This note introduces tools that scan the third-party libraries your developers use (software composition analysis, SCA) and alert you when a known vulnerability is published for a library or for one of its transitive dependencies.
-
OWASP Dependency Check
An open source tool that identifies a project's dependencies and checks them against published CVEs in the NVD. Java and .NET are fully supported; the analyzers for JavaScript, Python and several other ecosystems are marked experimental, so expect more false positives there. It runs as a CLI, as a Maven/Gradle plugin or as a CI step. It needs a local copy of the NVD data, which it downloads and caches on first run; a fully offline build therefore has to mirror that feed first.
-
GitHub Dependabot
GitHub's built-in scanner. It reads your repository's dependency graph (manifests and lock files) and raises an alert when a dependency matches an entry in the GitHub Advisory Database, both when the graph changes on a push and when a new advisory is published for a package you already use. You can also enable security updates, which open pull requests that bump the affected dependency to the nearest fixed version.
https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
-
npm audit and npm audit fix
If you write JS, run npm audit before committing. It checks every package in your dependency tree, transitive ones included, against the npm advisory database and lists each finding with its severity and the range that fixes it. npm audit fix applies the updates that stay within the semver ranges already declared in package.json; fixes that need a major version bump are only applied with --force, which can break the build, so review those by hand. In CI, --audit-level=high makes the command exit non-zero only for high or critical findings.
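The following script is an added example written for this note, not code from npm or any of the tools listed here. It gates a CI job on the JSON that `npm audit --json` emits (the auditReportVersion 2 shape used by npm 7 and later), failing when a finding at or above a severity threshold has not been accepted in an allowlist with an expiry date, and following the report's "via" links so that a package that is only vulnerable through a dependency is waived together with that dependency. The sample report, package names, advisory IDs and the file names audit_gate.py and accepted.json are all constructed for the example.

```python
"""Gate a CI job on `npm audit --json` output (auditReportVersion 2, npm 7+).

Hypothetical helper written for this note; it is not part of npm or of any
other tool mentioned here. Usage in CI:

    npm audit --json > audit.json || true   # npm audit exits non-zero on findings
    python audit_gate.py audit.json accepted.json

accepted.json maps advisory ID -> ISO expiry date for risk that was reviewed and
accepted; once an entry expires it stops suppressing the finding.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def advisory_ids(report, pkg, seen=None):
    """Advisory IDs that make `pkg` vulnerable, following transitive 'via' links.

    In auditReportVersion 2, 'via' holds advisory objects for a package that is
    itself vulnerable and bare package names for one that is only affected
    through a dependency. Only the objects carry the numeric 'source' ID.
    """
    seen = set() if seen is None else seen
    if pkg in seen:  # guard against cycles in the dependency graph
        return set()
    seen.add(pkg)
    ids = set()
    for via in report["vulnerabilities"].get(pkg, {}).get("via", []):
        if isinstance(via, dict):
            ids.add(via["source"])
        else:
            ids |= advisory_ids(report, via, seen)
    return ids


def evaluate(report, threshold="high", allowlist=None, today=None):
    """Return (blocking, accepted, below_threshold) as sorted package lists.

    A package is accepted only if every advisory behind it is in `allowlist`
    (advisory ID -> ISO date) and none of those entries has expired.
    `today` may be a date or an ISO string; it defaults to the current date.
    """
    allowlist = allowlist or {}
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    min_rank = SEVERITY_RANK[threshold]
    blocking, accepted, below = [], [], []
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(vuln["severity"], 0) < min_rank:
            below.append(pkg)
            continue
        ids = advisory_ids(report, pkg)
        waived = bool(ids) and all(
            aid in allowlist and date.fromisoformat(allowlist[aid]) >= today
            for aid in ids
        )
        (accepted if waived else blocking).append(pkg)
    return sorted(blocking), sorted(accepted), sorted(below)


def run(argv):
    """CLI entry point: exit 1 when any blocking finding remains."""
    if not argv:
        print("usage: audit_gate.py audit.json [accepted.json]", file=sys.stderr)
        return 2
    with open(argv[0]) as f:
        report = json.load(f)
    allowlist = {}
    if len(argv) > 1:
        with open(argv[1]) as f:
            # JSON object keys are strings; advisory 'source' IDs are ints.
            allowlist = {int(k): v for k, v in json.load(f).items()}
    blocking, accepted, below = evaluate(report, allowlist=allowlist)
    for pkg in blocking:
        vuln = report["vulnerabilities"][pkg]
        hint = "npm audit fix may resolve" if vuln.get("fixAvailable") else "no automatic fix"
        print(f"BLOCK {pkg} ({vuln['severity']}; {hint})")
    print(f"{len(blocking)} blocking, {len(accepted)} accepted, {len(below)} below threshold")
    return 1 if blocking else 0


# Constructed sample report in npm's auditReportVersion 2 shape; the package
# names and advisory IDs are fictitious.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "parse-thing": {"name": "parse-thing", "severity": "high", "isDirect": False,
                        "via": [{"source": 1001, "name": "parse-thing",
                                 "title": "Prototype Pollution", "severity": "high",
                                 "range": "<2.1.0"}],
                        "effects": ["widget-kit"], "range": "<2.1.0", "fixAvailable": True},
        "widget-kit": {"name": "widget-kit", "severity": "high", "isDirect": True,
                       "via": ["parse-thing"], "effects": [], "range": "*",
                       "fixAvailable": True},
        "arc-utils": {"name": "arc-utils", "severity": "moderate", "isDirect": False,
                      "via": [{"source": 1002, "name": "arc-utils", "title": "ReDoS",
                               "severity": "moderate", "range": "<1.4.2"}],
                      "effects": [], "range": "<1.4.2", "fixAvailable": True},
        "ui-shell": {"name": "ui-shell", "severity": "critical", "isDirect": True,
                     "via": [{"source": 1003, "name": "ui-shell",
                              "title": "Arbitrary File Write", "severity": "critical",
                              "range": "<6.1.0"}],
                     "effects": [], "range": "<6.1.0", "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2,
                                     "critical": 1, "total": 4}},
}

if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
```

The expiry date on each accepted advisory is the point of the allowlist: a waiver that never lapses turns into permanent silence, whereas an expired entry fails the build again and forces a re-review. Keying the allowlist on the advisory ID rather than the package name means a second, different advisory against the same package is still caught.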
-
Snyk and WhiteSource Bolt
Both are hosted services that give quick results, with limits on free usage.
Snyk lets you create a free account, connect your Git provider, and pick the projects to scan. It supports many languages and package managers and has a clear web interface for triaging findings.
WhiteSource Bolt installs as a GitHub app or an Azure DevOps extension and scans after each commit. The free tier allows up to 5 scans per day.
https://www.whitesourcesoftware.com/free-developer-tools/bolt/
For more tools, check the OWASP SCA list: