Agreed that for static code analysis tools, key features include:
- The ease of setting up and running static code analysis
- Integration into CI/CD systems
- Differential analysis for speed and efficiency
- The ability to support huge codebases
- Support for all coding languages that we use
- No need to pre-process code prior to scanning
Importance of the following:
- Have a consistent pricing model from your Static Application Security Testing (SAST) tool vendor: very important
- Have a SAST tool that can be executed via flexible deployment options (Desktop/IDE/CI/Cloud/Containers): important
- Have customizable quality reports and analysis: important
- Get accurate, noise-free reports: important
Said that audit- and/or stakeholder-ready scan results help to speed up release cycles and shorten time to market.
They are not comfortable with sharing and uploading their source code to a SAST tool vendor's cloud.
Security and safety coding standards coverage most important to them:
Enterprise console and reporting framework capabilities they value the most:
- Control access permissions and approval workflows
- Prioritize defects based on severity, location, and lifecycle