Hello Sir,
I am looking for a SAST tool for SQL Server code which is open source or free to use.
Kindly let me know if any SAST tool is available. Thanks
By SAST I assume you mean something like this:
Beyond the utilities listed there, Microsoft offers static database code analysis in Visual Studio and SQL Server Data Tools:
Redgate also has code analysis features:
https://documentation.red-gate.com/codeanalysis/code-analysis-for-sql-server
Their SQLPrompt product has the code analysis feature; it's not free, but there's a free trial period.
Neither of them is open source, but you can add custom checking rules.
I'm not aware of any product that strictly does security testing for SQL code; generally that will fall under other best practices such as preventing SQL injection, limiting dynamic SQL, etc. You might want to broaden your search for "sql server static analysis" and possibly find other products. I know there was at least one other static tool for SQL Server but can't find it now, and it's neither free nor open source.
Other security issues in SQL Server typically fall under over-granting permissions to database objects, not securing sensitive data, and overly permissive server access such as insecure passwords, access via insecure networks, etc. Some of these can be audited/evaluated using the Vulnerability Assessment feature in SQL Server Management Studio:
I don't believe it analyzes SQL code though; if it does, it's not a comprehensive analysis.
Lastly, Microsoft offers some utilities from their Tiger Team:
There's a best practices (BP) check in there, though there's only one security-related check. Some of the other scripts may be useful to you, and they're free and the source code is available. The license is not "open", however, in the sense that you could modify and/or redistribute it.
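As an added example (not code from the OWASP list, Microsoft, Redgate or this answer): a small Python check for the "dynamic SQL built by concatenation" pattern the answer mentions, the kind of custom rule one might write when no free SAST tool fits. It assumes one T-SQL statement per line, and the procedure fragment it scans is a constructed sample.

```python
# Toy static check for T-SQL: flags dynamic SQL built by string concatenation that is
# then executed. Hypothetical rule for this thread; SAMPLE below is a constructed fragment.
import re

ASSIGN_RE = re.compile(r"^(?:SET|SELECT)\s+(@\w+)\s*(\+=|=)\s*(.+)$", re.I)
SP_EXEC_RE = re.compile(r"\bsp_executesql\s+(@\w+)", re.I)
EXEC_VAR_RE = re.compile(r"\bEXEC(?:UTE)?\s*\(\s*(@\w+)\s*\)", re.I)
EXEC_INLINE_RE = re.compile(r"\bEXEC(?:UTE)?\s*\((.+)\)", re.I)
STRING_RE = re.compile(r"N?'(?:[^']|'')*'")  # T-SQL literal; '' escapes a quote
VAR_RE = re.compile(r"@\w+")

def spliced_vars(expr: str) -> tuple[str, set[str]]:
    """Blank out literals so @params inside quotes (placeholders) are ignored."""
    bare = STRING_RE.sub("''", expr)
    return bare, {v.lower() for v in VAR_RE.findall(bare)}

def scan(script: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for each executed concatenated string."""
    findings, tainted = [], set()  # tainted: variables built by concatenation
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip().rstrip(";")
        if m := ASSIGN_RE.match(line):
            var, op = m.group(1).lower(), m.group(2)
            bare, refs = spliced_vars(m.group(3))
            others = refs - {var}
            if (others and (op == "+=" or "+" in bare)) or (others & tainted):
                tainted.add(var)
            elif op == "=" and var not in refs:
                tainted.discard(var)  # rebuilt from a literal only: clean again
        elif m := SP_EXEC_RE.search(line):
            if m.group(1).lower() in tainted:
                findings.append((no, f"{m.group(1)} was concatenated; sp_executesql parameters do not protect spliced values"))
        elif m := EXEC_VAR_RE.search(line):
            if m.group(1).lower() in tainted:
                findings.append((no, f"EXEC of concatenated string {m.group(1)}"))
        elif m := EXEC_INLINE_RE.search(line):
            bare, refs = spliced_vars(m.group(1))
            if refs and "+" in bare:
                findings.append((no, "EXEC of an inline concatenation"))
    return findings

SAMPLE = """\
SET @sql = N'SELECT * FROM dbo.Orders WHERE Customer = ''' + @Customer + N'''';
SET @sql += N' ORDER BY ' + @OrderBy;
EXEC(@sql);
SET @safe = N'SELECT * FROM dbo.Orders WHERE Customer = @c';
EXEC sp_executesql @safe, N'@c nvarchar(50)', @c = @Customer;
EXEC(N'SELECT COUNT(*) FROM dbo.Orders WHERE Customer = ''' + @Customer + N'''');
"""
```

Running `scan(SAMPLE)` flags lines 3 and 6 and leaves the parameterised `sp_executesql` call on line 5 alone; a real rule set would also need to follow variables across multiple statements and string-splitting helpers, which this check does not.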
Hello Sir,
Yes, correct, we are looking for that kind of tool.
But we are looking for open source or free. Thanks
Then Google is your friend, or review the list available on the OWASP page I linked; some of those products had free/open licensing.