But these are two very different things. SonarQube is SAST (static analysis, reads the code you wrote) and SCA (composition analysis, reads the dependencies you declare). Wiz is just SCA.

SonarQube FPs come largely from untuned SAST configurations flagging all manner of suspected CWEs (code weaknesses).


Correct. I don’t want either.


So what exactly are you doing with wiz then?


Pay for it, employ monkeys to stare at it, raise lots of JIRA tickets and generally live in a state of misery.


Sounds terrible. Doesn't have to be that way though. If it's not actionable and relevant, nobody should see it. If you really adopt this approach, the tool choice doesn't really matter except for the varying complexity of filtering to ensure only the good stuff gets bubbled up.
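The filtering this comment advocates, written out as an added example (not code from the thread, and not part of Wiz or SonarQube). The finding schema, the policy fields, the tool names in the sample data and the suppression format are all assumptions; the point is that the tool's raw output is never what engineers see, only what survives a policy that encodes "actionable and relevant":

```python
"""Triage SAST/SCA findings so only actionable, relevant ones reach engineers.

Added example; the Finding schema, Policy fields and sample data are assumed,
not taken from any real scanner's output format.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TODAY = date(2024, 1, 1)  # fixed so the sample run is reproducible


@dataclass(frozen=True)
class Finding:
    tool: str            # "sonarqube" (SAST) or "wiz" (SCA) in this example
    rule_id: str         # CWE id for SAST, advisory id for SCA (placeholders here)
    location: str        # dependency name (SCA) or source path (SAST)
    severity: str
    fix_available: bool  # patched version (SCA) or known remediation (SAST)
    scope: str           # "runtime" or "dev"
    reachable: bool      # the flagged code/dependency is actually exercised


@dataclass
class Policy:
    min_severity: str = "high"
    runtime_only: bool = True
    require_fix: bool = True
    require_reachable: bool = True
    # (tool, rule_id, location) -> date the suppression expires; an expired
    # suppression is ignored so accepted risk gets re-reviewed, not forgotten
    suppressions: dict = field(default_factory=dict)


def drop_reason(f, policy, today):
    """Return why a finding should be hidden, or None if it is actionable."""
    if SEVERITY_RANK.get(f.severity, 0) < SEVERITY_RANK[policy.min_severity]:
        return "below_severity"
    if policy.runtime_only and f.scope != "runtime":
        return "dev_scope"
    if policy.require_fix and not f.fix_available:
        return "no_fix"
    if policy.require_reachable and not f.reachable:
        return "unreachable"
    expiry = policy.suppressions.get((f.tool, f.rule_id, f.location))
    if expiry is not None and expiry >= today:
        return "suppressed"
    return None


def triage(findings, policy, today=None):
    """Split findings into the list engineers see and a count of what was hidden and why."""
    today = today or date.today()
    seen, actionable, hidden = set(), [], Counter()
    for f in findings:
        key = (f.tool, f.rule_id, f.location)
        if key in seen:  # same issue reported twice (e.g. by two scans)
            hidden["duplicate"] += 1
            continue
        seen.add(key)
        reason = drop_reason(f, policy, today)
        if reason:
            hidden[reason] += 1
        else:
            actionable.append(f)
    return actionable, hidden


# Constructed sample findings; advisory ids and package names are placeholders.
SAMPLE = [
    Finding("wiz", "ADV-0001", "libfoo", "critical", True, "runtime", True),
    Finding("wiz", "ADV-0001", "libfoo", "critical", True, "runtime", True),  # duplicate
    Finding("wiz", "ADV-0002", "devtool", "high", True, "dev", True),         # dev-only
    Finding("wiz", "ADV-0003", "libbar", "medium", True, "runtime", True),    # too low
    Finding("wiz", "ADV-0004", "libbaz", "critical", False, "runtime", True), # no fix yet
    Finding("wiz", "ADV-0005", "libqux", "high", True, "runtime", False),     # unreachable
    Finding("sonarqube", "CWE-79", "app/views.py", "high", True, "runtime", True),
    Finding("sonarqube", "CWE-89", "app/db.py", "high", True, "runtime", True),
]

POLICY = Policy(suppressions={
    ("sonarqube", "CWE-79", "app/views.py"): date(2099, 1, 1),  # accepted risk, still valid
    ("sonarqube", "CWE-89", "app/db.py"): date(2020, 1, 1),     # expired: resurfaces
})

if __name__ == "__main__":
    kept, hidden = triage(SAMPLE, POLICY, today=TODAY)
    for f in kept:
        print(f"{f.tool}:{f.rule_id} at {f.location} ({f.severity})")
    print("hidden:", dict(hidden))
```

Run against the sample, two of the eight findings survive (the runtime-reachable critical with a fix, and the SAST finding whose suppression has lapsed); the rest are counted by drop reason so the filter itself can be audited rather than silently swallowing output. The suppression expiry is the piece most teams skip and the one that turns "we filtered it" into "we forgot it".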


Some of our engineers talk about SonarQube this, dependabot that, Snyk this so much I am suspicious any actual work is done. Shackles made of red tape. Standstill is velocity. Freedom is slavery?


Yeah that. It seemed like a good idea but now we're enslaved by it.
