Monday, October 30, 2023

Security analysis with a SAST tool

The first step in security analysis is Static Application Security Testing (SAST), which is essentially a review of the code to highlight segments that might give away too much information or might match known vulnerable code patterns. I use HCL AppScan, which is an extension for VSCode, and it highlights code vulnerabilities after the file is saved. So far, none of the code in any of the files has had any vulnerabilities highlighted.

In the unit test files, there is no highlighting of security vulnerabilities even though there is clearly hardcoding of credentials such as test user passwords, which makes me wonder whether AppScan excludes unit test files from the security scan. As a check, I chose a random file, models.py, and inserted a dummy line with a hardcoded credential. This was immediately highlighted as a security vulnerability with the status ‘High’. However, the manner in which it picked up the vulnerability seems to indicate that the check is not very robust. For example:

self.password = '123'

was highlighted as a vulnerability, but:

self.set_password('123')

was not highlighted, though it should have been. This points to the fact that HCL AppScan may not be a very robust SAST tool for Python/Django code.
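To show what closing that gap looks like, here is a small AST-based check added for this post (it is not AppScan's or semgrep's logic): it flags a string literal both when assigned directly to a credential attribute and when passed to a setter such as set_password. The attribute and setter names are assumptions chosen for the example, and the sample source is constructed from the two lines above.

```python
import ast
from dataclasses import dataclass

# Assumed names for this example, not any vendor's rule set.
SECRET_ATTRS = {"password", "passwd", "secret", "token", "api_key"}
SECRET_SETTERS = {"set_password", "set_secret"}


@dataclass
class Finding:
    lineno: int
    pattern: str  # "assignment" or "call"
    target: str   # attribute or setter name that received the literal


def _is_literal_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source: str) -> list[Finding]:
    """Flag string literals bound to a credential attribute or passed to a setter."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Pattern 1: self.password = '123' (the case AppScan catches)
        if isinstance(node, ast.Assign) and _is_literal_str(node.value):
            for tgt in node.targets:
                name = tgt.attr if isinstance(tgt, ast.Attribute) else getattr(tgt, "id", "")
                if name.lower() in SECRET_ATTRS:
                    findings.append(Finding(node.lineno, "assignment", name))
        # Pattern 2: self.set_password('123') (the case AppScan missed)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            literal_args = [a for a in node.args if _is_literal_str(a)]
            literal_kwargs = [k for k in node.keywords if _is_literal_str(k.value)]
            if node.func.attr in SECRET_SETTERS and (literal_args or literal_kwargs):
                findings.append(Finding(node.lineno, "call", node.func.attr))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample modelled on the post's two lines plus a non-literal control.
SAMPLE = """
class User:
    def __init__(self):
        self.password = '123'                 # should be flagged
        self.set_password('123')              # should also be flagged
        self.set_password(os.environ["PW"])   # not a literal: leave alone
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE):
        print(f"line {f.lineno}: hardcoded credential via {f.pattern} to {f.target}")
```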

Another SAST tool that I have used in the past is semgrep, though that was for JavaScript. Running a very basic scan using

semgrep scan --config=auto

does return a few vulnerabilities, though none of them relate to hardcoding the password; rather they concern not validating the password, which is also a vulnerability. At the moment, I do not want to implement password validation, as it would mean any password used during testing would fail, since most test passwords are plain-text passwords that resemble common words. Here, only a basic test is being run, the rules are not being fine-tuned, and the test is completely offline. However, the fact that the vulnerabilities are more closely related to Django and web apps makes it more promising than AppScan.
