
SAST Support for Kotlin (General, not Android)

Problem to solve

Request from customer to add a SAST Vulnerability Scanner for Kotlin

Intended users

Members of the Security Team and Developers would get first-hand information about vulnerable code written in Kotlin.

Further details

This would continue to allow for the "Shift Left" mentality that we are instilling in teams coding in other languages.

Proposal

Perhaps by using an existing analyzer, but it appears that Spotbugs does not yet have support for Kotlin.

https://github.com/spotbugs/spotbugs/issues/573

Permissions and Security

The permissions would be the same as those for existing SAST scans.

What does success look like, and how can we measure that?

Users developing in Kotlin would have vulnerability scan results presented in the same way that existing scan tools do. E.g. directly in the Merge Request screen.

What is the type of buyer?

Users looking to take advantage of our SAST capabilities.

Links / references

Edited by Taylor McCaslin