Using Code Sight and Rapid Scan Static, DevSecOps teams can identify vulnerabilities and fixes as they code without leaving the IDE.
Imagine you are developing an application, whether it's a web, mobile, or desktop app, and your IDE informs you of security vulnerabilities as you code. The release of Code Sight 2022.9.0 for VS Code and IntelliJ makes that a reality. With Synopsys' industry-leading static application security testing (SAST) engine powering Code Sight's Rapid Scan Static, no configuration or tuning is required. It performs genuine taint flow analysis, not just linting. Fixes for the vulnerabilities are also confirmed in real time. If you are on a security team or are the security champion, you will appreciate having the fix confirmed without chasing it down in the next security review.
Code Sight analyzes your projects in real time, as you write code, so that you can see new vulnerabilities and fixes as you type. The lightweight scan engine minimizes resource consumption and maximizes speed so you can remediate quickly before pushing vulnerable code downstream. You can access detailed risk information and remediation advice alongside the source code in the IDE, which helps you keep the context of the issue and learn more secure development techniques.
One of the most impactful examples of this is the taint flow checks, which clearly list the events that describe the full flow of user-controlled data, from the source where it enters the program to the sink where it is used, so that you can understand the issue and implement the right fix the first time. With the Code Sight IDE plugin, finding and fixing security vulnerabilities without breaking your workflows has never been this fast.
We developed Code Sight's SAST engine for speed from the ground up. It builds upon the effective, resilient frameworks and APIs that have benefited Synopsys Coverity for years.
Rapid Scan Static currently has a set of 24 taint flow checkers for Java that will help you find vulnerabilities such as SQL Injection, Path Traversal, and Command Injection. The team is currently hard at work adding more checkers and bringing taint flow analysis to other languages that Rapid Scan Static supports. In terms of modeling, the current engine focuses on the dominant framework for Java web application development, Spring. Of course, we plan to evolve our support for Spring and expand to other frameworks.
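To illustrate the kind of source-to-sink path a taint flow checker reports, here is an added example (hypothetical code written for this article, not Synopsys product code): a Spring controller in which a request parameter reaches a JDBC query sink, followed by the parameterized form that removes the flow. The controller, endpoint paths, and table name are assumptions.

```java
// Hypothetical example (not Synopsys code): a taint flow from a Spring
// request parameter into a JDBC query, and the fix that breaks the flow.
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;
import java.util.Map;

@RestController
public class UserLookupController {
    private final JdbcTemplate jdbc;

    public UserLookupController(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Vulnerable: a SQL Injection taint flow checker would report events like:
    //   1. source: 'name' is user-controlled (@RequestParam)
    //   2. propagation: 'name' is concatenated into 'sql'
    //   3. sink: 'sql' is passed to JdbcTemplate.queryForList
    @GetMapping("/users/search-unsafe")
    public List<Map<String, Object>> searchUnsafe(@RequestParam String name) {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return jdbc.queryForList(sql);
    }

    // Fixed: the query text is a constant and the user value is bound as a
    // parameter, so no tainted data reaches the SQL sink and the finding clears.
    @GetMapping("/users/search")
    public List<Map<String, Object>> searchSafe(@RequestParam String name) {
        String sql = "SELECT id, name FROM users WHERE name = ?";
        return jdbc.queryForList(sql, name);
    }
}
```

The same source-propagation-sink pattern applies to the Path Traversal and Command Injection checkers mentioned above, with the sink being a file or process API instead of a query.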
If you are excited to try out this new feature, you can easily install Code Sight now and start securing code and open source within minutes. Download Synopsys Code Sight from the VS Code Marketplace or from the JetBrains Marketplace (IntelliJ) and jump in with a free trial, or import your team’s license if you are already a Synopsys Coverity or Synopsys Black Duck user. Avoid pushing vulnerable code into code review, or even onto your main product branch. Instead, find and fix vulnerabilities as they are introduced, right there in the IDE, with Synopsys Code Sight.
Rody Kersten is a software engineering manager at Synopsys. With his team, he works on the Sigma static analysis engine, also known as Rapid Scan Static. He has received an M.Sc. (2010) and Ph.D. (2015) in Computer Science from Radboud University Nijmegen in The Netherlands. He is a former Postdoctoral Researcher at Carnegie Mellon University, and a former Assistant Professor at Open University of the Netherlands. His research interests include static analysis, formal verification, symbolic execution, and fuzz testing, with a focus on software resource consumption (time, memory, energy). As a software engineer, he has contributed to a variety of software analysis applications, including Synopsys' industry-leading Static Application Security Testing product Coverity.