SShortSingh.
Back to feed

How to Add SAST to Any App Using Free Open-Source Tools Beyond the Usual Names

0
·1 views

Most guides on Static Application Security Testing (SAST) default to paid or enterprise tools like SonarQube, Snyk, or Veracode, but free open-source alternatives exist for teams with budget, licensing, or environment constraints. The OWASP Source Code Analysis Tools page lists dozens of language-specific options, including Bandit for Python, Brakeman for Ruby, Gosec for Go, and Horusec for multiple languages. A developer tutorial demonstrates applying Bandit to a deliberately vulnerable Flask application containing five classic flaws — command injection, SQL injection, insecure deserialization, unsafe YAML loading, and a hardcoded secret with debug mode enabled. Bandit requires no account, server, or license key, runs as a CLI or library, and analyzes Python's AST to detect real logic vulnerabilities rather than relying on simple pattern matching. The same install-configure-scan-fail-track workflow can be integrated into a CI/CD pipeline via GitHub Actions and applies nearly identically across other OWASP-listed tools.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Regex Outperforms LLM Routers for AI Agent Context Gating, Study Finds

A July 2026 paper titled 'ContextSniper' introduced a token-efficient context management system for AI coding agents that filters irrelevant code before it reaches the model, cutting token usage by up to 51.5% on some agents. The system uses an intention-aware gate to decide the cheapest retrieval strategy for any given request, such as symbol lookup, semantic search, or graph traversal. Researchers testing how complex this gate needs to be compared three lightweight routing methods across 140 hand-labeled requests spanning seven intent categories. A simple 40-line regex heuristic achieved 94.3% accuracy and a macro-F1 of 0.945, outperforming TF-IDF centroid classification by roughly 45 points. The findings suggest that for agent context routing, a dedicated LLM call is unnecessary and a well-crafted regex can match or exceed heavier classifiers at a fraction of the cost.

0
ProgrammingDEV Community ·

A Practical Folder Structure Guide for Large Next.js App Router Projects

A developer has shared a folder architecture guide for large Next.js projects using the App Router, based on lessons learned from reorganising a client dashboard. The structure separates routes into the app/ directory, domain-specific business logic into a features/ folder, and reusable UI primitives into components/ui. A key principle called the '10-second findability rule' requires that any piece of code — such as a password reset email handler — can be located within ten seconds, or the structure is considered flawed. Common early mistakes highlighted include dumping 80-plus components into a single folder, growing utility files to over a thousand lines, and scattering Server Actions across random page files instead of colocating them in a dedicated actions.ts. The guide also recommends route groups for separating marketing and dashboard shells, TypeScript strict mode, and an ESLint-enforced import direction policy for teams larger than three developers.

0
ProgrammingDEV Community ·

Why Running Code Matters More Than Reviewing It: A Testing Lesson

A developer discovered a critical gap between code review verdicts and actual test evidence while working on a notification queue ordering change. Although a review had returned a 'pass-with-risk' result with a named reason, the requirement had never actually been executed, leaving the risk labelled but unverified. When the code was finally run, a real timing failure emerged that review alone could not have detected — the scheduler incorrectly prioritised one notification over another under a specific condition. The experience highlighted that a skipped test row looks identical to a passing one in a results matrix, making unverified requirements invisible unless checks are explicitly enforced. The developer concluded that test matrices should preserve records of both failures and fixes, since deleting resolved failures erases the only proof that a check was ever run.

0
ProgrammingDEV Community ·

The 'Placebo Bug': How Developers Intentionally Plant Flaws to Survive Toxic Reviews

Some experienced developers deliberately introduce minor, harmless errors into their code — such as a typo or misaligned button — so that overly critical seniors have an obvious flaw to flag, leaving the core architecture untouched. The practice, informally called the 'Placebo Bug,' mirrors a decades-old game design trick known as the 'Corporate Duck,' where a designer planted a ridiculous visual element to absorb a manager's compulsive need to request changes. While the hack can protect sound engineering work from unnecessary refactoring, it signals a deeper problem: a workplace culture driven by hierarchy and fault-finding rather than genuine mentorship. Under such pressure, junior developers increasingly turn to AI tools for quick fixes without fully understanding the generated code, which can introduce security vulnerabilities that surface only in production. The article argues that when senior developers prioritise asserting authority over nurturing talent, the long-term cost is fragile, insecure systems and stunted engineering growth.