DOMAIN:SECURITY:TOOLS
OWNER: julian
UPDATED: 2026-03-18
SAST (Static Analysis)
TOOL:SEMGREP [PRIMARY]
LANGUAGES: JS/TS, Python, Go, Java, Ruby, PHP
RULESETS: p/owasp-top-ten, p/security-audit, p/typescript
STRENGTH: custom YAML rules — write GE-specific patterns
LIMITATION: no taint analysis in free tier (Semgrep Pro has it)
INTEGRATION: CLI, GitHub Actions, VS Code extension
USE_FOR: custom security rules, coding standards enforcement, GDPR patterns (flag PII logging)
RUN: semgrep --config p/owasp-top-ten --config p/security-audit .
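An added example of the kind of GE-specific custom rule the STRENGTH and USE_FOR lines refer to (written for this page, not taken from the Semgrep registry or any GE rule repo): it flags arguments or object properties named like PII when they reach a console or logger call. The rule id, the method list and the PII name regex are assumptions to adapt to the codebase.

```yaml
rules:
  - id: ge-gdpr-pii-logged   # assumed id, not an existing registry rule
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      "$PII" looks like personal data and is passed to a log sink.
      Logged PII falls under GDPR retention and erasure obligations:
      mask the value or drop it from the log call.
    metadata:
      category: security
      cwe: "CWE-532: Insertion of Sensitive Information into Log File"
      references:
        - https://cwe.mitre.org/data/definitions/532.html
    patterns:
      # Any logging method on console or on a logger object (winston, pino, custom wrapper)
      - pattern-either:
          - pattern: console.$METHOD(..., $OBJ.$PII, ...)
          - pattern: console.$METHOD(..., $PII, ...)
          - pattern: $LOGGER.$METHOD(..., $OBJ.$PII, ...)
          - pattern: $LOGGER.$METHOD(..., $PII, ...)
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(log|info|warn|error|debug|trace)$
      # The bare argument, or the property read from an object, is named like PII.
      # Name list is an assumption; extend it with the identifiers used in GE code.
      - metavariable-regex:
          metavariable: $PII
          regex: (?i)^(e_?mail|phone(_?number)?|ssn|national_?id|passport(_?no)?|iban|dob|date_?of_?birth|home_?address)$
```

Validate the rule with `semgrep --test` against a sibling `.js` file whose offending lines carry a `// ruleid: ge-gdpr-pii-logged` annotation, and run it in CI with `--config ./path/to/rule.yaml` alongside the registry rulesets.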
TOOL:ESLINT_SECURITY
PACKAGES: eslint-plugin-security, eslint-plugin-no-unsanitized, @microsoft/eslint-plugin-sdl
USE_FOR: inline developer feedback, pre-commit hooks
SCOPE: JS/TS only
TOOL:SONARQUBE
STRENGTH: security hotspots with taint analysis, quality gates
LIMITATION: Community Edition lacks full OWASP/SANS mapping
USE_FOR: code quality + security combined dashboard
TOOL:CODEQL
STRENGTH: deep semantic analysis, data flow tracking
LIMITATION: free only for public repos; needs GitHub Advanced Security for private
USE_FOR: complex vulnerability patterns that pattern-matching misses
TOOL:BANDIT
SCOPE: Python only
USE_FOR: eval, exec, hardcoded passwords, weak crypto
RUN: bandit -r ./python_code/
TOOL:CHECKOV
SCOPE: Terraform, CloudFormation, K8s manifests, Dockerfiles, Helm charts
STRENGTH: CIS Benchmark checks built in, policy-as-code
USE_FOR: infrastructure security scanning
RUN: checkov -d .
SCA (Dependency Scanning)
TOOL:TRIVY [RECOMMENDED]
SCOPE: container images, filesystems, git repos, K8s manifests
STRENGTH: single tool for image + dependency + IaC + secrets scanning
EXTRAS: SBOM generation (CycloneDX/SPDX)
RUN: trivy fs . --severity CRITICAL,HIGH
RUN: trivy image <image:tag>
RUN: trivy fs --format cyclonedx --output sbom.cdx.json .   (`trivy sbom` scans an existing SBOM; generation is `--format cyclonedx|spdx-json` on `fs`/`image`)
TOOL:NPM_AUDIT
SCOPE: direct npm dependencies
LIMITATION: no transitive analysis, no license checking, noisy
USE_FOR: basic CI gate — supplement with Trivy or Snyk
TOOL:SNYK
STRENGTH: best vulnerability DB, fix PRs, license compliance, reachability analysis
USE_FOR: when you need to confirm if a CVE is actually reachable from your code
TOOL:SOCKET_DEV
SCOPE: npm, PyPI
STRENGTH: detects supply chain attacks beyond CVEs — typosquatting, install scripts, obfuscation
USE_FOR: new dependency evaluation
TOOL:RENOVATE
USE_FOR: automated dependency update PRs
ADVANTAGE_OVER_DEPENDABOT: more configurable, auto-merge for patches, monorepo support
ACCESSIBILITY
TOOL:AXE_CORE [INDUSTRY STANDARD]
COVERAGE: ~57% of programmatically testable WCAG 2.1 AA issues
INTEGRATION: @axe-core/playwright, cypress-axe, browser extension
CRITICAL: automated pass != accessible. catches structure, misses interaction/UX
RUN: npx @axe-core/cli https://localhost:3000
TOOL:PA11Y
TYPE: CLI/CI tool wrapping HTML_CodeSniffer or axe
USE_FOR: CI pipeline integration
RUN: pa11y https://localhost:3000
TOOL:WAVE
TYPE: browser extension
USE_FOR: visual overlay of issues in context, manual review
TOOL:LIGHTHOUSE
TYPE: Chrome DevTools built-in
USE_FOR: quick accessibility score (uses axe-core internally)
MANUAL:SCREEN_READERS [MANDATORY]
NVDA: Windows, free — primary testing tool
VOICEOVER: macOS/iOS, built-in — test with Safari
JAWS: Windows, commercial — enterprise standard
NOTE: automated catches <40%. screen reader testing is NOT optional.
TOOL:COLOUR_CONTRAST_ANALYSER
SOURCE: TPGi
USE_FOR: WCAG contrast ratio (4.5:1 normal text, 3:1 large text)
SECRETS
TOOL:GITLEAKS [RECOMMENDED]
USE_FOR: pre-commit hooks + CI scanning
CONFIG: .gitleaks.toml
RUN: gitleaks detect --source .
TOOL:TRUFFLEHOG
STRENGTH: deep git history scanning, finds secrets in old commits
USE_FOR: initial repository audit, onboarding
RUN: trufflehog git file://. --only-verified
TOOL:DETECT_SECRETS
STRENGTH: baseline-aware — won't re-flag known/allowlisted secrets
USE_FOR: pre-commit in repos with historical secrets
KUBERNETES
TOOL:KUBE_BENCH
WHAT: CIS Kubernetes Benchmark checks
RUN_AS: Job or DaemonSet
RUN: kube-bench run --targets node,master
TOOL:KUBESCAPE
WHAT: NSA/CISA hardening guide + CIS Benchmark + MITRE ATT&CK for K8s
RUN: kubescape scan framework nsa
TOOL:FALCO
WHAT: eBPF runtime security monitoring
DETECTS: shell in container, unexpected network, sensitive file access
USE_FOR: production runtime anomaly detection
TOOL:KYVERNO
WHAT: K8s admission controller, policy enforcement
USE_FOR: no-privileged containers, required labels, image source restrictions
ADVANTAGE: YAML-based, lower learning curve than OPA/Rego
DAST (Dynamic Testing)
TOOL:OWASP_ZAP
TYPE: open-source DAST proxy
USE_FOR: automated scanning, manual testing, API scanning
TOOL:BURP_SUITE
TYPE: commercial DAST
USE_FOR: deep manual security testing (more powerful than ZAP)
HTTP_SECURITY
TOOL:SECURITYHEADERS — securityheaders.com — quick header check
TOOL:MOZILLA_OBSERVATORY — comprehensive HTTP security config check
TOOL:SSL_LABS — Qualys TLS configuration testing and grading
PIPELINE:SELECTION
ON_PROJECT_ONBOARDING
RUN: trivy (all images + deps)
RUN: gitleaks (full git history)
RUN: kube-bench (cluster)
RUN: lighthouse (accessibility)
RUN: securityheaders.com (all public endpoints)
ON_EVERY_PR
RUN: semgrep (custom + owasp-top-ten)
RUN: eslint security plugins
RUN: trivy fs (dependencies)
RUN: axe-core via playwright
RUN: gitleaks (changed files only)
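An added GitHub Actions workflow (written for this page, not taken from any of the listed projects) wiring the ON_EVERY_PR stage as blocking checks: semgrep with the registry rulesets plus an assumed in-repo `.semgrep/` rules directory, the ESLint security plugins, `trivy fs` at CRITICAL/HIGH, and gitleaks over the PR's commits. The axe-core/playwright step is omitted because it needs the app running; the action version pins are assumptions to re-verify before use.

```yaml
name: pr-security-gate
on:
  pull_request:
permissions:
  contents: read
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # Registry rulesets + GE-specific rules (assumed to live in ./.semgrep/).
      # --error makes semgrep exit non-zero on findings, so the PR check fails.
      - run: >
          semgrep scan --error
          --config p/owasp-top-ten --config p/security-audit
          --config ./.semgrep/
  eslint-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Assumes the repo's ESLint config already loads the security plugins above
      - run: npm ci && npx eslint . --max-warnings 0
  trivy-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Same gate as "trivy fs . --severity CRITICAL,HIGH"; exit-code 1 blocks the merge
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          exit-code: "1"
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the PR's commit range can be diffed
      # gitleaks-action limits the scan to the commits the event introduced (assumption: check its README)
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Mark all four jobs as required status checks on the protected branch, otherwise a failing job only annotates the PR and does not gate the merge.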
ON_PRE_RELEASE
RUN: trivy (full: images + deps + IaC)
DO: manual code review (auth, data handling)
DO: screen reader testing (NVDA + VoiceOver)
RUN: OWASP ZAP automated scan
DO: colour contrast check on new UI
DO: cookie consent verification
FALSE_POSITIVE_RATES
SAST_PATTERN_MATCHING: 30-70% FP — mitigate with custom rules, documented suppressions
SAST_TAINT_ANALYSIS: 10-30% FP — better but still needs triage
SCA_CVE_MATCHING: 20-50% FP context-dependent — use reachability analysis
ACCESSIBILITY_AUTO: low FP but HIGH false negatives — always supplement manual
SECRETS_DETECTION: 10-20% FP — use baseline files, custom allowlists
IF signal-to-noise ratio drops below 50% THEN developers ignore all findings THEN tool is counterproductive
TRACK: signal-to-noise ratio as KPI per project