from 01.01.2023 to 01.01.2024
Saint Petersburg, St. Petersburg, Russian Federation
In the realm of modern software development, Continuous Integration and Continuous Deployment (CI/CD) pipelines serve as integral mechanisms for maintaining code quality, security, and efficiency. Static code analysis tools play a pivotal role within these pipelines by automating the detection of potential vulnerabilities and enforcing coding standards. This comparative study evaluates and contrasts leading static code analysis tools utilized in CI/CD pipelines, focusing on their capabilities in terms of default and custom policies, integration with development environments, output formats, and customization options. By analyzing and comparing tools such as KICS, tfsec, Trivy, Terrascan, Checkov, and Semgrep OSS, this study aims to provide insights into their strengths and limitations, aiding practitioners in making informed decisions to enhance software quality and security throughout the development lifecycle. This research underscores the importance of selecting appropriate tools based on project-specific requirements, emphasizing that proactive security measures within CI/CD workflows significantly bolster infrastructure safety and compliance.
DevSecOps, CI/CD Pipelines, Infrastructure as Code, Static Code Analysis, Security Scanning, Open-Source Tools, Vulnerability Detection, SAST, Pipeline Security