In June 2021, Synopsys officially released Rapid Scan Static, a feature of Code Sight™ SE and Coverity® by Synopsys and powered by the Sigma scan engine. Rapid Scan Static reduces the noise and friction for developers by providing fast results that enable them to take action earlier in the software development life cycle (SDLC). In addition to speed, it brings ease-of-use, rapid language/framework upkeep (24 releases thus far), and integrations.
Rapid Scan Static provides near real-time results inside the IDE as well as rapid responses to pull and merge requests. In cloud-native deployments where such applications are often containerized with infrastructure-as-code (IaC), Rapid Scan Static’s small footprint allows the scanner to be dropped in easily.
In the feature’s first year, it has grown tremendously and already packs a big punch in IaC and API safety: As of version 2022.6.0, there are 1,343 checkers. This blog post looks back at the year that has been and offers a glimpse into the future of what Rapid Scan Static could do.
Vision for extremely fast and lightweight SAST
The same team that built the Coverity engine designed Rapid Scan Static from the ground up to be fast. This was done by leveraging decades of experience parsing source code, generating abstract representations, computing callgraphs, and crafting checkers with extreme parallelism. The scanner binary is a mere 40MB today because being fast and lightweight are its key pillars. Figure 1 shows a scan for the popular Hadoop codebase; it took 20 seconds to scan roughly 1,200 Java and JavaScript source files.
Ease of use
From its inception, the Rapid Scan Static team prioritized ease of use. Minimizing friction at all points of deployment and use is a crucial part of our shift-left philosophy when using static analysis to write and deploy secure code.
First, Rapid Scan Static is a lightweight analysis tool with a small binary and no complicated configuration. No build or compiler-specific configuration is needed to properly capture source files. The user can just point it at the source directory or repository. Similarly, it runs out-of-the-box with a sensible set of default checkers, which means that no analysis configuration is needed to obtain useful results right away.
Second, Rapid Scan Static can be deployed in different ways depending on customer needs.
- Run it as a standalone binary (in containers or build agents) with results pushed into Coverity Connect for viewing and triaging.
- Use it inside VS Code via Code Sight™ to provide more immediate feedback to developers.
- Drop it into CI/CD pipelines via GitHub, GitLab, and Jenkins plugins to gate merge requests.
Rapid Scan Static is also integrated into Coverity, so Coverity customers can obtain findings automatically, starting with Coverity 2021.9. Coverity customers can also upgrade the bundled Sigma binary without making any changes to their larger Coverity installation.
Figure 2 shows Code Sight in VS Code. In this example, the root volume in this AWS WorkSpace is not encrypted. The popup gives precise information about the vulnerability as well as remediation advice. Furthermore, a user can click the Autofix action in the gutter to automatically fix this vulnerability.
Finally, Rapid Scan Static is blazingly fast and accurate. It can analyze large benchmarks in seconds while reporting very few incorrect defects. This saves the user time both in obtaining results and in triaging them because they don’t have to waste time dismissing false positives.
Infrastructure-as-Code and API safety
Rapid Scan Static started as a tool to identify issues in IaC. However, it quickly expanded its coverage to include API safety checks for insecure connections, cryptographic issues, weak authentication/authorization settings, sensitive information leakage, and more.
The engine initially supported the most popular IaC technologies like Terraform and CloudFormation, but it has expanded to include Ansible, ARM templates, Kubernetes with Helm charts, and Dockerfiles. Today, Rapid Scan Static provides a wide range of checkers for different types of IaC technologies, covering configurations for major cloud providers such as AWS, Azure, and GCP.
In addition to IaC templates, Rapid Scan Static also supports Java and JavaScript SDKs for cloud providers and can identify configuration issues if the cloud resources are created using a programming language. Thus, Rapid Scan Static ensures that your infrastructure is secure regardless of how it is created, declaratively or imperatively.
In today’s cloud-native applications, there are often JavaScript and source code files adjacent to the IaC configurations within the same container. Imagine a banking app in which some of the UI on the phone is done in HTML and JavaScript, served from within the cloud while the app receives JavaScript code to make a React Native call. Under such a scenario, the more complete solution is to scan the IaC as well as all the source code that makes up the overall system. Rapid Scan Static guards against such unsafe use of React from an API safety perspective.
Synopsys Quality Award
Every year, Synopsys honors an internal team with a Quality Award that recognizes innovation in the development process that led to improved product quality. The Rapid Scan Static team won this award in 2021 for strongly taking up the shift-left philosophy (shape your development process such that you find bugs and vulnerabilities as early as possible), for ensuring that the engine remains within its strict nonfunctional requirements, and for optimizing the release process.
The measures taken indeed lead to a high-quality engine. Very few bugs in Rapid Scan Static have been reported by customers in its first year, even though the engine has been exposed to the majority of Coverity customers. The 24 bi-weekly releases so far have shipped like clockwork, and the engine is still lightning fast and lightweight.
Rapid Scan Static's rapid release cycle allows you to address bugs and security vulnerabilities quickly and with minimal disruption. It also allows you to react to changes in the SAST landscape.
Trojan Source
In November 2021, the Trojan Source vulnerability was published. This vulnerability allows malicious actors to sneak exploitable code into applications and libraries by making the code look benign in editors and web applications using special Unicode characters.
To help our customers prevent Trojan Source from sneaking into their codebases, we released a special checker with the next Rapid Scan Static version in just two weeks. An enterprise customer, while scanning the Linux distributions used by its flagship products, was able to find the Trojan Source vulnerability in less than a minute.
Swift 5.6
When Swift 5.6 was released in March 2022, users of Rapid Scan Static did not need to upgrade to keep their scans working, because Rapid Scan Static can tolerate new language grammar while allowing existing checkers to continue to function. We also add new checkers as warranted to provide additional coverage. In the event of breakages from new language grammar, we provide support through our rapid release cadence. In short, we minimize the cost of programming language updates for our customers.
Conclusion
Rapid Scan Static has another feature and capability-packed year ahead. On the horizon is the Sigma engine being leveraged in Black Duck® Binary Analysis, and a broad expansion of secrets and hard-coded credentials detection.
In the long run, our goal is to add coverage for many languages, frameworks, and technologies for which a fast SAST engine can play an important role in securing software. This includes use within the IDE, pull and merge requests, software composition analysis, and cloud-native deployments in CI/CD pipelines.
If you are a Coverity customer, you can experience Rapid Scan Static by filtering defects within Connect™ for checkers with the SIGMA keyword prefix. You can also download the Sigma binary via the Synopsys community site. Drop it inside containers or scan any source file or folder to experience the speed. Your license also allows you to use Code Sight SE within VS Code, which enables you to see near real-time results as you code.
For readers who are new to Synopsys SAST products, Code Sight SE can be experienced as a standalone through the VS Code extensions marketplace.
Continue Reading
