information on installing and configuring code analyzers can be found here. After running the code analysis, the same results appear in the Visual Studio Error List.
For continuous analysis of code quality, reliability, and security, with automatic detection of bugs, vulnerabilities, code smells and other issues, tools like SonarCloud, ReSharper and WhiteSource can be utilised.
The Azure DevOps Labs blog post describes the steps used to do static code analysis with SonarCloud. Apart from that post, the Microsoft Learn course Scan code for vulnerabilities in Azure Pipelines provides details on using SonarCloud both locally and as part of an Azure DevOps pipeline.
Here is a sample scan result for the mslearn-tailspin-spacegame-web application, as shown in SonarCloud.
Another tool used for code analysis is ReSharper. To take advantage of the complete ReSharper toolset, it must be used in the development phase, with the ReSharper extension installed in each developer's Visual Studio IDE.
To enable code quality checks from continuous integration pipelines, ReSharper provides a free command-line version. ReSharper Command Line Tools is a set of free standalone tools that execute hundreds of ReSharper code inspections outside of Visual Studio and additionally find code duplicates.
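Running the inspections is only half of the shift-left story; the build also has to fail when the report contains findings. The script below is an added example (not from the original post or from JetBrains) that parses an InspectCode XML report and returns the issues at or above a chosen severity so a pipeline step can gate on them. The report embedded in it is a constructed sample in the InspectCode report layout (issue types with severities, issues per project), not real scan output.

```python
"""Gate a CI build on ReSharper InspectCode results (added example)."""
import sys
import xml.etree.ElementTree as ET

# InspectCode severities, least to most severe.
SEVERITY_RANK = {"HINT": 0, "SUGGESTION": 1, "WARNING": 2, "ERROR": 3}

# Constructed sample in the InspectCode XML report layout; not real scan output.
SAMPLE_REPORT = """<Report ToolsVersion="2020.3">
  <IssueTypes>
    <IssueType Id="UnusedVariable" Category="Redundancies in Code"
               Description="Unused local variable" Severity="WARNING" />
    <IssueType Id="InvertIf" Category="Common Practices and Code Improvements"
               Description="Invert 'if' statement" Severity="SUGGESTION" />
  </IssueTypes>
  <Issues>
    <Project Name="Tailspin.SpaceGame.Web">
      <Issue TypeId="UnusedVariable" File="Controllers/HomeController.cs"
             Line="42" Message="Local variable 'leaderboard' is never used" />
      <Issue TypeId="InvertIf" File="Services/DocumentDBRepository.cs"
             Line="17" Message="Invert 'if' statement to reduce nesting" />
    </Project>
  </Issues>
</Report>"""


def parse_report(xml_text):
    """Return one dict per issue, joined with the severity of its issue type."""
    root = ET.fromstring(xml_text)
    severity_of = {t.get("Id"): t.get("Severity") for t in root.iter("IssueType")}
    issues = []
    for project in root.iter("Project"):
        for issue in project.iter("Issue"):
            issues.append({
                "project": project.get("Name"),
                "type": issue.get("TypeId"),
                # Unknown type ids fall back to HINT so they never block a build silently.
                "severity": severity_of.get(issue.get("TypeId"), "HINT"),
                "file": issue.get("File"),
                "line": int(issue.get("Line", "0")),
                "message": issue.get("Message"),
            })
    return issues


def failing_issues(xml_text, min_severity="WARNING"):
    """Issues at or above min_severity; a non-empty list should fail the build."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [i for i in parse_report(xml_text) if SEVERITY_RANK[i["severity"]] >= threshold]


if __name__ == "__main__":
    # Usage: python gate.py report.xml [WARNING]; uses the sample when no file is given.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failures = failing_issues(text, sys.argv[2] if len(sys.argv) > 2 else "WARNING")
    for f in failures:
        print(f'{f["severity"]}: {f["file"]}({f["line"]}): {f["message"]} [{f["type"]}]')
    sys.exit(1 if failures else 0)
```

Point the script at the XML written by `inspectcode.exe` in a pipeline step; a non-zero exit fails the job.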
WhiteSource is another comprehensive tool that deals with the security and licensing of open source components in your codebase. WhiteSource has a free tool (WhiteSource Bolt) available for use with Azure DevOps pipelines and a paid complete solution with real-time alerting, policy-based approvals, custom reports for auditing, etc. A complete comparison can be found here.
Microsoft Security Code Analysis (MSCA) is Microsoft's offering for static code analysis, and is recommended by the Secure Development Lifecycle (SDL) experts at Microsoft. MSCA provides a toolset that includes both Static Application Security Testing (SAST), including Credential Scanner and Roslyn Analyzers, and Dynamic Application Security Testing (DAST), specifically integration with Microsoft Security Risk Detection fuzzing. It makes it easy to run these automatically as part of your build and release pipelines in Azure DevOps.
It includes the following tools:
- Anti-Malware Scanner: Anti-Malware Scanner is run on a build agent that has Windows Defender already installed.
- BinSkim: An open-source lightweight Portable Executable (PE) scanner that validates compiler/linker settings and other security-relevant binary characteristics.
- Credential Scanner: A proprietary static analysis tool that detects credentials, secrets, certificates, and other sensitive content in your source code and your build output.
- Microsoft Security Risk Detection: Security Risk Detection is Microsoft's unique cloud-based fuzz testing service for identifying exploitable security bugs in software. This service requires a separate onboarding process.
- Roslyn Analyzers: Microsoft's compiler-integrated static analysis tool for analyzing managed code (C# and VB).
- TSLint: An open-source extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors, and can be customized with your own lint rules, configurations, and formatters.