Welcome to the 6th episode of our Security Culture Campaign! On today’s show Matt Konda talks Static Analysis.
There are a lot of static analysis tools out there. One of the simplest is eslint, for which security rulesets exist; their documentation has handy illustrations of the kinds of issues these tools can find.
We recommend:
- Use a linter locally in your code editor, where one exists for your language and stack
- Run a static analysis tool in your CI/CD pipeline, as long as it finds useful things; a noisy tool that everyone ignores is worse than none
- Expect to spend time tuning the tool (choosing rulesets, suppressing false positives) before the results are worth acting on
- Start with free tools and build the process and habit, then consider commercial tools
- Augment static analysis with code review: tools find known patterns, reviewers find logic and design flaws
- Consider an assisted code review strategy, where tool output helps focus reviewer attention
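To make the recommendations above concrete, here is a small, added example (not code from the episode, from Jemurai, or from eslint): a toy regex-based security linter in JavaScript that reports the kinds of calls a security ruleset flags (dynamic eval, a RegExp built from a non-literal, a shell command built from a non-literal), supports an inline suppression comment for the tuning step, and produces a pass/fail result a CI job can act on. The rule ids, the `sast-allow` marker, and the sample source it scans are all invented for this illustration; a real tool parses the code into a syntax tree rather than matching lines with regular expressions.

```javascript
'use strict';

// Toy security linter (example only). Each rule matches a call and captures
// its argument list; literalOk rules are only reported when the first
// argument is not a plain string literal. Rule ids are invented here.
const RULES = [
  {
    id: 'no-eval',
    call: /\beval\s*\(([^)]*)\)/,
    literalOk: false, // any eval() is reported
    msg: 'eval() runs arbitrary code; use JSON.parse or a real parser',
  },
  {
    id: 'non-literal-regexp',
    call: /\bnew\s+RegExp\s*\(([^)]*)\)/,
    literalOk: true, // a literal pattern is fine
    msg: 'RegExp built from a non-literal; attacker-controlled patterns risk ReDoS',
  },
  {
    id: 'non-literal-exec',
    call: /\bexec\s*\(([^)]*)\)/, // "exec(" only, so execFile( is not matched
    literalOk: true,
    msg: 'exec() with a non-literal command; prefer execFile with an argument array',
  },
];

// Return the first call argument, splitting on the first comma that is
// outside quotes (string escapes are ignored: this is a toy).
function firstArg(argText) {
  let quote = null;
  for (let i = 0; i < argText.length; i++) {
    const c = argText[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if (c === "'" || c === '"' || c === '`') {
      quote = c;
    } else if (c === ',') {
      return argText.slice(0, i);
    }
  }
  return argText;
}

// True unless the argument is exactly one plain string literal or a
// template literal with no ${...} interpolation.
function isNonLiteral(argText) {
  const t = argText.trim();
  if (/^(['"])(?:(?!\1).)*\1$/.test(t)) return false;
  if (/^`[^`]*`$/.test(t) && !t.includes('${')) return false;
  return true;
}

// Scan source line by line. A finding on a line that ends with
// "// sast-allow: <rule-id> <reason>" is recorded as suppressed instead of
// reported; disabledRules turns rules off globally (the tuning knob).
function scan(source, { disabledRules = [] } = {}) {
  const findings = [];
  const suppressed = [];
  source.split('\n').forEach((text, i) => {
    const code = text.split('//')[0]; // crude comment stripping (breaks on "http://")
    const allow = text.match(/\/\/\s*sast-allow:\s*([\w-]+)/);
    for (const rule of RULES) {
      if (disabledRules.includes(rule.id)) continue;
      const m = rule.call.exec(code);
      if (!m) continue;
      if (rule.literalOk && !isNonLiteral(firstArg(m[1]))) continue;
      const finding = { line: i + 1, rule: rule.id, msg: rule.msg, text: text.trim() };
      if (allow && allow[1] === rule.id) suppressed.push(finding);
      else findings.push(finding);
    }
  });
  return { findings, suppressed };
}

// What a CI step would do with the result: fail the build on any finding.
function exitCode(result) {
  return result.findings.length > 0 ? 1 : 0;
}

// Constructed sample input: unsafe calls beside their safer equivalents.
const SAMPLE = [
  "const { exec, execFile } = require('child_process');",
  'const config = eval(body);',
  'const config2 = JSON.parse(body);',
  'const re = new RegExp(req.query.q);',
  "const re2 = new RegExp('^[a-z]+$');",
  "exec('ls -la ' + userDir);",
  "execFile('ls', ['-la', userDir]);",
  "exec('git status');",
  'const legacy = new RegExp(TRUSTED_CONST); // sast-allow: non-literal-regexp reviewed, constant',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const result = scan(SAMPLE);
  for (const f of result.findings) {
    console.log(`${f.line}: [${f.rule}] ${f.msg}\n    ${f.text}`);
  }
  console.log(`${result.findings.length} finding(s), ${result.suppressed.length} suppressed, exit ${exitCode(result)}`);
}
```

Run with `node` to see lines 2, 4 and 6 of the sample reported, line 9 counted as suppressed, and a non-zero exit code for CI. The suppression comment carries a reason on purpose: when tuning a real tool, each false-positive suppression should be reviewable, and a rule that needs suppressing everywhere is a candidate for `disabledRules` rather than dozens of inline markers.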
A longer write-up is on the blog, and there is an associated YouTube video.
The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.
Topic requests are welcome.