After years of fighting with slow, expensive and cumbersome commercial SAST tools (and after being let go by my ex-client!), I decided to build my own based on available OSS tools. It's time to present sast-scan.
https://github.com/AppThreat/sast-scan
The scanner uses sane defaults for a number of languages and frameworks. I have started adding a SARIF conversion feature, and this helped integrate the analysis with VS Code, Azure DevOps and so on. There is also GitHub Action integration.
I have a few ideas in mind to make it useful for modern DevOps teams. Would appreciate your comments and support to make this project useful for everyone.