This is something I created to explain my experience with these tools personally
and professionally. These are my personal opinions. If I don't like your product
I can change my mind with a six figure bribe, lol.
DAST

Burp Standard
  Pros:
    Everyone is familiar with it
    Customizable, many extensions
    Lots of third-party materials
    Reasonable price
  Cons:
    Mostly great for manual scans
    Not that great in the CI/CD pipeline

Nuclei
  Pros:
    FOSS
    Many community templates for CVEs
    Easy to use, fire and forget
    Easy to write templates
  Cons:
    Template logic is simple
    Multi-step (chained-request) scans are supported but need manual configuration of extractors
    Mostly used for unauthenticated scans

ZAP
  Pros:
    FOSS
    Industry standard
    Many tutorials
  Cons:
    Auth config is hard
    Had to write custom code for integration
    Funding issues
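As an added example (not from the original page and not an official ProjectDiscovery template), here is a minimal Nuclei template showing what "steps" mean in practice: two chained raw HTTP requests where an internal extractor pulls a token out of the login response and feeds it into the second request. The hostname, the /api/login and /api/me endpoints, the JSON field names and the username/password variables are all hypothetical; the credentials would be passed in with -var at run time.

```yaml
# Added example, not an official template. Endpoints (/api/login, /api/me),
# JSON field names and the username/password variables are hypothetical.
# Run as:
#   nuclei -t chained-login-profile-example.yaml -u https://target.example \
#          -var username=alice -var password=s3cret
id: chained-login-profile-example

info:
  name: Login then fetch profile (chained request example)
  author: example
  severity: info
  description: |
    Two-step scan: step 1 logs in, an internal extractor captures the
    session token, step 2 reuses it. Without the extractor wiring below,
    the second request would go out unauthenticated, which is why
    multi-step templates need this manual configuration.
  tags: example,auth,chained

http:
  - raw:
      # Step 1: authenticate. {{username}} and {{password}} come from -var.
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

      # Step 2: reuse the token extracted from the step 1 response.
      - |
        GET /api/me HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}

    # Dynamic extractor: "internal: true" keeps the value out of the report
    # and makes {{token}} available to the following request.
    extractors:
      - type: regex
        name: token
        internal: true
        part: body
        group: 1
        regex:
          - '"token"\s*:\s*"([A-Za-z0-9._-]+)"'

    # Evaluate matchers across the request sequence; the _2 suffix refers
    # to the second response, so only the authenticated call is judged.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_2 == 200 && contains(body_2, 'email')"
```

The extractor runs against every response in the sequence; it simply finds nothing in the second one. Everything a single-request CVE template gives you for free (one path, one matcher) has to be spelled out by hand here, which is the trade-off the table points at.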
DAST Notes
Burp has an enterprise version that is supposedly better for pipelines. I have never used it. It's a solid tool, regardless.
SAST
Keep in mind that I am a Semgrep junkie! I don't work for them.
CodeQL
  Pros:
    Integrated with GitHub
    Powerful analysis
    Can reuse the database for further analysis
  Cons:
    Needs buildable code (for compiled languages the database is created by observing a real build)
    Licensing :( (free only for public repos and open-source use)
    Rules are complex and not for devs
    GitHub is a first-class citizen for support and features

Semgrep
  Pros:
    FOSS scanner
    Lots of free rules
    Easy rule syntax (good for devs)
    Integration with many CI/CD platforms
    Secret scanning with validation (checks whether a found secret is live)
    Supply chain scanning with reachability analysis
  Cons:
    Free rules are just OK
    Need custom rules to be effective
    Supply chain and secret scanning are paid
    No cross-file (inter-file) analysis in the free version
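As an added example (not from the original page and not a rule from the Semgrep registry), here is a small taint-mode rule in the syntax the table calls dev-friendly: a Flask request parameter that reaches a shell command, with shlex.quote treated as a sanitizer. The rule id, message and the flask/subprocess patterns are my own choices, not a published rule.

```yaml
# Added example rule, not from the Semgrep registry. Rule id and message are mine.
#
# Flagged (source and sink in the same function, same file):
#   host = request.args.get("host")
#   subprocess.run("ping -c1 " + host, shell=True)
# Not flagged (sanitized):
#   subprocess.run("ping -c1 " + shlex.quote(host), shell=True)
# Not flagged by the free engine: the same flow when the value is read in one
# function or file and the shell call sits in another. Cross-function and
# cross-file taint tracking need the paid Pro engine, which is the
# "no inter-file analysis" con above.
rules:
  - id: example-flask-param-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Request data from flask reaches a shell command. Pass arguments as a
      list with shell=False, or validate the value against an allowlist.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
      category: security

    # Where untrusted data enters. Semgrep resolves `from flask import request`,
    # so a bare `request.args.get(...)` in the target file still matches.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.get_json(...)

    # Data that passed through shlex.quote is considered clean.
    pattern-sanitizers:
      - pattern: shlex.quote(...)

    # Where tainted data must not arrive. focus-metavariable reports just the
    # tainted argument instead of the whole call expression.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: os.system($SINK)
              - pattern: subprocess.$FUNC($SINK, ..., shell=True, ...)
          - focus-metavariable: $SINK
```

Run it with `semgrep --config example-flask-param-to-shell.yaml path/to/app.py`. The whole rule is plain YAML plus snippets of the target language, which is why a developer who has never seen a dataflow graph can still write and review one; the cost is that the free engine only follows the flow inside one function in one file.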
SAST Notes
CodeQL needs you to pay for GitHub Advanced Security (for private repos), which
also includes supply chain scanning (Dependabot) and secret scanning with
validation. I am not sure if CodeQL is used for those, but you get everything
as a bundle when you pay for it.
I've not used the Semgrep supply chain and reachability analysis.