We are currently working on the evaluation of LGTM / GitHub Advanced Security for our company. Does anybody in the community already have experience with this tool and would be interested in sharing their experiences? We’d especially be interested in hearing about the quality of the results that LGTM delivers. Does it find potential vulnerabilities?
Thank you very much and best regards
We’ve been fairly happy with LGTM for the Zaproxy project. It runs on all PRs. Feel free to look around and see how things seem:
Thanks for your feedback @kingthorin! In your profile I saw that you are also OWASP WSTG co-lead. How do you see LGTM regarding vulnerability detection compared with, for example, Checkmarx?
I don’t have any experience with Checkmarx.
I understand. In the Zaproxy project I saw that the alerts from LGTM were not security alerts (more code smells). Would you say that LGTM increases the security of your projects to the level that you are seeking?
Ya I’d say so.
We do also use SonarCloud (SonarScan), which does specifically categorize some SAST results as vulnerabilities.
Note LGTM does have a tag for security-related findings; there just don’t currently seem to be any for the ZAP projects.