GrammaTech CodeSonar extends DevSecOps to embedded software development

GrammaTech announced the latest version of SAST platform CodeSonar, which automates the detection of coding defects to accelerate the implementation of DevSecOps methodologies in embedded software development pipelines.

GrammaTech CodeSonar now supports all leading development languages (C, C++, C# and Java) in one unified platform and integrates with GitHub Actions to provide native static application security testing (SAST) capabilities for embedded code. The new version also includes built-in industry specific reports for security (CERT, OWASP) and safety (AUTOSAR, MISRA and more.)

Embedded software supports critical functions in industrial, automotive, aerospace, military and defense systems where failure is not an option. Ensuring the quality, security and safety of these systems begins with software development. CodeSonar provides transparent SAST capabilities that integrate with existing CI/CD pipelines, such as GitLab, Jenkins and GitHub, to automate the detection and remediation of coding defects throughout the software development lifecycle.

Iris ID, a leading developer and driver of the commercialization and adoption of iris technology, is using CodeSonar to support DevSecOps for a global team of developers to continuously ensure security and improve quality. “With CodeSonar, our developers can look at the code together, discuss the issues and understand why they were found so they can be quickly fixed,” said Jun Hong, Chief Technology Officer for Iris ID. “It has enabled us to make secure coding fundamental to the delivery of our products.”

In addition to existing integrations with Jenkins and GitLab, CodeSonar now integrates with GitHub Actions to provide developers a seamless DevSecOps experience. CodeSonar delivers SAST results directly into the GitHub code scanning UI, enabling development teams to shift left without disruption to their software development life cycle.

CodeSonar integration with GitHub Actions provides the developer community with additional options for adding SAST analysis directly into development workflows and pipelines. By specializing in SAST for embedded software development, CodeSonar enables developers using GitHub to focus on industry specific coding standards where security and functional safety are essential.

The new version of CodeSonar provides the following capabilities and benefits:

• Industry leading language support in a single platform for C, C++, C# and Java that eliminates the need for multiple tools and provides a familiar user experience for all CI/CD pipelines
• Support for security standards maps CERT rules and OWASP rules for C#, C/C++ and Java to CodeSonar warning classes to automate the detection of common coding errors
• Built-in, industry-specific reports identify safety defects for automotive, aviation, government and other sectors and include AUTOSAR C++
• Build-Security-In (BSI), Jet Propulsion Lab (JPL), MISRA C/C++, and NASA Power of 10
• Support for the ODBC library automates the detection of resource leaks, null pointer dereference, unreachable code, etc.
• Variable naming checker for C++ enforces coding style standards to improve code readability and reduce errors

“Embedded application development teams in the same organization often use different languages depending on the product they are working on, and in most industries must comply with specific safety and security standards,” said Vince Arneja, Chief Product Officer for GrammaTech. “CodeSonar now provides comprehensive language support as well as standards compliance tools in one unified platform that is both automated and transparent for end users. With integrations to CI/CD solutions like GitHub Actions, we make it easy for development teams to accelerate the adoption of DevSecOps.”