Static Application Security Testing (SAST) in CI/CD

Many of the companies we work with have asked about Static Application Security Testing (SAST). After discovering Salus, a security scanner coordinator, we were eager to dig in and see whether it would fit the bill.

CircleCI recently released a configuration package and registry, so we wrote a CircleCI Orb (with contributions from Raphael Salas at WeWork) to run Salus as part of a CI/CD process, which was merged upstream.

It was a pleasure working with the Coinbase folks, who authored Salus, and Raphael! We're looking forward to building more around this Apache-licensed tool.

You can use it by adding the following:

.circleci/config.yml

orbs:
  salus: federacy/salus@2.5.1

workflows:
  main:
    jobs:
      - salus/scan:
          enforced_scanners: "none"
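As an added example (not from the original post, and not the orb's or Salus's own documentation), here is the snippet above placed in a complete pipeline so it can be dropped into a repository as-is. It assumes the `version: 2.1` schema, which CircleCI requires for any config that declares `orbs`, a `build` job and the `cimg/base:stable` image chosen for illustration, and Salus's documented semantics for `enforced_scanners` (`all`, `none`, or a list of scanner names, where "enforced" scanners are the ones whose failures fail the job):

```yaml
version: 2.1   # orbs are only available in the 2.1 config schema

orbs:
  salus: federacy/salus@2.5.1

jobs:
  # Minimal build job chosen for illustration; replace with the project's own.
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: echo "build and unit tests go here"

workflows:
  main:
    jobs:
      - build
      # Advisory mode, as in the post: Salus runs every active scanner and
      # reports findings, but with enforced_scanners set to "none" no scanner
      # failure blocks the pipeline. Change "none" to "all" to make any
      # scanner failure fail the job.
      - salus/scan:
          enforced_scanners: "none"
          requires:
            - build
```

Running the scan only after `build` succeeds keeps scanner noise out of builds that are already broken; starting with `"none"` is a reasonable way to baseline existing findings before switching to `"all"` and letting Salus gate merges.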

Further documentation is here: https://github.com/coinbase/salus/tree/master/integrations/circleci