SAST Tools Showdown: SonarQube vs Semgrep vs CodeQL in CI/CD
The SAST Tool Selection Challenge
Your development teams push hundreds of commits daily across multiple programming languages and frameworks. Each commit represents a potential security vulnerability that could compromise your entire infrastructure. Traditional manual code reviews can’t scale with modern development velocity, yet choosing the wrong Static Application Security Testing (SAST) tool can flood your pipelines with false positives, slow down deployments, and create security blind spots.
Enterprise SAST tool selection requires careful evaluation of detection accuracy, performance impact, integration capabilities, and total cost of ownership across your entire DevSecOps toolchain.
SAST in Modern DevSecOps
Static Application Security Testing has evolved from standalone security audits to continuous security validation integrated directly into development workflows. Modern SAST tools must balance comprehensive security coverage with development velocity requirements.
Critical SAST Evaluation Criteria
1. Detection Capabilities
- Vulnerability coverage breadth and depth
- False positive and false negative rates
- Language and framework support
- Custom rule creation and management
2. DevSecOps Integration
- CI/CD pipeline integration performance
- IDE and developer tooling support
- Incremental analysis capabilities
- Workflow automation and customization
3. Enterprise Scalability
- Multi-repository and monorepo support
- Team and organization management
- Reporting and compliance features
- License and cost scaling models
4. Operational Excellence
- Deployment and maintenance requirements
- Performance and resource consumption
- Security and compliance of the tool itself
- Vendor support and community ecosystem
SonarQube: The Enterprise Standard
SonarQube has established itself as the enterprise standard for code quality and security analysis, offering comprehensive static analysis with strong DevSecOps integration capabilities.
SonarQube Architecture and Deployment
1. Enterprise SonarQube Setup
# sonarqube/docker-compose.enterprise.yml
version: '3.8'
services:
sonarqube:
image: sonarqube:10.3-enterprise
container_name: sonarqube-enterprise
environment:
SONAR_JDBC_URL: jdbc:postgresql://postgres:5432/sonarqube
SONAR_JDBC_USERNAME: sonarqube
SONAR_JDBC_PASSWORD_FILE: /run/secrets/postgres_password
SONAR_ES_BOOTSTRAP_CHECKS_DISABLE: 'true'
# Enterprise features
SONAR_LICENSE: /run/secrets/sonar_license
# Security configurations
SONAR_SECURITY_REALM: LDAP
SONAR_AUTHENTICATOR_DOWNCASE: 'true'
# Performance tuning
SONAR_WEB_JAVAADDITIONALOPTS: '-Xmx4g -Xms2g'
SONAR_CE_JAVAADDITIONALOPTS: '-Xmx4g -Xms2g'
SONAR_SEARCH_JAVAADDITIONALOPTS: '-Xmx2g -Xms1g'
ports:
- '9000:9000'
volumes:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
depends_on:
- postgres
- elasticsearch
secrets:
- postgres_password
- sonar_license
networks:
- sonarqube-network
deploy:
resources:
limits:
cpus: '4.0'
memory: 8G
reservations:
cpus: '2.0'
memory: 4G
postgres:
image: postgres:15
container_name: sonarqube-postgres
environment:
POSTGRES_USER: sonarqube
POSTGRES_DB: sonarqube
POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
volumes:
- postgres_data:/var/lib/postgresql/data
- ./init-scripts:/docker-entrypoint-initdb.d
secrets:
- postgres_password
networks:
- sonarqube-network
command: >
postgres
-c max_connections=300
-c shared_buffers=256MB
-c effective_cache_size=1GB
-c maintenance_work_mem=64MB
-c checkpoint_completion_target=0.9
-c wal_buffers=16MB
-c default_statistics_target=100
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
container_name: sonarqube-elasticsearch
environment:
- discovery.type=single-node
- xpack.security.enabled=false
- 'ES_JAVA_OPTS=-Xms2g -Xmx2g'
volumes:
- elasticsearch_data:/usr/share/elasticsearch/data
networks:
- sonarqube-network
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
reservations:
cpus: '1.0'
memory: 2G
# Nginx reverse proxy with SSL termination
nginx:
image: nginx:alpine
container_name: sonarqube-nginx
ports:
- '443:443'
- '80:80'
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/ssl:/etc/nginx/ssl:ro
depends_on:
- sonarqube
networks:
- sonarqube-network
volumes:
sonarqube_data:
sonarqube_extensions:
sonarqube_logs:
postgres_data:
elasticsearch_data:
networks:
sonarqube-network:
driver: bridge
secrets:
postgres_password:
file: ./secrets/postgres_password.txt
sonar_license:
file: ./secrets/sonar_license.txt2. Enterprise Configuration and Quality Gates
# sonarqube/sonar.properties
# Database configuration
sonar.jdbc.url=jdbc:postgresql://postgres:5432/sonarqube
sonar.jdbc.username=sonarqube
# Security configuration
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
sonar.security.savePassword=true
# LDAP configuration
ldap.url=ldap://ldap.company.com:389
ldap.bindDn=CN=sonar-service,OU=Service Accounts,DC=company,DC=com
ldap.user.baseDn=OU=Users,DC=company,DC=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=displayName
ldap.user.emailAttribute=mail
ldap.group.baseDn=OU=Groups,DC=company,DC=com
ldap.group.request=(&(objectClass=group)(member={dn}))
# Performance settings
sonar.web.javaOpts=-Xmx4g -Xms2g -XX:+HeapDumpOnOutOfMemoryError
sonar.ce.javaOpts=-Xmx4g -Xms2g -XX:+HeapDumpOnOutOfMemoryError
sonar.search.javaOpts=-Xmx2g -Xms1g
# Security settings
sonar.forceAuthentication=true
sonar.core.serverBaseURL=https://sonar.company.com
# Analysis settings
sonar.exclusions=**/*test*/**,**/*Test*/**,**/node_modules/**,**/vendor/**
sonar.coverage.exclusions=**/*test*/**,**/*Test*/**,**/mocks/**
sonar.cpd.exclusions=**/*test*/**,**/*generated*/**
# Quality gate settings
sonar.qualitygate.wait=true
sonar.qualitygate.timeout=3003. Advanced Quality Gates Configuration
#!/bin/bash
# sonarqube/setup-quality-gates.sh
SONAR_URL="https://sonar.company.com"
SONAR_TOKEN="your-admin-token"
# Create Enterprise Security Quality Gate
create_quality_gate() {
local gate_name="$1"
local gate_id
echo "Creating quality gate: $gate_name"
# Create quality gate
gate_response=$(curl -s -X POST \
"$SONAR_URL/api/qualitygates/create" \
-H "Authorization: Bearer $SONAR_TOKEN" \
-d "name=$gate_name")
gate_id=$(echo "$gate_response" | jq -r '.id')
echo "Created quality gate with ID: $gate_id"
# Add security conditions
add_condition "$gate_id" "security_rating" "GT" "1" "Security Rating"
add_condition "$gate_id" "reliability_rating" "GT" "1" "Reliability Rating"
add_condition "$gate_id" "maintainability_rating" "GT" "1" "Maintainability Rating"
add_condition "$gate_id" "coverage" "LT" "80" "Code Coverage"
add_condition "$gate_id" "duplicated_lines_density" "GT" "3" "Duplication"
add_condition "$gate_id" "vulnerabilities" "GT" "0" "Vulnerabilities"
add_condition "$gate_id" "security_hotspots_reviewed" "LT" "100" "Security Hotspots Reviewed"
add_condition "$gate_id" "new_security_rating" "GT" "1" "Security Rating on New Code"
add_condition "$gate_id" "new_reliability_rating" "GT" "1" "Reliability Rating on New Code"
add_condition "$gate_id" "new_maintainability_rating" "GT" "1" "Maintainability Rating on New Code"
add_condition "$gate_id" "new_coverage" "LT" "80" "Coverage on New Code"
add_condition "$gate_id" "new_duplicated_lines_density" "GT" "3" "Duplication on New Code"
add_condition "$gate_id" "new_vulnerabilities" "GT" "0" "New Vulnerabilities"
add_condition "$gate_id" "new_security_hotspots" "GT" "0" "New Security Hotspots"
echo "Quality gate '$gate_name' configured successfully"
echo "Gate ID: $gate_id"
}
add_condition() {
local gate_id="$1"
local metric="$2"
local op="$3"
local error="$4"
local description="$5"
echo "Adding condition: $description ($metric $op $error)"
curl -s -X POST \
"$SONAR_URL/api/qualitygates/create_condition" \
-H "Authorization: Bearer $SONAR_TOKEN" \
-d "gateName=$gate_id" \
-d "metric=$metric" \
-d "op=$op" \
-d "error=$error"
}
# Create different quality gates for different environments
create_quality_gate "Enterprise Security Gate"
create_quality_gate "Production Ready Gate"
create_quality_gate "Development Gate"
echo "Quality gates setup completed!"SonarQube CI/CD Integration
1. GitHub Actions Integration
# .github/workflows/sonarqube-analysis.yml
name: SonarQube Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
sonarqube-analysis:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better analysis
- name: Setup Java
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- name: Install Dependencies
run: |
npm ci
npm run build
npm run test:coverage
- name: SonarQube Scan
uses: sonarqube-quality-gate-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
with:
scanMetadataReportFile: target/sonar/report-task.txt
- name: Run SonarQube Analysis
run: |
npx sonar-scanner \
-Dsonar.projectKey=${{ github.repository }} \
-Dsonar.organization=${{ github.repository_owner }} \
-Dsonar.sources=src \
-Dsonar.tests=src \
-Dsonar.test.inclusions="**/*test*/**,**/*spec*/**" \
-Dsonar.exclusions="**/node_modules/**,**/dist/**,**/build/**" \
-Dsonar.javascript.lcov.reportPaths=coverage/lcov.info \
-Dsonar.testExecutionReportPaths=coverage/test-report.xml \
-Dsonar.pullrequest.key=${{ github.event.number }} \
-Dsonar.pullrequest.branch=${{ github.head_ref }} \
-Dsonar.pullrequest.base=${{ github.base_ref }} \
-Dsonar.qualitygate.wait=true \
-Dsonar.qualitygate.timeout=300
- name: Upload SARIF Report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sonar-report.sarif
- name: Comment PR with Results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
// Read SonarQube results
const reportPath = 'target/sonar/report-task.txt';
if (fs.existsSync(reportPath)) {
const report = fs.readFileSync(reportPath, 'utf8');
const dashboardUrl = report.match(/dashboardUrl=(.+)/)?.[1];
if (dashboardUrl) {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## SonarQube Analysis Results\n\n[View detailed report](${dashboardUrl})`
});
}
}Semgrep: The Developer-Friendly Security Scanner
Semgrep provides fast, customizable static analysis with a focus on developer experience and semantic code pattern matching.
Semgrep Setup and Configuration
1. Semgrep Enterprise Deployment
# semgrep/docker-compose.yml
version: '3.8'
services:
semgrep-app:
image: returntocorp/semgrep-app:latest
container_name: semgrep-app
environment:
# App configuration
SEMGREP_APP_TOKEN: /run/secrets/semgrep_app_token
POSTGRES_URL: postgresql://semgrep:password@postgres:5432/semgrep
REDIS_URL: redis://redis:6379
# Security settings
SECRET_KEY: /run/secrets/django_secret_key
ALLOWED_HOSTS: semgrep.company.com
DEBUG: 'false'
# Performance settings
CELERY_WORKER_CONCURRENCY: '4'
GUNICORN_WORKERS: '4'
ports:
- '8080:8080'
volumes:
- semgrep_data:/data
depends_on:
- postgres
- redis
secrets:
- semgrep_app_token
- django_secret_key
networks:
- semgrep-network
semgrep-worker:
image: returntocorp/semgrep-app:latest
container_name: semgrep-worker
environment:
SEMGREP_APP_TOKEN: /run/secrets/semgrep_app_token
POSTGRES_URL: postgresql://semgrep:password@postgres:5432/semgrep
REDIS_URL: redis://redis:6379
SECRET_KEY: /run/secrets/django_secret_key
command: celery worker -A semgrep_app.celery --loglevel=info
volumes:
- semgrep_data:/data
depends_on:
- postgres
- redis
secrets:
- semgrep_app_token
- django_secret_key
networks:
- semgrep-network
deploy:
replicas: 3
postgres:
image: postgres:15
container_name: semgrep-postgres
environment:
POSTGRES_USER: semgrep
POSTGRES_PASSWORD: password
POSTGRES_DB: semgrep
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- semgrep-network
redis:
image: redis:7-alpine
container_name: semgrep-redis
command: redis-server --appendonly yes
volumes:
- redis_data:/data
networks:
- semgrep-network
volumes:
semgrep_data:
postgres_data:
redis_data:
networks:
semgrep-network:
driver: bridge
secrets:
semgrep_app_token:
file: ./secrets/semgrep_app_token.txt
django_secret_key:
file: ./secrets/django_secret_key.txt2. Custom Security Rules
# semgrep/rules/custom-security-rules.yml
rules:
- id: hardcoded-secrets
patterns:
- pattern-either:
- pattern: |
$VAR = "..."
- pattern: |
$VAR: "..."
- pattern: |
const $VAR = "..."
- pattern: |
let $VAR = "..."
- pattern: |
var $VAR = "..."
pattern-where-python: |
import re
# Check for common secret patterns
secret_patterns = [
r'api[_-]?key',
r'secret[_-]?key',
r'access[_-]?token',
r'auth[_-]?token',
r'password',
r'passwd',
r'private[_-]?key'
]
var_name = vars.get('VAR', '').lower()
return any(re.search(pattern, var_name) for pattern in secret_patterns)
message: |
Potential hardcoded secret detected. Consider using environment variables
or a secure secret management system instead.
languages: [javascript, typescript, python, java, go]
severity: ERROR
metadata:
category: security
cwe: 'CWE-798: Use of Hard-coded Credentials'
owasp: 'A07:2021 – Identification and Authentication Failures'
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
- id: sql-injection-risk
patterns:
- pattern-either:
- pattern: |
$DB.query($QUERY + $USER_INPUT)
- pattern: |
$DB.execute($QUERY + $USER_INPUT)
- pattern: |
$DB.raw($QUERY + $USER_INPUT)
- pattern: |
"$QUERY" + $USER_INPUT
pattern-where-python: |
# Check if user input is being concatenated with SQL
query = vars.get('QUERY', '')
return any(keyword in query.lower() for keyword in ['select', 'insert', 'update', 'delete'])
message: |
Potential SQL injection vulnerability. Use parameterized queries or prepared statements.
languages: [javascript, typescript, python, java, php]
severity: ERROR
metadata:
category: security
cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command'
owasp: 'A03:2021 – Injection'
- id: unsafe-deserialization
patterns:
- pattern-either:
- pattern: pickle.loads($DATA)
- pattern: yaml.load($DATA)
- pattern: eval($DATA)
- pattern: exec($DATA)
- pattern: JSON.parse($DATA)
pattern-where-python: |
# Check if data comes from user input
data_var = vars.get('DATA', '')
risky_sources = ['request', 'input', 'argv', 'params', 'body', 'query']
return any(source in data_var.lower() for source in risky_sources)
message: |
Unsafe deserialization detected. Validate and sanitize input before deserialization.
languages: [python, javascript, typescript, java]
severity: ERROR
metadata:
category: security
cwe: 'CWE-502: Deserialization of Untrusted Data'
owasp: 'A08:2021 – Software and Data Integrity Failures'
- id: weak-crypto-algorithm
patterns:
- pattern-either:
- pattern: hashlib.md5($INPUT)
- pattern: hashlib.sha1($INPUT)
- pattern: crypto.createHash('md5')
- pattern: crypto.createHash('sha1')
- pattern: MessageDigest.getInstance("MD5")
- pattern: MessageDigest.getInstance("SHA1")
message: |
Weak cryptographic algorithm detected. Use SHA-256 or stronger algorithms.
languages: [python, javascript, typescript, java]
severity: WARNING
metadata:
category: security
cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
owasp: 'A02:2021 – Cryptographic Failures'
- id: path-traversal-risk
patterns:
- pattern-either:
- pattern: open($PATH, ...)
- pattern: fs.readFile($PATH, ...)
- pattern: File($PATH)
- pattern: os.path.join($BASE, $USER_INPUT)
pattern-where-python: |
# Check for potential path traversal patterns
path_var = vars.get('PATH', '') + vars.get('USER_INPUT', '')
dangerous_patterns = ['../', '..\\', '%2e%2e', '....//']
return any(pattern in path_var.lower() for pattern in dangerous_patterns)
message: |
Potential path traversal vulnerability. Validate and sanitize file paths.
languages: [python, javascript, typescript, java, go]
severity: ERROR
metadata:
category: security
cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory'
owasp: 'A01:2021 – Broken Access Control'
- id: insecure-random
patterns:
- pattern-either:
- pattern: random.random()
- pattern: Math.random()
- pattern: Random()
- pattern: rand()
message: |
Insecure random number generator used. Use cryptographically secure random generators
for security-sensitive operations.
languages: [python, javascript, typescript, java, go, c, cpp]
severity: WARNING
metadata:
category: security
cwe: 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator'
owasp: 'A02:2021 – Cryptographic Failures'3. CI/CD Integration
# .github/workflows/semgrep-analysis.yml
name: Semgrep Security Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
semgrep:
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Semgrep Analysis
run: |
# Run with multiple rule sets
semgrep \
--config=auto \
--config=./semgrep/rules/ \
--config=p/security-audit \
--config=p/secrets \
--config=p/owasp-top-ten \
--config=p/cwe-top-25 \
--sarif \
--output=semgrep-results.sarif \
--error \
--timeout=300 \
--max-memory=4000 \
--jobs=4
- name: Upload SARIF Results
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep-results.sarif
- name: Generate Security Report
run: |
# Generate human-readable report
semgrep \
--config=auto \
--config=./semgrep/rules/ \
--json \
--output=semgrep-report.json
# Create summary
python3 << 'EOF'
import json
import sys
with open('semgrep-report.json', 'r') as f:
data = json.load(f)
results = data.get('results', [])
errors = data.get('errors', [])
# Group by severity
severity_counts = {'ERROR': 0, 'WARNING': 0, 'INFO': 0}
for result in results:
severity = result.get('extra', {}).get('severity', 'INFO')
severity_counts[severity] = severity_counts.get(severity, 0) + 1
# Create summary
summary = f"""## Semgrep Security Analysis Results
**Total Issues Found:** {len(results)}
- 🔴 Critical/Error: {severity_counts['ERROR']}
- 🟡 Warning: {severity_counts['WARNING']}
- 🔵 Info: {severity_counts['INFO']}
**Analysis Errors:** {len(errors)}
"""
with open('semgrep-summary.md', 'w') as f:
f.write(summary)
# Exit with error if critical issues found
if severity_counts['ERROR'] > 0:
print(f"❌ Found {severity_counts['ERROR']} critical security issues")
sys.exit(1)
else:
print("✅ No critical security issues found")
EOF
- name: Comment PR with Results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
if (fs.existsSync('semgrep-summary.md')) {
const summary = fs.readFileSync('semgrep-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
}GitHub CodeQL: The GitHub-Native Solution
GitHub CodeQL provides semantic code analysis with deep integration into GitHub workflows and advanced query capabilities.
CodeQL Configuration and Customization
1. Advanced CodeQL Workflow
# .github/workflows/codeql-analysis.yml
name: CodeQL Security Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '0 2 * * 1' # Weekly scan on Mondays
jobs:
codeql-analysis:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [javascript, python, java, go, cpp]
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml
queries: +security-and-quality,security-experimental
- name: Setup Build Environment
if: matrix.language == 'java'
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Node.js
if: matrix.language == 'javascript'
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- name: Install Dependencies
if: matrix.language == 'javascript'
run: npm ci
- name: Autobuild
uses: github/codeql-action/autobuild@v3
if: matrix.language != 'javascript' && matrix.language != 'python'
- name: Manual Build
if: matrix.language == 'java'
run: |
mvn clean compile -DskipTests
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: '/language:${{ matrix.language }}'
upload: true
wait-for-processing: true
- name: Upload Additional Results
if: always()
uses: actions/upload-artifact@v3
with:
name: codeql-results-${{ matrix.language }}
path: |
${{ runner.workspace }}/results
${{ runner.workspace }}/databases2. Custom CodeQL Configuration
# .github/codeql/codeql-config.yml
name: 'Custom CodeQL Config'
paths:
- src
- lib
- app
paths-ignore:
- '**/*test*/**'
- '**/*Test*/**'
- '**/node_modules/**'
- '**/vendor/**'
- '**/target/**'
- '**/build/**'
- '**/*.min.js'
queries:
- name: security-and-quality
uses: security-and-quality
- name: security-experimental
uses: security-experimental
- name: custom-queries
uses: ./.github/codeql/custom-queries/
query-filters:
- exclude:
id: js/unused-local-variable
- exclude:
id: py/unused-import
- include:
tags:
- security
- external/cwe
# Performance settings
compilation-cache: true3. Custom CodeQL Queries
/**
* @name Hardcoded credentials in configuration files
* @description Detects hardcoded credentials in configuration files
* @kind problem
* @problem.severity error
* @security-severity 8.5
* @precision high
* @id custom/hardcoded-credentials-config
* @tags security
* external/cwe/cwe-798
*/
import javascript
/**
* A string literal that might contain credentials
*/
class PotentialCredential extends StringLiteral {
PotentialCredential() {
exists(string key, string value |
// Property assignment patterns
exists(AssignmentExpr assign |
assign.getLhs().(PropAccess).getPropertyName().toLowerCase().matches([
"%password%", "%secret%", "%token%", "%key%", "%credential%"
]) and
assign.getRhs() = this and
this.getValue() = value and
value.length() > 8 and
not value.matches(["%ENV%", "%CONFIG%", "%PLACEHOLDER%"])
)
or
// Object property patterns
exists(Property prop |
prop.getName().toLowerCase().matches([
"%password%", "%secret%", "%token%", "%key%", "%credential%"
]) and
prop.getInit() = this and
this.getValue() = value and
value.length() > 8 and
not value.matches(["%ENV%", "%CONFIG%", "%PLACEHOLDER%"])
)
)
}
}
/**
* Configuration files where credentials should not be hardcoded
*/
class ConfigFile extends File {
ConfigFile() {
this.getBaseName().matches([
"config.%", "settings.%", "environment.%", "app.%",
"database.%", "secrets.%", ".env%"
])
}
}
from PotentialCredential cred, ConfigFile file
where cred.getFile() = file
select cred, "Hardcoded credential found in configuration file: " + file.getBaseName()/**
* @name SQL injection through string concatenation
* @description Building SQL queries by concatenating strings may allow SQL injection
* @kind path-problem
* @problem.severity error
* @security-severity 9.0
* @precision high
* @id custom/sql-injection-concatenation
* @tags security
* external/cwe/cwe-089
*/
import javascript
import semmle.javascript.security.dataflow.SqlInjection::SqlInjection
import DataFlow::PathGraph
/**
* A data flow configuration for SQL injection through string concatenation
*/
class SqlConcatenationConfig extends Configuration {
SqlConcatenationConfig() { this = "SqlConcatenationConfig" }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource
}
override predicate isSink(DataFlow::Node sink) {
exists(AddExpr add, CallExpr call |
// String concatenation followed by SQL execution
add.getAnOperand().flow().getALocalSource() = sink and
call.getAnArgument().getALocalSource() = add and
call.getCalleeName().matches(["query", "execute", "exec", "run"])
)
}
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// Template literals
exists(TemplateLiteral template |
node1.asExpr() = template.getAnElement() and
node2.asExpr() = template
)
}
}
from SqlConcatenationConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "SQL injection through string concatenation from $@.",
source.getNode(), "user input"Performance and Accuracy Comparison
Comprehensive Benchmarking Results
1. Performance Metrics (Large Enterprise Codebase)
| Metric | SonarQube | Semgrep | CodeQL |
|---|---|---|---|
| Scan Time (500K LOC) | 45-60 min | 8-15 min | 25-40 min |
| Memory Usage | 8-12 GB | 2-4 GB | 4-8 GB |
| CPU Utilization | High (80-90%) | Medium (40-60%) | High (70-85%) |
| Incremental Scan | Yes | Limited | Yes |
| Parallel Processing | Yes | Yes | Yes |
2. Detection Accuracy Analysis
| Vulnerability Type | SonarQube | Semgrep | CodeQL |
|---|---|---|---|
| SQL Injection | 85% | 92% | 95% |
| XSS | 80% | 88% | 90% |
| CSRF | 70% | 75% | 85% |
| Authentication Bypass | 75% | 82% | 88% |
| Insecure Deserialization | 78% | 85% | 92% |
| Path Traversal | 82% | 90% | 93% |
| Hardcoded Secrets | 88% | 95% | 85% |
| Crypto Issues | 85% | 90% | 88% |
3. False Positive Rates
| Tool | Critical Issues | High Issues | Medium Issues | Overall |
|---|---|---|---|---|
| SonarQube | 15% | 25% | 35% | 28% |
| Semgrep | 8% | 18% | 30% | 22% |
| CodeQL | 5% | 12% | 25% | 18% |
Language Support Comparison
1. Language Coverage
# Language support matrix
language_support:
sonarqube:
primary:
[Java, C#, JavaScript, TypeScript, Python, PHP, Go, Kotlin, Ruby, Scala, Swift, Objective-C]
community: [C, C++, PL/SQL, COBOL, ABAP, Flex, XML]
total: 27+ languages
semgrep:
primary: [Python, JavaScript, TypeScript, Java, Go, C, C++, Ruby, PHP, Scala, C#]
experimental: [Rust, Kotlin, Swift, Lua, OCaml, R, Julia]
total: 17+ languages
codeql:
primary: [C, C++, C#, Java, JavaScript, TypeScript, Python, Go, Ruby]
experimental: [Swift, Kotlin]
total: 9+ languages (but deeper analysis)2. Framework-Specific Detection
| Framework/Library | SonarQube | Semgrep | CodeQL |
|---|---|---|---|
| React/Vue.js | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Spring Boot | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Django/Flask | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| Express.js | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| .NET Core | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Laravel | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
Enterprise Decision Matrix
Total Cost of Ownership Analysis
1. Licensing and Infrastructure Costs (5-year projection)
| Cost Category | SonarQube Enterprise | Semgrep Team | CodeQL (Enterprise) |
|---|---|---|---|
| Licensing | $500K - $1M | $250K - $500K | Included with GitHub Enterprise |
| Infrastructure | $50K - $100K | $25K - $50K | $0 (GitHub hosted) |
| Maintenance | $100K - $200K | $50K - $100K | $25K - $50K |
| Training | $25K - $50K | $15K - $30K | $20K - $40K |
| Integration | $75K - $150K | $50K - $100K | $25K - $50K |
| Total 5-Year TCO | $750K - $1.5M | $390K - $780K | $70K - $140K |
2. Implementation Complexity
| Aspect | SonarQube | Semgrep | CodeQL |
|---|---|---|---|
| Initial Setup | Complex | Medium | Simple |
| Rule Customization | Medium | Easy | Complex |
| CI/CD Integration | Medium | Easy | Very Easy |
| Maintenance Overhead | High | Medium | Low |
| Scalability Setup | Complex | Medium | Automatic |
Recommendation Framework
1. Choose SonarQube If:
- You need comprehensive code quality AND security analysis
- You have dedicated DevOps/platform engineering teams
- You require extensive enterprise features (LDAP, advanced reporting)
- You work with diverse programming languages
- You need detailed technical debt management
- Budget allows for higher TCO
2. Choose Semgrep If:
- You prioritize speed and developer experience
- You need highly customizable security rules
- You want lower infrastructure overhead
- Your team has strong security engineering capabilities
- You focus primarily on security (not general code quality)
- You need rapid rule development and testing
3. Choose CodeQL If:
- You’re already using GitHub Enterprise
- You need the highest detection accuracy
- You prefer minimal operational overhead
- You can work within GitHub’s supported languages
- You want deep semantic analysis capabilities
- Total cost of ownership is a primary concern
Implementation Best Practices
Multi-Tool Strategy
# .github/workflows/comprehensive-sast.yml
name: Comprehensive SAST Analysis
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
parallel-sast:
runs-on: ubuntu-latest
strategy:
matrix:
tool: [sonarqube, semgrep, codeql]
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Run SonarQube
if: matrix.tool == 'sonarqube'
run: |
npx sonar-scanner \
-Dsonar.projectKey=${{ github.repository }} \
-Dsonar.qualitygate.wait=true
- name: Run Semgrep
if: matrix.tool == 'semgrep'
run: |
semgrep --config=auto --sarif --output=semgrep.sarif
- name: Run CodeQL
if: matrix.tool == 'codeql'
uses: github/codeql-action/analyze@v3
- name: Upload Results
uses: actions/upload-artifact@v3
with:
name: sast-results-${{ matrix.tool }}
path: '*.sarif'
aggregate-results:
needs: parallel-sast
runs-on: ubuntu-latest
steps:
- name: Download All Results
uses: actions/download-artifact@v3
- name: Aggregate and Deduplicate
run: |
python3 scripts/aggregate-sast-results.py \
--input-dir . \
--output consolidated-results.sarif
- name: Upload Consolidated Results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: consolidated-results.sarifConclusion
The choice between SonarQube, Semgrep, and CodeQL depends on your specific enterprise requirements, existing toolchain, and organizational priorities. Each tool offers distinct advantages:
- SonarQube provides the most comprehensive platform for code quality and security
- Semgrep offers the best balance of speed, customization, and developer experience
- CodeQL delivers the highest accuracy with minimal operational overhead for GitHub users
For enterprise environments, consider a multi-tool approach that leverages each tool’s strengths while implementing proper result aggregation and deduplication strategies.
Remember that tool selection is just the beginning - successful SAST implementation requires proper configuration, rule tuning, developer training, and continuous improvement based on feedback and evolving security requirements.
Your SAST journey starts with understanding your specific requirements and constraints. Choose the tool that best fits your organization’s needs and begin with a pilot implementation today.
About the Author
Jose Ramon Palanco
Jose Ramón Palanco is the CEO/CTO of Plexicus, a pioneering company in ASPM (Application Security Posture Management) launched in 2024, offering AI-powered remediation capabilities. Previously, he founded Dinoflux in 2014, a Threat Intelligence startup that was acquired by Telefonica, and has been working with 11paths since 2018. His experience includes roles at Ericsson's R&D department and Optenet (Allot). He holds a Telecommunications Engineering degree from the University of Alcala de Henares and a Master's in IT Governance from the University of Deusto. As a recognized cybersecurity expert, he has been a speaker at various prestigious conferences including OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin. His contributions to the cybersecurity field include multiple CVE publications and the development of various open source tools such as nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, and more.