They are not comfortable with sharing and uploading their source code to a SAST tool vendor's cloud.
- Security and safety coding standards coverage most important for them:
Importance of the following:
- Have a consistent pricing model from your Static Application Security Testing (SAST) tool vendor: very important
- Have a SAST tool that can be executed via flexible deployment options (Desktop/IDE/CI/Cloud/Containers): important
- Have customizable quality reports and analysis: very important
- Get accurate, noise-free reports: very important
Said that audit- and/or stakeholder-ready scan results help speed up release cycles and shorten time to market.
Enterprise console and reporting framework capabilities they value the most:
- Defining global or project-specific QA and security objectives and rule configurations
- Compliance and security reports
- Prioritize defects based on severity, location, and lifecycle
Level of agreement on key features for static code analysis tools:
- The ease of setting up and running static code analysis: strongly agree
- Integration into CI/CD systems: strongly agree
- Differential analysis for speed and efficiency: agree
- The ability to support huge codebases: agree
- Support for all coding languages that we use: strongly agree
- No need to pre-process code prior to scanning: strongly agree