https://falcao.org/tags/sast/Recent content in Sast on Danilo Falcão da SilvaHugoen-usFri, 22 May 2026 10:00:00 -0300https://falcao.org/posts/open-source-sast-dast-sca-2026/Fri, 22 May 2026 10:00:00 -0300https://falcao.org/posts/open-source-sast-dast-sca-2026/<p>I don&rsquo;t pay for Snyk. Not because it&rsquo;s bad — it&rsquo;s a genuinely good product — but because there is a free stack that catches the vast majority of the same issues directly in CI, and the remaining gap hasn&rsquo;t been worth roughly <strong>$600 per developer per year</strong> to close. On a team of fifteen engineers, that&rsquo;s the price of a small EC2 fleet you actually need.</p> <p>This post is about the open-source security tooling I actually wire into pipelines: <strong>Trivy</strong> for containers, dependencies and IaC, <strong>Semgrep</strong> for application code, <strong>Nuclei</strong> and <strong>OWASP ZAP</strong> for the live app, and a few honourable mentions. It&rsquo;s not an exhaustive catalogue. It&rsquo;s the stack I keep coming back to.</p>