# Code Quality and Security Tools: A Complete Survey (2025 Edition)
## 🔍 Static Code Analysis Tools
### 1. SonarQube ⭐⭐⭐⭐⭐
- Website: https://www.sonarqube.org/
- GitHub: SonarSource/sonarqube (⭐9k+)
- Pricing: Community Edition free, commercial editions paid
#### Core features
- Enterprise-grade: the most comprehensive feature set
- Multi-language: 30+ programming languages
- Quality gates: enforce quality standards
- Technical debt: quantifies code quality
#### Supported languages
Java, C#, JavaScript, TypeScript, Python,
PHP, Go, Ruby, Kotlin, Swift, C/C++,
HTML, CSS, SQL, XML, YAML, and more
#### Deployment
Docker:
```bash
docker run -d --name sonarqube \
  -p 9000:9000 \
  -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
  sonarqube:latest
# Open http://localhost:9000
# Default credentials: admin / admin (you are prompted to change them on first login)
```
Docker Compose:
```yaml
version: "3"
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:13
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
      POSTGRES_DB: sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
# Named volumes must be declared at the top level, otherwise Compose refuses to start
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:
```
#### Project configuration
sonar-project.properties:
```properties
# Unique project identifier
sonar.projectKey=my-project
sonar.projectName=My Project
sonar.projectVersion=1.0
# Source directories
sonar.sources=src
sonar.tests=tests
# Exclusions
sonar.exclusions=**/node_modules/**,**/dist/**,**/*.spec.ts
# Coverage reports
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.python.coverage.reportPaths=coverage.xml
# Encoding. (sonar.language is obsolete: SonarQube detects languages from file
# extensions, so a multi-language project needs no such setting.)
# sonar.language=js
sonar.sourceEncoding=UTF-8
```
Using the scanner:
```bash
# Install
npm install -g sonarqube-scanner
# Scan (SonarQube 10+ prefers -Dsonar.token=...; sonar.login still works but is deprecated)
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=your-token
```
#### Quality Gate
Default conditions (the gate fails when any of these holds):
- Coverage < 80%
- Duplicated Lines > 3%
- Maintainability Rating worse than A
- Reliability Rating worse than A
- Security Rating worse than A
- Security Hotspots Reviewed < 100%
Custom gates:
Quality Gates → Create
Set your own thresholds
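The gate conditions above are what the SonarQube Web API reports per project, and a CI job can read them directly instead of relying on the official action. The script below is an added example, not SonarQube's own code: it parses a constructed sample of the `GET /api/qualitygates/project_status` response, lists every failing condition with its threshold, and turns ratings (reported as 1-5) back into the A-E letters used in the list above. `fetch_project_status` shows how the live call would be made with a user token but is not executed here.

```python
import base64
import json
import urllib.request

# Constructed sample of the JSON that GET /api/qualitygates/project_status?projectKey=...
# returns. The shape follows the SonarQube Web API; the values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "65.2"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "1.1"},
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
})

# Ratings come back as numbers: 1 = A ... 5 = E
RATING_LETTERS = {"1": "A", "2": "B", "3": "C", "4": "D", "5": "E"}


def fetch_project_status(host_url: str, project_key: str, token: str) -> str:
    """Fetch the live gate status (not called in the offline example).
    SonarQube accepts a user token as the Basic-auth username with an empty password."""
    url = f"{host_url.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def gate_passed(response_json: str) -> bool:
    """True only when the project's overall gate status is OK."""
    return json.loads(response_json)["projectStatus"]["status"] == "OK"


def failing_conditions(response_json: str) -> list:
    """Every condition that is not OK, rendered as a human-readable line."""
    failed = []
    for cond in json.loads(response_json)["projectStatus"]["conditions"]:
        if cond["status"] == "OK":
            continue
        actual, threshold = cond["actualValue"], cond["errorThreshold"]
        if cond["metricKey"].endswith("_rating"):
            actual = RATING_LETTERS.get(actual, actual)
            threshold = RATING_LETTERS.get(threshold, threshold)
        op = {"LT": "<", "GT": ">"}.get(cond["comparator"], cond["comparator"])
        failed.append(f"{cond['metricKey']}: {actual} (fails when {op} {threshold})")
    return failed


if __name__ == "__main__":
    for line in failing_conditions(SAMPLE_RESPONSE):
        print("FAIL", line)
    # Non-zero exit makes the CI job fail exactly like the quality-gate action does
    raise SystemExit(0 if gate_passed(SAMPLE_RESPONSE) else 1)
```

Run it as the last step of a pipeline after the scanner has finished; the exit code is what blocks the merge, and the printed lines tell the developer which threshold was missed without opening the SonarQube UI.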
#### CI/CD integration
GitHub Actions:
```yaml
name: SonarQube
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history, needed for blame
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      - name: SonarQube Quality Gate
        uses: sonarsource/sonarqube-quality-gate-action@master
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
GitLab CI:
```yaml
sonarqube-check:
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - sonar-scanner
      -Dsonar.projectKey=$CI_PROJECT_NAME
      -Dsonar.sources=.
      -Dsonar.host.url=$SONAR_HOST_URL
      -Dsonar.login=$SONAR_TOKEN
  only:
    - merge_requests
    - main
```
#### Issue classification
- Bug: a defect in the code
- Vulnerability: a security flaw
- Code Smell: a maintainability problem
- Security Hotspot: security-sensitive code that needs review
Severity levels:
- Blocker
- Critical
- Major
- Minor
- Info
#### Strengths
- ✅ Most comprehensive feature set
- ✅ Enterprise support
- ✅ Powerful quality gates
- ✅ Quantified technical debt
- ✅ Multi-language support
#### Weaknesses
- ❌ Complex to deploy
- ❌ Resource-hungry
- ❌ Commercial editions are paid
#### Best suited for
- Medium and large projects
- Enterprise applications
- Teams that need quality gates
- Multi-language projects
### 2. CodeQL ⭐⭐⭐⭐⭐
- Website: https://codeql.github.com/
- GitHub: github/codeql
- Developer: GitHub/Microsoft
- Pricing: free for open-source projects
#### Core features
- Query-based analysis: treats code as a database
- Deep analysis: semantic-level analysis
- Security focus: finds security vulnerabilities
- GitHub integration: natively supported on GitHub
#### Supported languages
C/C++, C#, Go, Java, JavaScript/TypeScript,
Python, Ruby, Swift, Kotlin
#### Usage
GitHub Code Scanning (recommended):
```yaml
# .github/workflows/codeql.yml
name: "CodeQL"
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 1'  # every Monday
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'python']
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: security-extended
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```
CLI:
```bash
# Install
brew install codeql
# Create a database from the source tree in the current directory
codeql database create my-db --language=javascript
# Run the security-extended query suite, writing SARIF for upload to code scanning
codeql database analyze my-db \
  codeql/javascript-queries:codeql-suites/javascript-security-extended.qls \
  --format=sarif-latest \
  --output=results.sarif
# For a quick human-readable view, rerun the analysis with CSV output instead
codeql database analyze my-db \
  codeql/javascript-queries:codeql-suites/javascript-security-extended.qls \
  --format=csv \
  --output=results.csv
```
#### Custom queries
Finding SQL injection (a `query` call whose first argument is assembled by string concatenation):
```ql
import javascript

// Syntactic check only: flags query(...) calls whose first argument is a
// concatenation containing a string literal. The bundled js/sql-injection
// query does the same job with taint tracking from user input.
from CallExpr call, AddExpr concat
where
  call.getCalleeName() = "query" and
  concat = call.getArgument(0) and
  concat.getAnOperand() instanceof StringLiteral
select call, "Possible SQL injection: query built by string concatenation"
```
#### Strengths
- ✅ Deep semantic analysis
- ✅ Accurate vulnerability detection
- ✅ Native GitHub integration
- ✅ Flexible custom queries
#### Weaknesses
- ❌ Steep learning curve
- ❌ Private repositories require a paid GitHub plan
- ❌ Slow analysis
#### Best suited for
- Security-critical applications
- Projects hosted on GitHub
- In-depth security analysis
- Vulnerability research
### 3. Semgrep ⭐⭐⭐⭐⭐
- Website: https://semgrep.dev/
- GitHub: returntocorp/semgrep (⭐10k+)
- Pricing: open source and free, plus a cloud edition
#### Core features
- Fast: 100x faster than CodeQL
- Easy to use: simple, intuitive YAML rules
- Multi-language: 30+ languages
- Custom rules: easy to write your own
#### Rule examples
Detecting hard-coded passwords:
```yaml
# rules/hardcoded-password.yml
rules:
  - id: hardcoded-password
    pattern: password = "..."
    message: Hard-coded password; use an environment variable
    severity: ERROR
    languages: [python, javascript]
```
Detecting SQL injection:
```yaml
rules:
  - id: sql-injection
    # "..." matches any string literal and $VAR any expression, so the rule
    # catches every query assembled by concatenation, not one specific string
    pattern: |
      cursor.execute("..." + $VAR)
    message: SQL injection risk; use a parameterised query
    severity: ERROR
    languages: [python]
```
Detecting unvalidated redirects:
```yaml
rules:
  - id: open-redirect
    pattern: |
      redirect($URL)
    message: Unvalidated redirect
    severity: WARNING
    languages: [javascript]
```
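Both the Semgrep `sql-injection` rule above and the CodeQL query in the previous section flag the same code shape: a query assembled by string concatenation. The snippet below is an added example (not from Semgrep, CodeQL, or this survey's author) that shows that shape beside its parameterised replacement, using an in-memory SQLite table with constructed rows so it runs offline. `get_user_vulnerable` is exactly what the rule matches; `get_user_safe` is the fix the rule's message asks for.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The shape the Semgrep rule flags: the query is assembled by concatenation,
    so whatever the caller supplies becomes part of the SQL text itself."""
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
    return cursor.fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never parsed as SQL."""
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    return cursor.fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input that is not a user id
    print("concatenated:", get_user_vulnerable(db, crafted))  # every row comes back
    print("parameterised:", get_user_safe(db, crafted))       # no row matches
```

The parameterised version compares the whole string against the `id` column, so a value that is not a number simply matches nothing; the scanner rule exists because a code reviewer cannot tell the two call sites apart without reading the argument.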
#### Usage
CLI:
```bash
# Install
pip install semgrep
# or
brew install semgrep
# Scan with automatically selected rules
semgrep --config=auto .
# Use specific rule sets
semgrep --config=p/owasp-top-10 .
semgrep --config=p/security-audit .
semgrep --config=p/secrets .
# Custom rules
semgrep --config=rules/ .
```
CI integration:
```yaml
# .github/workflows/semgrep.yml
name: Semgrep
on: [push, pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v3
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
#### Rule registry
Official rule sets:
- p/security-audit: security audit
- p/owasp-top-10: OWASP Top 10
- p/secrets: secret detection
- p/ci: CI best practices
- p/r2c-best-practices: general best practices
Language-specific:
- p/python
- p/javascript
- p/golang
- p/java
#### Strengths
- ✅ Extremely fast
- ✅ Rules are simple to write
- ✅ Free tier is sufficient for most uses
- ✅ Multi-language support
- ✅ Low false-positive rate
#### Weaknesses
- ❌ Not as deep as CodeQL
- ❌ Some complex patterns are hard to express
#### Best suited for
- Quick security scans
- CI/CD integration
- Custom rule checks
- Code audits
## 🛡️ Security Scanning Tools
### 1. Snyk ⭐⭐⭐⭐⭐
- Website: https://snyk.io/
- Pricing: free (open source) + Team plan at $98/month
#### Core features
- Dependency scanning: npm, pip, Maven, Go, and more
- Container scanning: Docker images
- IaC scanning: Terraform, Kubernetes
- Fix suggestions: automated fix PRs
#### Functionality
Dependency scanning:
```bash
# Install
npm install -g snyk
# or
brew install snyk/tap/snyk
# Authenticate
snyk auth
# Test dependencies
snyk test
# Monitor the project continuously
snyk monitor
# Apply fixes
snyk fix
```
Container scanning:
```bash
# Scan a Docker image
snyk container test node:18
```
Sample output:
```text
✗ High severity vulnerability found in openssl
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-...
  Introduced through: openssl@1.1.1
  Fixed in: 1.1.1s
Tested 189 dependencies for known issues, found 12 issues.
```
IaC scanning:
```bash
# Scan Terraform
snyk iac test terraform/
# Scan Kubernetes manifests
snyk iac test k8s/*.yaml
```
GitHub integration:
Install the Snyk GitHub App
→ automatic PR checks
→ automatic fix PRs when vulnerabilities are found
→ dependency update notifications
#### CI/CD integration
```yaml
# .github/workflows/snyk.yml
name: Snyk Security
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Snyk
        uses: snyk/actions/node@master
        # Keep going when vulnerabilities are found so the SARIF still gets uploaded
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --sarif-file-output is what produces the snyk.sarif uploaded below
          args: --severity-threshold=high --sarif-file-output=snyk.sarif
      - name: Upload to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
```
#### Strengths
- ✅ Broad coverage (code + dependencies + containers + IaC)
- ✅ Automated fixes
- ✅ Free for open source
- ✅ Deep GitHub integration
#### Weaknesses
- ❌ Limits on private projects
- ❌ Some features require payment
### 2. Trivy ⭐⭐⭐⭐⭐
- Website: https://trivy.dev/
- GitHub: aquasecurity/trivy (⭐22k+)
- Pricing: completely free and open source
#### Core features
- Multiple targets: container images, file systems, Git repositories
- Fast: scans in seconds
- Accurate: low false-positive rate
- Offline: supports offline scanning
#### Usage
Install:
```bash
brew install aquasecurity/trivy/trivy
```
Container image scanning:
```bash
# Scan a Docker image
trivy image python:3.11
```
Sample output:
```text
python:3.11 (debian 11.6)
============================
Total: 150 (UNKNOWN: 0, LOW: 85, MEDIUM: 45, HIGH: 18, CRITICAL: 2)
┌─────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                          │
├─────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────┤
│ openssl │ CVE-2023-0286 │ CRITICAL │ 1.1.1n            │ 1.1.1s        │ openssl: X.400 address type    │
│         │               │          │                   │               │ confusion in X.509 GeneralName │
└─────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────┘
```
```bash
# Show only serious vulnerabilities
trivy image --severity CRITICAL,HIGH python:3.11
# JSON output
trivy image -f json python:3.11 > result.json
# Generate an SBOM
trivy image --format cyclonedx python:3.11 > sbom.json
```
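Trivy's JSON output is what a pipeline gate consumes when the built-in `--severity`/`--exit-code`/`--ignore-unfixed` flags are not enough (for example when unfixable findings should be reported but not block). The script below is an added example, not part of Trivy or of this survey: it reads a constructed report in the shape Trivy writes with `-f json` (the openssl row mirrors the table above; the `CVE-EXAMPLE-*` entries are placeholders, not real advisories), splits findings at or above a severity threshold into fixable and unfixable, and derives the exit code from that.

```python
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape Trivy writes with `-f json`. The openssl entry mirrors
# the table in the text; the CVE-EXAMPLE-* entries are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "python:3.11",
    "Results": [{
        "Target": "python:3.11 (debian 11.6)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-0286", "PkgName": "openssl",
             "InstalledVersion": "1.1.1n", "FixedVersion": "1.1.1s", "Severity": "CRITICAL",
             "Title": "openssl: X.400 address type confusion in X.509 GeneralName"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH",
             "Title": "constructed: no fix released yet"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
             "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "LOW",
             "Title": "constructed: low severity"},
        ],
    }],
})


def iter_vulns(report_json: str):
    """Yield every finding; Trivy leaves "Vulnerabilities" out entirely for a clean target."""
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def summarize(report_json: str, threshold: str = "HIGH", ignore_unfixed: bool = False) -> dict:
    """Group findings at or above `threshold` into fixable / unfixable, the way a CI gate would."""
    min_rank = SEVERITY_ORDER.index(threshold)
    fixable, unfixable = [], []
    for v in iter_vulns(report_json):
        if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) < min_rank:
            continue
        entry = f'{v["VulnerabilityID"]} {v["PkgName"]}@{v["InstalledVersion"]}'
        if v.get("FixedVersion"):
            fixable.append(entry + f' -> {v["FixedVersion"]}')
        else:
            unfixable.append(entry)
    # Unfixable findings are still listed, but with ignore_unfixed they do not block the build
    blocking = fixable if ignore_unfixed else fixable + unfixable
    return {"fixable": fixable, "unfixable": unfixable, "blocking": blocking}


def should_fail(report_json: str, threshold: str = "HIGH", ignore_unfixed: bool = False) -> bool:
    """Exit-code policy: fail the build when any blocking finding remains."""
    return bool(summarize(report_json, threshold, ignore_unfixed)["blocking"])


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT, "HIGH", ignore_unfixed=True)
    print("fixable (blocking):", s["fixable"])
    print("unfixable (reported only):", s["unfixable"])
    raise SystemExit(1 if should_fail(SAMPLE_REPORT, "HIGH", ignore_unfixed=True) else 0)
```

Feed it `result.json` from the command above; the same parser works for `trivy fs` and `trivy repo` output because they share the `Results[].Vulnerabilities[]` layout.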
File system scanning:
```bash
# Scan project dependencies
trivy fs .
# Scan specific lock files
trivy fs package-lock.json
trivy fs Pipfile.lock
trivy fs go.mod
```
Git repository scanning:
```bash
trivy repo https://github.com/user/repo
```
IaC scanning:
```bash
trivy config .
# Scan Terraform
trivy config terraform/
# Scan Kubernetes manifests
trivy config k8s/
```
CI/CD integration:
```yaml
# .github/workflows/trivy.yml
name: Trivy
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```
#### Strengths
- ✅ Completely free and open source
- ✅ Fast
- ✅ Offline support
- ✅ Multiple scan targets
- ✅ Low false-positive rate
#### Weaknesses
- ❌ Simpler feature set than Snyk
- ❌ No automated fixes
### 3. OWASP Dependency-Check ⭐⭐⭐⭐
- Website: https://owasp.org/www-project-dependency-check/
- GitHub: jeremylong/DependencyCheck
#### Core features
- Dependency scanning: finds dependencies with known vulnerabilities
- Multi-language: Java, .NET, Python, Ruby, Node.js
- CVE database: based on the NVD
#### Usage
```bash
# Download and unpack the release
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip
unzip dependency-check-8.0.0-release.zip
cd dependency-check
# Run
./bin/dependency-check.sh --scan /path/to/project --format HTML
# Maven plugin
mvn org.owasp:dependency-check-maven:check
# Gradle plugin
./gradlew dependencyCheckAnalyze
```
## ✨ Code Style Tools
### 1. ESLint ⭐⭐⭐⭐⭐
- Website: https://eslint.org/
- GitHub: eslint/eslint (⭐25k+)
- Pricing: open source, free
#### Core features
- JavaScript standard: the de facto linter
- Configurable: highly customisable
- Auto-fix: --fix repairs fixable issues
- Rich plugin ecosystem: React, Vue, TypeScript, and more
#### Configuration
.eslintrc.json:
```json
{
  "env": {
    "browser": true,
    "es2021": true,
    "node": true
  },
  "extends": [
    "eslint:recommended",
    "plugin:@typescript-eslint/recommended",
    "plugin:react/recommended",
    "plugin:react-hooks/recommended",
    "prettier"
  ],
  "parser": "@typescript-eslint/parser",
  "parserOptions": {
    "ecmaFeatures": {
      "jsx": true
    },
    "ecmaVersion": "latest",
    "sourceType": "module"
  },
  "plugins": [
    "react",
    "@typescript-eslint"
  ],
  "rules": {
    "no-console": "warn",
    "no-unused-vars": "error",
    "prefer-const": "error",
    "react/prop-types": "off",
    "@typescript-eslint/explicit-module-boundary-types": "off"
  }
}
```
package.json:
```json
{
  "scripts": {
    "lint": "eslint src --ext .ts,.tsx",
    "lint:fix": "eslint src --ext .ts,.tsx --fix"
  },
  "devDependencies": {
    "eslint": "^8.0.0",
    "@typescript-eslint/eslint-plugin": "^6.0.0",
    "@typescript-eslint/parser": "^6.0.0",
    "eslint-plugin-react": "^7.33.0",
    "eslint-plugin-react-hooks": "^4.6.0",
    "eslint-config-prettier": "^9.0.0"
  }
}
```
#### Common plugins
```bash
# React
npm install -D eslint-plugin-react eslint-plugin-react-hooks
# TypeScript
npm install -D @typescript-eslint/eslint-plugin @typescript-eslint/parser
# Import ordering
npm install -D eslint-plugin-import
# Accessibility
npm install -D eslint-plugin-jsx-a11y
# Prettier integration
npm install -D eslint-config-prettier
```
### 2. Prettier ⭐⭐⭐⭐⭐
- Website: https://prettier.io/
- GitHub: prettier/prettier (⭐49k+)
- Pricing: open source, free
#### Core features
- Formatting: formats code automatically
- Opinionated: fewer configuration debates
- Multi-language: JS, TS, CSS, HTML, JSON, Markdown, and more
- Editor integration: format on save
#### Configuration
.prettierrc:
```json
{
  "semi": true,
  "singleQuote": true,
  "tabWidth": 2,
  "trailingComma": "es5",
  "printWidth": 100,
  "arrowParens": "avoid"
}
```
package.json:
```json
{
  "scripts": {
    "format": "prettier --write \"src/**/*.{js,jsx,ts,tsx,json,css,md}\"",
    "format:check": "prettier --check \"src/**/*.{js,jsx,ts,tsx,json,css,md}\""
  }
}
```
VS Code settings:
```json
{
  "editor.defaultFormatter": "esbenp.prettier-vscode",
  "editor.formatOnSave": true
}
```
### 3. Ruff ⭐⭐⭐⭐⭐
- Website: https://docs.astral.sh/ruff/
- GitHub: astral-sh/ruff (⭐28k+)
- Pricing: open source, free
#### Core features
- Written in Rust: 100x faster than Pylint
- Replaces several tools: Flake8, isort, pyupgrade, and more
- Auto-fix: most rules can be fixed automatically
#### Usage
```bash
# Install
pip install ruff
# Lint
ruff check .
# Lint and fix
ruff check --fix .
# Format (replaces Black)
ruff format .
```
pyproject.toml:
```toml
[tool.ruff]
line-length = 100
target-version = "py311"

# Ruff 0.2+ expects linter settings under [tool.ruff.lint];
# top-level select/ignore still work but emit a deprecation warning
[tool.ruff.lint]
select = [
  "E",   # pycodestyle errors
  "W",   # pycodestyle warnings
  "F",   # pyflakes
  "I",   # isort
  "B",   # flake8-bugbear
  "C4",  # flake8-comprehensions
  "UP",  # pyupgrade
]
ignore = [
  "E501",  # line too long (the formatter handles line length)
]

[tool.ruff.lint.per-file-ignores]
"__init__.py" = ["F401"]
```
## 📊 Code Complexity Analysis Tools
### 1. SonarQube (covered above)
Quantifying technical debt:
Technical debt = total remediation time = Σ (number of issues × remediation time per issue)
Example:
- 10 Major bugs × 1 hour = 10 hours
- 50 Code Smells × 10 minutes = 8.3 hours
Total technical debt: 18.3 hours ≈ 2.3 days (at 8 hours per day)
### 2. Code Climate ⭐⭐⭐⭐
- Website: https://codeclimate.com/
- Pricing: free for open source + Team plan at $249/month
#### Core features
- Maintainability score: A to F rating
- Test coverage: integrates coverage reports
- Duplication: detects duplicated code
### 3. Codebeat ⭐⭐⭐⭐
- Website: https://codebeat.co/
- Pricing: free (public repositories)
#### Core features
- Real-time analysis: automatic analysis on GitHub
- GPA score: 0 to 4 scale
- Simple and intuitive: quick to integrate
## 🔐 Dependency Security Checks
### 1. npm audit
```bash
# Check for vulnerabilities
npm audit
# Apply automatic fixes
npm audit fix
# Force fixes (may introduce breaking changes)
npm audit fix --force
# Generate a report
npm audit --json > audit-report.json
```
### 2. pip-audit ⭐⭐⭐⭐⭐
```bash
# Install
pip install pip-audit
# Check the current environment
pip-audit
# Check a requirements file
pip-audit -r requirements.txt
# Apply automatic fixes
pip-audit --fix
```
### 3. Dependabot ⭐⭐⭐⭐⭐
- Website: https://github.com/dependabot
- Developer: GitHub
- Pricing: built into GitHub, free
#### Configuration
.github/dependabot.yml:
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "my-username"
    assignees:
      - "my-username"
    labels:
      - "dependencies"
      - "javascript"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
## 🔑 Secret Scanning Tools
### 1. GitGuardian ⭐⭐⭐⭐⭐
- Website: https://www.gitguardian.com/
- Pricing: free (public repositories) + Team plan
#### Features
- Real-time scanning: detection at commit time
- Historical scanning: scans the entire Git history
- 200+ secret types: API keys, certificates, passwords, and more
### 2. TruffleHog ⭐⭐⭐⭐⭐
- GitHub: trufflesecurity/trufflehog (⭐15k+)
- Pricing: open source, free
#### Usage
```bash
# Install
brew install trufflesecurity/trufflehog/trufflehog
# Scan a Git repository
trufflehog git https://github.com/user/repo
# Scan a local directory
trufflehog filesystem /path/to/repo
# Scan a Docker image
trufflehog docker --image=myimage:latest
# Show only secrets that were verified as live against their provider
trufflehog git https://github.com/user/repo --only-verified
```
### 3. detect-secrets ⭐⭐⭐⭐
- GitHub: Yelp/detect-secrets (⭐3.6k+)
```bash
# Install
pip install detect-secrets
# Create a baseline of the secrets already present
detect-secrets scan > .secrets.baseline
# Audit the baseline (mark each finding as a real secret or a false positive)
detect-secrets audit .secrets.baseline
# Scan again, reporting only findings that are not already in the baseline
detect-secrets scan --baseline .secrets.baseline
```
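The three tools above share one workflow: detect candidate secrets, keep a hashed baseline of the ones already reviewed, and fail only on new ones. The script below is an added example (not the code of detect-secrets, TruffleHog, or GitGuardian) that reproduces that loop on constructed input: a fixed-format detector for the AWS access-key-id layout, a keyword-plus-entropy heuristic for `password = "..."` style assignments that skips low-entropy placeholders, SHA-256 fingerprints so the baseline never stores the secret itself, and a `new_findings` filter that plays the role of `--baseline`. The `AKIA...` value is a made-up string in the right shape, not a real key.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample: the lines of a file as a pre-commit hook would see them.
# The AKIA... value is a made-up string in the AWS access-key-id format, not a real key.
SAMPLE_LINES = [
    'DB_PASSWORD = "s3cr3t-pr0d-p@ss"',
    'api_key = "changeme"',
    'password = os.environ["DB_PASSWORD"]',
    'AWS_KEY = "AKIAEXAMPLE000000001"',
]

# Two detector styles that scanners combine: a fixed-format pattern and a keyword heuristic
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "keyword-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; "changeme" scores 2.75, random-looking values higher


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def fingerprint(secret: str) -> str:
    """Store a hash, never the secret itself, in the baseline file."""
    return hashlib.sha256(secret.encode()).hexdigest()


def scan(lines, path: str) -> list:
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(2) if kind == "keyword-assignment" else m.group(0)
            # A low-entropy value after a keyword is usually a placeholder, not a credential
            if kind == "keyword-assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno, "type": kind,
                             "fingerprint": fingerprint(secret)})
    return findings


def new_findings(findings, baseline: set) -> list:
    """The detect-secrets workflow: only findings whose hash was not already audited are reported."""
    return [f for f in findings if f["fingerprint"] not in baseline]


if __name__ == "__main__":
    found = scan(SAMPLE_LINES, "config.py")
    baseline = {fingerprint("AKIAEXAMPLE000000001")}  # pretend this one was audited earlier
    for f in new_findings(found, baseline):
        print(f"{f['path']}:{f['line']}: new {f['type']} (hash {f['fingerprint'][:12]})")
```

Line 3 (`os.environ[...]`) is the pattern the scanner should encourage, so it produces no finding, and line 2 is dropped by the entropy check; only the concatenation of both filters keeps the false-positive rate low enough for a pre-commit hook to be tolerated.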
## 📜 License Compliance Tools
### 1. FOSSA ⭐⭐⭐⭐⭐
- Website: https://fossa.com/
- Pricing: free (open source) + Enterprise plan
#### Features
- License compliance: checks dependency licenses
- Vulnerability scanning: scans for security vulnerabilities at the same time
- Policy management: custom license policies
### 2. License Finder ⭐⭐⭐⭐
- GitHub: pivotal/LicenseFinder (⭐1.7k+)
```bash
# Install
gem install license_finder
# Scan
license_finder
# Approve licenses (LicenseFinder 6+ renamed `whitelist` to `permitted_licenses`)
license_finder permitted_licenses add MIT
license_finder permitted_licenses add Apache-2.0
# Restrict licenses (formerly `blacklist`)
license_finder restricted_licenses add GPL-3.0
```
## 🔄 CI/CD Integration
### Complete GitHub Actions example
```yaml
name: Code Quality & Security
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm ci
      - run: npm run lint
      - run: npm run format:check
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - run: npm ci
      - run: npm test -- --coverage
      - name: Upload coverage
        uses: codecov/codecov-action@v3
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # CodeQL needs this to upload its results
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # TruffleHog scans commit history, so it needs more than a shallow clone
      # Snyk
      - name: Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Trivy
      - name: Trivy FS
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
      # Secret scanning
      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
      # CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
## 📊 Tool Comparison
### Static analysis
| Tool | Language support | Depth | Speed | Price |
|---|---|---|---|---|
| SonarQube | 30+ | ⭐⭐⭐⭐ | ⭐⭐⭐ | Free + paid |
| CodeQL | 10+ | ⭐⭐⭐⭐⭐ | ⭐⭐ | Free (open source) |
| Semgrep | 30+ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | Free + paid |
### Security scanning
| Tool | Coverage | Auto-fix | Price |
|---|---|---|---|
| Snyk | Code + dependencies + containers + IaC | ✅ | Free + paid |
| Trivy | Containers + dependencies + IaC | ❌ | Free |
| Dependabot | Dependencies | ✅ | Free |
## 🎯 Recommendations
### Small teams / individuals
- Static analysis: Semgrep (free and fast)
- Code style: ESLint + Prettier
- Dependency security: Dependabot + npm audit
- Secret scanning: TruffleHog
- Container scanning: Trivy
### Medium-sized teams
- Static analysis: SonarQube Community
- Code style: ESLint + Prettier + Ruff
- Security: Snyk free tier + Trivy
- Secrets: GitGuardian
- CI/CD: the full GitHub Actions pipeline above
### Large enterprises
- Static analysis: SonarQube Enterprise
- Security: Snyk Enterprise + CodeQL
- Containers: Trivy + Snyk Container
- Compliance: FOSSA
- SAST/DAST: commercial solutions
### By language
- JavaScript/TypeScript: ESLint + Prettier + Semgrep + Snyk
- Python: Ruff + Semgrep + pip-audit
- Java: SonarQube + SpotBugs + Snyk
- Go: golangci-lint + Semgrep + Trivy
Last updated: January 2025
Tools covered: 30+
Top picks: SonarQube, CodeQL, Semgrep, Snyk, Trivy, ESLint, Prettier, Ruff, Dependabot, TruffleHog