Semgrep for Cloud Security (marcolancini.it)
61 points by okram87 on Dec 12, 2020 | hide | past | favorite | 5 comments


Nice writeup! Tools like Semgrep and Bellybutton[1] have been invaluable to QA and API enforcement on some of my large research projects.

Clint (mentioned in the post) recently gave an in-depth talk at Empire Hacking on using Semgrep[2]. The talk covers some of the material in this post, as well as use on non-configuration languages.

[1]: https://github.com/hchasestevens/bellybutton

[2]: https://www.youtube.com/watch?v=O5mh8j7-An8


We've been using Sentinel by HashiCorp with great success for this. The language is a little awkward at times, but it has deep integration with Terraform: our policy rules have access to the entire Terraform state, the details of the plan/apply, etc. It lets us write very granular rules, even rules correlating different resources, which would be difficult with a Semgrep approach. For instance, we have a rule that you can't create a Route 53 hosted zone without also enabling logging for the zone (the logging is a separate resource, not an attribute of the hosted zone resource).
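The cross-resource rule described in the comment above, written out as an added example for this thread. It is not the commenter's Sentinel policy and not code from the linked post: instead of Sentinel it implements the same correlation in Python over the JSON that `terraform show -json tfplan` produces, so it runs in any CI without Terraform Cloud or Enterprise. A zone passes only if an `aws_route53_query_log` that survives the plan references it via `zone_id`; the check reads the `configuration` section for references (the `zone_id` value itself is unknown at plan time) and the `resource_changes` section for what is actually being created or deleted. The embedded plan is a constructed, trimmed sample, and resolving zones passed between modules through outputs is out of scope.

```python
"""Plan-time check: every planned aws_route53_zone needs an aws_route53_query_log.

Added example, not the commenter's Sentinel policy. Input is `terraform show -json`
output; SAMPLE_PLAN_JSON below is a constructed, trimmed sample, not real output.
"""
import json
import re

ZONE = "aws_route53_zone"
QUERY_LOG = "aws_route53_query_log"

# Constructed sample: a root zone with a (count=1) query log, and a zone inside
# module "dns" with no query log at all. Only the fields the check reads are kept.
SAMPLE_PLAN_JSON = r"""
{
  "format_version": "0.1",
  "resource_changes": [
    {"address": "aws_route53_zone.public", "mode": "managed", "type": "aws_route53_zone",
     "change": {"actions": ["create"]}},
    {"address": "aws_route53_query_log.public[0]", "mode": "managed",
     "type": "aws_route53_query_log", "change": {"actions": ["create"]}},
    {"address": "module.dns.aws_route53_zone.internal", "mode": "managed",
     "type": "aws_route53_zone", "change": {"actions": ["create"]}}
  ],
  "configuration": {"root_module": {
    "resources": [
      {"address": "aws_route53_zone.public", "type": "aws_route53_zone",
       "expressions": {"name": {"constant_value": "example.com"}}},
      {"address": "aws_route53_query_log.public", "type": "aws_route53_query_log",
       "count_expression": {"constant_value": 1},
       "expressions": {
         "zone_id": {"references": ["aws_route53_zone.public.zone_id", "aws_route53_zone.public"]},
         "cloudwatch_log_group_arn": {"references": ["aws_cloudwatch_log_group.dns.arn"]}}}
    ],
    "module_calls": {"dns": {"source": "./modules/dns", "module": {"resources": [
      {"address": "aws_route53_zone.internal", "type": "aws_route53_zone",
       "expressions": {"name": {"constant_value": "corp.internal"}}}
    ]}}}
  }}
}
"""


def load_plan(text):
    """Parse `terraform show -json tfplan` output into a dict."""
    return json.loads(text)


def _strip_index(address):
    """Drop count/for_each indexes ("[0]", "[\"a\"]") so plan addresses line up
    with configuration addresses, which carry no index."""
    return re.sub(r"\[[^\]]*\]", "", address)


def _planned(plan, rtype):
    """Index-free addresses of managed resources of `rtype` that still exist
    after the plan is applied (anything except a pure delete)."""
    return {
        _strip_index(rc["address"])
        for rc in plan.get("resource_changes", [])
        if rc.get("mode") == "managed" and rc.get("type") == rtype
        and rc["change"]["actions"] != ["delete"]
    }


def _config_resources(module, prefix=""):
    """Walk a configuration module and its child modules, yielding
    (absolute address, module prefix, resource config) for each resource."""
    for res in module.get("resources", []):
        yield prefix + res["address"], prefix, res
    for name, call in module.get("module_calls", {}).items():
        yield from _config_resources(call.get("module", {}), f"{prefix}module.{name}.")


def _zone_references(res, prefix):
    """Zone addresses named by a query log's zone_id expression. Terraform lists
    "aws_route53_zone.x.zone_id" and, in newer versions, also "aws_route53_zone.x";
    both are reduced to the resource address, relative to the log's own module."""
    refs = res.get("expressions", {}).get("zone_id", {}).get("references", [])
    found = set()
    for ref in refs:
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] == ZONE:
            found.add(prefix + parts[0] + "." + parts[1])
    return found


def zones_without_query_logging(plan):
    """Sorted addresses of planned Route 53 zones that no surviving
    aws_route53_query_log in the same plan points at via zone_id."""
    zones = _planned(plan, ZONE)
    logs = _planned(plan, QUERY_LOG)
    covered = set()
    root = plan.get("configuration", {}).get("root_module", {})
    for address, prefix, res in _config_resources(root):
        if res.get("type") == QUERY_LOG and address in logs:
            covered |= _zone_references(res, prefix)
    return sorted(zones - covered)


if __name__ == "__main__":
    for addr in zones_without_query_logging(load_plan(SAMPLE_PLAN_JSON)):
        print(f"DENY: {addr} is created without an aws_route53_query_log")
```

In CI this would run as `terraform plan -out=tfplan && terraform show -json tfplan | python3 check_zone_logging.py` (file name assumed) and fail the job when the list is non-empty. Checking the `configuration` section rather than `after` values is what makes the correlation work at plan time: the zone's `zone_id` is still unknown, but the reference from the log resource to the zone resource is already visible.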


As a Terraform SAST tool, this has competition with tfsec, tflint, and checkov. I do like how it also checks the Kubernetes YAML.

I'd like if these types of articles would mention the competitors to show what additional value that the one they pitch brings to the table.


What are your thoughts on the overlap between these tools? I have a CI SaaS with checkov by default. It performs really well and requires no configuration, which was exciting. tfsec would be easy to add, but I'm not sure how duplicative it is of checkov. Anyone here have opinions?


It's so neat to see semgrep branching out to support more languages including IaaS. At [muse](https://github.com/marketplace/muse-dev) we went a different path of making a platform to run multiple tools. By default the tools include semgrep and, regarding the IaaS space, checkov.



