Parsia-Clone

'Documentation is a love letter that you write to your future self.' - Damian Conway

2 minute read - Research

Comparing some SAST and DAST solutions.

Github Link

This is something I created to explain my experience with these tools personally and professionally. These are my personal opinions. If I don't like your product I can change my mind with a six-figure bribe, lol.

DAST

Burp Standard
  Pros:
  • Everyone is familiar with it
  • Customizable, many extensions
  • Lots of 3rd party materials
  • Reasonable price
  Cons:
  • Mostly great for manual scans
  • Not that great in the CI/CD pipeline

Nuclei
  Pros:
  • FOSS
  • Many community templates for CVEs
  • Easy to use, fire and forget
  • Easy to write templates
  Cons:
  • Template logic is simple
  • Supports steps but needs manual config
  • Mostly used for unauthenticated scans

ZAP
  Pros:
  • FOSS
  • Industry standard
  • Many tutorials
  Cons:
  • Auth config is hard
  • Had to write custom code for integration
  • Funding issues

DAST Notes

  1. Burp has an enterprise version that is supposedly better for pipelines. I have never used it. It's a solid tool, regardless.
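To make the "supports steps but needs manual config" point concrete, here is a two-step Nuclei template written for this page as an added example; it is not from the original post or from the Nuclei project. It logs in, pulls the session token out of the first response with an internal extractor, and reuses it in a second authenticated request. The `/login` and `/api/me` paths, the JSON field names (`token`, `role`), and the `username`/`password` variables are assumptions for the example.

```yaml
# Added example, not part of the original post. Endpoint paths, JSON field
# names and the username/password variables are assumptions.
id: example-login-then-check-role

info:
  name: Two-step authenticated check (login, then read /api/me)
  author: added-example
  severity: medium
  description: >-
    Logs in with supplied credentials, extracts the bearer token from the login
    response, then calls /api/me with it and flags a response whose JSON role
    field is "admin".

http:
  - raw:
      # Step 1: authenticate. {{username}} and {{password}} are supplied on the
      # command line with -var (see usage note).
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}
      # Step 2: reuse the token extracted from step 1.
      - |
        GET /api/me HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}

    # internal: true makes the extracted value available to later requests
    # instead of printing it as a finding.
    extractors:
      - type: regex
        name: token
        internal: true
        part: body
        group: 1
        regex:
          - '"token":"([^"]+)"'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - '"role":"admin"'
```

Run it as `nuclei -u https://target.example -t example-login-then-check-role.yaml -var username=alice -var password='...'`. This is the "manual config" part: every target needs its own login request shape, extractor regex and variables, which is why Nuclei is mostly used for unauthenticated scans in practice.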

SAST

Keep in mind that I am a Semgrep junkie! I don't work for them.

CodeQL
  Pros:
  • Integrated with GitHub
  • Powerful analysis
  • Can reuse the database for further analysis
  Cons:
  • Needs buildable code
  • Licensing :(
  • Rules are complex and not for devs
  • GitHub is a 1st class citizen for support and features

Semgrep
  Pros:
  • FOSS scanner
  • Lots of free rules
  • Easy rule syntax (good for devs)
  • Integration with many CI/CD platforms
  • Secret scanning + validation
  • Supply chain + reachability analysis
  Cons:
  • Free rules are just OK
  • Need custom rules to be effective
  • Supply chain + secret scanning is paid
  • No inter-file analysis in free version

SAST Notes

  1. CodeQL needs you to pay for GitHub Advanced Security (for private repos), which also has support for supply chain (Dependabot) and secret scanning + validation. I am not sure if CodeQL is used for those, but you get everything as a bundle when you pay for it.
  2. I've not used the Semgrep supply chain and reachability analysis.
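As an illustration of the "easy rule syntax" and "need custom rules" points above, here is a custom Semgrep taint rule written for this page as an added example; it is not from the original post or from the Semgrep rule registry. It flags a Flask request parameter that flows into `subprocess` with `shell=True` inside a single file, which is the kind of intra-file dataflow the free engine does handle. The rule id, the `flask`/`subprocess` source and sink patterns, and the `shlex.quote` sanitizer are choices made for this example.

```yaml
# Added example rule, not from the original post or the Semgrep registry.
# Source/sink/sanitizer patterns are choices made for this example.
rules:
  - id: flask-param-to-subprocess-shell
    languages: [python]
    severity: ERROR
    message: >-
      Request-controlled value '$CMD' reaches subprocess.$FUNC with shell=True
      (possible OS command injection). Pass an argument list and drop shell=True.
    mode: taint
    # Sources: anything read from the incoming Flask request.
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
    # Sinks: the command argument of any subprocess call that uses a shell.
    pattern-sinks:
      - patterns:
          - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
          - focus-metavariable: $CMD
    # Sanitizer: a value wrapped with shlex.quote is no longer tainted.
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
```

Save it as `flask-shell.yaml` and run `semgrep --config flask-shell.yaml app.py`. A handler like `host = request.args.get("host"); subprocess.run(f"ping -c1 {host}", shell=True)` is reported; the same flow through `shlex.quote(host)` is not. Because the free version does not follow taint across files, a source in `views.py` that reaches the sink via a helper in `utils.py` will be missed, so rules like this are most reliable when the handler and the call sit together.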