Company-wide SAST
At Yandex, developers use a wide range of VCS and CI/CD systems, and the security team runs more than a dozen tools. For static analysis we have commercial, open source, and proprietary tools. Without a single entry point, however, these tools would give poor coverage, a high false-positive rate, and a low bus factor.
To solve these problems, we developed the imPulse orchestrator, which unifies how analyzers are launched, how their reports are handled, and how findings are triaged.
imPulse supports the traditional scenario of scheduled scans as well as on-demand security audits triggered from CI/CD systems. A single interface for working with static analysis tools lets us find Yandex-specific problems and vulnerabilities across the entire code base. To do this, we use analyzers such as Semgrep and CodeQL. In this presentation, we will talk about the problems we face and where we get ideas for custom rules.
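The "single interface" idea above comes down to normalizing each analyzer's output into one finding schema so that deduplication and triage happen in one place. The following is an added illustration, not imPulse code and not from the talk: it parses a constructed Semgrep JSON report and a constructed CodeQL SARIF report, maps both onto a common Finding record with a stable fingerprint, drops duplicates, applies a suppression list (the triage step), and sorts by severity. The input documents, rule ids, paths and line numbers are made up; only the field names follow the tools' real output formats.

```python
"""Added example: a minimal SAST report normalizer (illustrative, not imPulse).

Maps Semgrep JSON and CodeQL SARIF results onto one Finding schema,
deduplicates by fingerprint, applies a triage suppression list and sorts
by severity. All input documents below are constructed samples.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample in Semgrep's JSON output shape (trimmed to the fields used).
# The second result repeats the first, as a re-scan of the same file would.
SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.eval-detected",
         "path": "app/views.py", "start": {"line": 42, "col": 5},
         "extra": {"message": "Detected the use of eval().", "severity": "ERROR"}},
        {"check_id": "python.lang.security.audit.eval-detected",
         "path": "app/views.py", "start": {"line": 42, "col": 5},
         "extra": {"message": "Detected the use of eval().", "severity": "ERROR"}},
    ],
    "errors": [],
})

# Constructed sample in SARIF 2.1.0 shape as CodeQL emits it (trimmed).
CODEQL_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/code-injection", "level": "error",
             "message": {"text": "This code execution depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/clear-text-logging-sensitive-data", "level": "warning",
             "message": {"text": "This expression logs sensitive data (password)."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# Tool-specific severity labels collapsed onto one scale.
SEVERITY = {"ERROR": "high", "error": "high", "WARNING": "medium",
            "warning": "medium", "INFO": "low", "note": "low"}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    path: str
    line: int
    severity: str
    message: str

    @property
    def fingerprint(self) -> str:
        # Stable key: the same tool, rule and location is the same finding
        # across scans, so triage decisions survive re-runs.
        raw = f"{self.tool}|{self.rule}|{self.path}|{self.line}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def parse_semgrep(doc: str) -> list:
    """Semgrep JSON -> list of Finding."""
    data = json.loads(doc)
    return [Finding("semgrep", r["check_id"], r["path"], int(r["start"]["line"]),
                    SEVERITY.get(r["extra"]["severity"], "low"), r["extra"]["message"])
            for r in data.get("results", [])]


def parse_codeql_sarif(doc: str) -> list:
    """SARIF (as produced by CodeQL) -> list of Finding; first location only."""
    data = json.loads(doc)
    out = []
    for run_ in data.get("runs", []):
        tool = run_["tool"]["driver"]["name"].lower()
        for r in run_.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            out.append(Finding(tool, r["ruleId"], loc["artifactLocation"]["uri"],
                               int(loc["region"]["startLine"]),
                               SEVERITY.get(r.get("level", "warning"), "low"),
                               r["message"]["text"]))
    return out


def dedupe(findings: list) -> list:
    """Keep the first finding per fingerprint."""
    seen, out = set(), []
    for f in findings:
        if f.fingerprint not in seen:
            seen.add(f.fingerprint)
            out.append(f)
    return out


def triage(findings: list, suppressed) -> list:
    """Drop findings whose fingerprint a reviewer has already marked as accepted."""
    return [f for f in findings if f.fingerprint not in suppressed]


PARSERS = {"semgrep": parse_semgrep, "codeql": parse_codeql_sarif}


def run(reports, suppressed=frozenset()) -> list:
    """Single entry point: (tool, report_text) pairs -> deduplicated, triaged findings."""
    findings = []
    for tool, doc in reports:
        findings.extend(PARSERS[tool](doc))
    findings = triage(dedupe(findings), suppressed)
    return sorted(findings, key=lambda f: (RANK[f.severity], f.path, f.line))


if __name__ == "__main__":
    for f in run([("semgrep", SEMGREP_JSON), ("codeql", CODEQL_SARIF)]):
        print(f"[{f.severity}] {f.tool}:{f.rule} {f.path}:{f.line} "
              f"({f.fingerprint}) {f.message}")
```

The fingerprint deliberately excludes the message text, so a reworded rule message does not reopen an already-triaged finding; in practice one would also fold in a content hash of the flagged line so that a finding moving a few lines after an unrelated edit keeps its triage state.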