Find a Security Scanning Tool that can output a SARIF file that can be ingested into Github's CodeQL #14
Comments
Potential Solutions
- semgrep doesn't support Dart as of now, though a January 2023 update added experimental Dart support
- Codecov - Free version - claims Dart support, but the application needs to be installed for the organization, I don't think there's a way to run locally 🤔
- osv-scanner - Free - Uses https://osv.dev/ as database of vulnerabilities and scans pub packages; though not in their docs, they do support SARIF outputs
- SonarSource - Paid - no Dart support / SonarQube has a community edition - doesn't list Dart, but will try to follow this guide and see what it can do. [Edit: 8/31: No SARIF output]

Solutions Passed On (due to no support or paid)
- Veracode - Paid - They do support Dart & Flutter
- Checkmarx - Paid - Does support Dart
- Synopsys has Coverity, which is a Paid service. Don't think they support Dart.
- Snyk - Free version - no Dart support
- ContrastSecurity - Free version? - no Dart support
- Mend.io - Paid - no Dart support
- Sonatype.com - No support
- Gitlab.com - No support
- Acunetix.com - No support
@cbhernan, based off of what you mentioned, osv-scanner could work to mark the requirement for SCA (Software Composition Analysis). Have their docs simply not been updated yet? I searched briefly into their GitHub issues for any DART support and no luck. Noting @RV-LACity since the repository will be open source, I don't see a reason why we can't use CodeCov's free SaaS offering if I understood correctly. It should not be a problem to install the app into our GitHub organization but we will need to figure out how we would manage it. @cbhernan if you think that Codecov will offer the best scanning capabilities out of any other solution we can look into it. Tangent, but there is a way to self-host codecov, there is a docker-compose.yml file they provide but we would just go with the free SaaS offering if it boils down to this. Regarding Semgrep, it's experimental but we should explore it to help satisfy our requirement of having at least two SAST tools.
@RV-LACity and I reviewed with @cbhernan the SAST tooling listed as well as GitHub CodeQL and Trivy. Unfortunately, we are unable to find a tool that supports static application security scans for DART codebases. Semgrep says it is experimental but it is not in production. Codecov focuses on code coverage reporting but it seems like there is a product available for SAST. We are pretty sure that is a paid product. @cbhernan will look into testing Semgrep with the experimental ruleset for DART. If it is not available or valuable for us, @RV-LACity and I agreed that we will put adding SAST for DART on hold until a supported and easily accessible tool gets released.
@cbhernan separate from this scope but we agree that SCA should still be done for DART packages.
@CityOfLosAngeles/ita-devsecops-team I found this potential SAST tool for DART - https://docs.horusec.io/docs/cli/analysis-tools/overview, would appreciate your thoughts!
@cbhernan, let's try and implement this tool within GitHub Actions, https://docs.horusec.io/docs/cli/installation/#github-actions.
Closing this as we have OSV-Scanner checking our Pub packages for security issues and Dependabot and Semgrep for our Node code. Both contribute a SARIF file. Horusec is lower priority and nice to have since its capability seems limited.
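For the setup the thread settled on (osv-scanner producing SARIF that GitHub code scanning ingests), here is an added example of a GitHub Actions workflow; it is not from this issue or the project's repository. The lockfile path, default branch name, pinned action versions and the osv-scanner major version are assumptions.

```yaml
name: SCA for Dart pub packages (osv-scanner to SARIF)

on:
  push:
    branches: [main]            # assumed default branch
  pull_request:
  schedule:
    - cron: "0 6 * * 1"         # weekly rescan so newly published advisories surface without a code change

permissions:
  contents: read
  security-events: write        # required for upload-sarif to write to the code scanning tab

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: "1.21"    # assumed; any Go release osv-scanner v1 builds with

      - name: Install osv-scanner
        run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1

      # osv-scanner exits non-zero when it finds a vulnerable package, so let the
      # step "fail" without stopping the job; the SARIF must still be uploaded.
      - name: Scan pubspec.lock and write SARIF
        id: scan
        continue-on-error: true
        run: |
          osv-scanner --format sarif --output osv-results.sarif \
            --lockfile ./pubspec.lock   # assumed lockfile location

      - name: Upload SARIF to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: osv-results.sarif
          category: osv-scanner-dart  # keeps these alerts separate from CodeQL / Semgrep uploads

      # Re-raise the scanner's verdict after the upload so the PR check still goes red.
      - name: Fail the job if vulnerabilities were found
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

Because `continue-on-error` is set, `steps.scan.outcome` is `failure` while the job continues, which is what lets the upload step run before the final step fails the check.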