DEV Community

Discussion on: Awesome Java Security

James Perkins

Maybe add SonarQube, it's a pretty big hit in the Java industry and inspects for such items as Unused Code, Coding Convention, Performance Hotspot, Resource Leak, Multi-Threading, Null-Pointer Dereference, Error Handling, Injection Vulnerabilities every time you check in. Free for Open source, one of my go-to security checkers. sonarqube.org/

Stefan Streichsbier

Good one, James. Already added it here.

One thing to consider with SonarQube is that while it is a great and very mature solution, it works much better for quality-related bugs than for security bugs.

To quote from their docs:

"To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. [..] But for security-related rules, the story is a little different. [..]
That's why security-related rules cast a wider net than you may be used to seeing.
The idea is that the rule will flag anything suspicious, and leave it to the human security auditor to cull the false positives and send the real issues for remediation."

James Perkins

Thanks for adding it!

Yes, whilst they aren't in the game of security, their wide catch of flagging has caught some things in the past that, as developers, we have looked into.

Nice work on the listing, I have starred it for future looks.