Technical Discovery: replace nodejs-scan with semgrep analyzer
Proposal
nodejs-scan uses libsast for SAST, and libsast in turn uses semgrep. Can we use our semgrep analyzer to execute the same SAST checks that nodejs-scan covers?
Note: verify the licensing of the upstream project.
Questions:
- How are the nodejs-scan rules defined?
- Can nodejs-scan run njsscan with --missing-controls?
- Will the rules run in semgrep?
- Are we allowed to use them as per the license?
Edited by Craig Smith