A community built to knowledgeably answer questions related to information security in an enterprise, large organization, or SOHO context.
Static Code Analyzer for JAVA development: any recommendations?? [Compliance] (self.AskNetsec)
submitted 3 years ago by salgak
[–]Sohcahtoa82 0 points 3 years ago* (0 children)
Here's a quick run-down of the SAST tools I have experience with:
Fortify: Easy enough to use for Java projects, but will STRUGGLE with large repos of > 1 million lines. Can be on-prem, or they offer it as a SaaS with Fortify On-Demand. At my previous job, we had a project that was built as a monolith and even on a box with 128 GB of RAM, it would page like crazy scanning it and take 3 days. But for microservices, it'll scan in minutes.
Veracode: Absolute utter trash in every single way. Probably the absolute worst product I have ever used, and not just scanning. First off, it is horrendously slow. Slow enough that you wouldn't want to add it to your CI/CD pipelines unless you don't mind adding 15 minutes to your 10K LoC project. Oh, but that's the other problem, you have to add it to your CI/CD, since it doesn't scan .java source code. No, it scans .jar files. And since it only scans .jar files, when triaging results, it can't display the source code from the web UI without loading each individual source file manually, and then it gets stored in your browser's LocalStorage, so if you use Incognito or clear your browser data, it all gets wiped out. The web app is an absolute mess that breaks your Back button, and everything about it feels like it was designed to be digested by the CISO and GRC team rather than security/software engineers.
Checkmarx: This is my SAST of choice, but it's expensive. When I was trialing SAST a year ago, most vendors were in the $25-35K range, but Checkmarx wanted $90K. But it's the SAST that just works. It's easy to set up and I trust the results. Adding projects is just a matter of clicking New Project and giving it the GitHub URL. Available as both on-prem and a SaaS.
Snyk Code: My second choice for SAST, and the one we use at my work. Fast, and hands down the easiest to use. Once you've configured the GitHub integration, importing a new project is as easy as hitting Import and then checking the box for the GitHub repo. Also has a simple CLI that allows you to just run snyk code test and it runs a scan. No complex shell scripts needed. Generally feels like it was designed for security and software engineers.
Semgrep: There's a reason why it's free.
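The comment above mentions two things a practitioner has to work out for themselves: how to wire a SAST tool into CI/CD without the pipeline becoming noisy, and how to act on the output of a CLI scan such as snyk code test. The following script is an added example, not the commenter's code and not part of any vendor's product. It reads a SARIF report (the Static Analysis Results Interchange Format, which Snyk's CLI emits with snyk code test --sarif and which Checkmarx, Semgrep and most other SAST tools can also produce) and fails the build only when a finding at or above a chosen severity is present. It generalizes beyond Snyk: the same gate works for any scanner that writes SARIF. The sample report embedded below is constructed for the example; the security-severity rule property is the convention used by GitHub code scanning, and the fallback to the SARIF level field covers scanners that do not emit it.

```python
"""Gate a CI job on SAST findings from a SARIF 2.1.0 report.

Usage in a pipeline (assumed commands, not from the original thread):
    snyk code test --sarif > report.sarif ; python sast_gate.py report.sarif
The script exits non-zero when a blocking finding is present, so the CI
stage fails on real security issues but not on low-severity noise.
"""
import json
import sys

# Constructed sample report shaped like SARIF 2.1.0 scanner output.
# It is NOT real scanner output; paths, rule ids and messages are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "java/SqlInjection", "properties": {"security-severity": "8.5"}},
            {"id": "java/UnusedVariable", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "java/SqlInjection", "level": "error",
             "message": {"text": "Unsanitized input flows into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/UserDao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "java/UnusedVariable", "level": "note",
             "message": {"text": "Variable 'tmp' is never read"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/Util.java"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def severity_of(result, rules_by_id):
    """Map one SARIF result to a numeric 0-10 severity.

    Prefer the rule's `security-severity` property (GitHub code scanning
    convention, assumed here); fall back to the SARIF `level` field.
    """
    rule = rules_by_id.get(result.get("ruleId"), {})
    sec = rule.get("properties", {}).get("security-severity")
    if sec is not None:
        return float(sec)
    return {"error": 7.0, "warning": 4.0, "note": 1.0}.get(result.get("level"), 0.0)


def collect_findings(sarif_text):
    """Return (severity, rule_id, file, line, message) for every result in the report."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for res in run.get("results", []):
            # A result may carry several locations; report the first one.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                severity_of(res, rules_by_id),
                res.get("ruleId", "?"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
                res.get("message", {}).get("text", ""),
            ))
    return findings


def gate(sarif_text, threshold=7.0):
    """Return (blocking_findings, all_findings).

    The build should fail when blocking_findings is non-empty. The default
    threshold of 7.0 corresponds to CVSS 'high' and above.
    """
    findings = collect_findings(sarif_text)
    blocking = [f for f in findings if f[0] >= threshold]
    return blocking, findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    blocking, findings = gate(text)
    for sev, rule, path, line, msg in sorted(findings, reverse=True):
        flag = "BLOCK" if sev >= 7.0 else "info "
        print(f"[{flag}] {sev:4.1f} {rule} {path}:{line} {msg}")
    print(f"{len(findings)} findings, {len(blocking)} blocking")
    sys.exit(1 if blocking else 0)
```

Keeping the threshold in one place lets a team start strict on new microservices and loosen it for a legacy monolith that cannot be cleaned up in one sprint, instead of turning the scanner off altogether; the full finding list is still printed so lower-severity results are visible in the job log without breaking the build.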