Security Analysis Capabilities
Teamscale provides comprehensive security analysis capabilities to help you identify and address vulnerabilities in your codebase, including support for the static application security testing (SAST) methodology. Its security analysis capabilities include:
- Static Code Analysis: Detects common security issues such as SQL injection, cross-site scripting (XSS), and insecure API usage. This detection is based on static analysis of the source code and corresponds to static application security testing (SAST).
- Industry Standards: Integrates with industry-recognized security standards such as the OWASP Top 10 and CWE Top 25.
- Integration: Works seamlessly with CI/CD pipelines and other development tools to ensure security checks are part of your workflow.
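To make concrete what a SAST check of the kind listed above actually does, here is a small, added illustration (not Teamscale's, Bandit's or any other analyzer's code). It parses Python source with the standard `ast` module and reports `execute()` calls whose query string is assembled at runtime by concatenation, `%`-formatting, `str.format()` or an f-string, which is the classic SQL-injection pattern that static analyzers look for, while a parameterized query passes. The sample source it scans is constructed for the example and the function names in it are hypothetical.

```python
"""Toy SAST check: flag SQL queries built from string concatenation or formatting.

Added, illustrative example of how a static analysis check works; it is not
Teamscale's or Bandit's code. It walks the AST of Python source and reports
calls to .execute()/.executemany() whose first argument is a dynamically
built string, i.e. the pattern behind most SQL-injection findings.
"""
import ast

# Constructed sample source (hypothetical application code) used as input.
SAMPLE_SOURCE = '''
def find_user_concat(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_format(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))

def find_user_percent(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_safe(cur, name):
    # Parameterized query: the driver keeps data separate from the SQL text.
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _is_dynamic_string(node):
    """Return a short reason if `node` builds a string at runtime, else None."""
    if isinstance(node, ast.JoinedStr):          # f"..."
        return "f-string"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add):         # "..." + value
            return "string concatenation"
        if isinstance(node.op, ast.Mod):         # "..." % value
            return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):     # "...".format(value)
        return "str.format()"
    return None


def find_sql_injection_sinks(source):
    """Parse `source`; return sorted [(line, reason)] for each suspicious query call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Only look at method calls named execute/executemany with at least one argument.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        reason = _is_dynamic_string(node.args[0])
        if reason is not None:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_sql_injection_sinks(SAMPLE_SOURCE):
        print(f"line {line}: SQL query built via {reason}; use a parameterized query instead")
```

Real analyzers go considerably further (tracking whether the interpolated value is actually attacker-controlled, following it across function boundaries, and recognizing framework-specific sinks), which is why false positives and negatives differ between the tools listed on this page; the structural idea, pattern matching on the parsed code rather than on runtime behaviour, is the same.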
Which Programming Languages Are Supported
Teamscale provides almost 1000 security-related checks that can be enabled and configured as needed for your projects. In particular, Teamscale supports SAST for a wide range of programming languages by integrating with popular SAST tools. The following list shows the supported languages and the corresponding analyzers that can be used for SAST:
- ABAP: Abaplint, Code Inspector
- C: Clang-Tidy, Cppcheck, Gitlab SAST/Semgrep
- C#: Gitlab SAST/Semgrep, Security Code Scan, SonarLint
- C++: Clang-Tidy, Cppcheck, Gitlab SAST/Semgrep
- Dart: Dart Lint
- Go: Gitlab SAST/Semgrep, golangci-lint
- Java: Gitlab SAST/Semgrep, SonarLint
- JavaScript: ESLint, Gitlab SAST/Semgrep, SonarLint
- Kotlin: Gitlab SAST/Semgrep, SonarLint
- PHP: SonarLint
- PowerShell: PowerShell Script Analyzer
- Python: Bandit, Gitlab SAST/Semgrep
- Objective-C: Gitlab SAST/Semgrep
- Swift: Gitlab SAST/Semgrep
- TypeScript: ESLint, Gitlab SAST/Semgrep, SonarLint
This broad support allows Teamscale to help you identify security issues across diverse technology stacks and codebases. In addition, Teamscale ships its own set of security checks, each covering one or, in some cases, all of the programming languages that Teamscale supports.
The Cppcheck Premium integration (licensed separately) offers additional security checks for C and C++. For more detailed information about Cppcheck and its capabilities, refer to this resource in the Teamscale documentation: Static Analysis: Integrated Tools with v2025.1.
How To Enable SAST
When creating a project in Teamscale with a default analysis profile, the SAST checks are typically enabled automatically. This ensures that your code is analyzed for common security vulnerabilities right from the start, without requiring additional configuration.
Beyond the default analysis profiles, Teamscale provides customizable options that allow teams to tailor their security checks to specific project needs and analysis performance requirements.
The following table shows the number of security-relevant checks enabled by the default analysis profiles for some widely used programming languages:
| Language | Tools | Security Checks Enabled by Default |
|---|---|---|
| ABAP | Code Inspector, Teamscale | 96 |
| C# | Security Code Scan, SonarLint, Teamscale | 74 |
| Java | SonarLint, Teamscale | 17 |
| JavaScript/TypeScript | SonarLint, Teamscale | 29 |
| Python | Bandit, Teamscale | 32 |
The numbers above are based on Teamscale version 2025.2. With new versions, more security checks are typically added and made available by default. Some tools, e.g., Cppcheck or Gitlab SAST/Semgrep, are disabled by default; they can easily be enabled and configured in Teamscale's analysis profile editor, starting from a default analysis profile.
Coverage of Industry-recognized Security Standards
Teamscale integrates with industry-recognized security standards to help you address the most critical security risks in your codebase. Teamscale provides strong coverage of the OWASP Top 10:2021, with checks for 10 out of the 10 categories for Java and JavaScript/TypeScript, and 8 out of 10 categories for C#.
In addition, Teamscale includes checks for more than 10 of the weaknesses listed in the CWE Top 25, ensuring that your code is analyzed for many of the most dangerous and widespread software vulnerabilities.
Furthermore, Teamscale integrates with security standards specific to programming languages, such as AUTOSAR, C++ Core Guidelines, CERT-C++, and MISRA, enhancing its ability to address language-specific security concerns.