Product Overview of Coverity
Coverity, a proprietary static application security testing (SAST) solution developed by Synopsys, is designed to help development and security teams identify and address security and quality defects early in the software development life cycle (SDLC). Here’s a detailed look at what Coverity does and its key features.
What Coverity Does
Coverity is a powerful tool that performs static analysis on source code to detect defects and vulnerabilities without executing the code. Because the analysis covers the entire codebase, it can reach execution paths that dynamic testing may never exercise. Coverity also helps teams track and manage risk across the application portfolio, maintain compliance with security and coding standards, and keep development moving by integrating into existing development workflows and CI/CD pipelines.
Key Features and Functionality
Fast and Accurate Analysis
Coverity provides fast and accurate incremental analysis, which runs in the background to minimize disruption. This allows developers to receive real-time results, including Common Weakness Enumeration (CWE) information, remediation guidance, and relevant security training directly within their Integrated Development Environment (IDE) via the Code Sight™ plugin.
Integration with Development Tools
Coverity integrates with a wide range of development tools and workflows. It supports over 20 programming languages and more than 200 frameworks and templates. Developers can use the Point and Scan desktop application or the command-line interface (CLI) to onboard an application simply by pointing the tool at its source code. This flexibility makes it easy to incorporate into existing development environments.
Real-Time Identification and Remediation
The Code Sight™ IDE plugin enables developers to find and fix security and quality defects as they write code. Each identified issue includes detailed descriptions, categories, severity, CWE data, defect location, and actionable remediation guidance. This real-time feedback helps developers understand and resolve issues quickly without needing to become security experts.
Rapid Scan
Coverity includes a Rapid Scan feature, a fast and lightweight static analysis engine that can scan web and mobile applications, microservices, and infrastructure-as-code (IaC) configurations. Rapid Scan provides immediate analysis feedback, can be deployed as a standalone scan engine, and is integrated into automated build pipelines. It supports multiple analysis output formats (SARIF, JSON, and console) and integrates with GitHub Actions and GitLab CI for pipeline scan automation and issue management.
Automated Security Testing in CI/CD Pipelines
Coverity integrates automated security testing into CI/CD pipelines, running full application scans that surface any security or quality issues that have not yet been resolved. It can break the build when policy violations exist, so that only code meeting the configured security and quality policy is deployed.
Scalability and Deployment Flexibility
Coverity is highly scalable and can handle large applications with thousands of developers and tens of millions of lines of code. It can be deployed on-premises or in the cloud using the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform.
Compliance and Customization
Coverity ensures compliance with industry safety standards such as ISO 26262 and DO-330 through the Coverity Qualification Kit (Q-Kit). Additionally, custom checkers can be created to add support for proprietary frameworks or unsupported languages, enhancing its extensibility.
Support for Open Source Projects
For open source projects, Coverity Scan is a free service provided by Synopsys, which allows registered projects to submit their code for analysis. This service helps open source developers identify and fix software defects and vulnerabilities, contributing to the overall security and quality of open source software.
In summary, Coverity is a robust static analysis solution that empowers developers and security teams to deliver secure, high-quality applications by identifying and addressing defects early in the development process, integrating seamlessly into existing workflows, and providing actionable remediation guidance.