Static Code Scanning
April 9, 2020
Static code scanning (static analysis) is often integrated with complementary assurance techniques such as unit testing, peer code review, runtime error detection and requirements traceability.
Good Starting Places
- Chapters 13 and 14 of Google's Building Secure and Reliable Systems https://static.googleusercontent.com/media/landing.google.com/en//sre/static/pdf/SRS.pdf
- The Seven Pernicious Kingdoms taxonomy of security flaws https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
- The 2017 NIST publication Improving Software Assurance through Static Analysis Tool Expositions https://www.nist.gov/publications/improving-software-assurance-through-static-analysis-tool-expositions
Catalogs and Lists of Tools
- NIST catalog of source code security analyzers https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- GitHub list of static analysis tools organized by language https://github.com/analysis-tools-dev/static-analysis
- Wikipedia list of static code analysis tools https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis