Static analysis tools come in many forms andconfigurations, allowing them to handle various tasks in a (secure) development process: code style linting, bug/vulnerability detection, verification, etc., and adapt to the specific requirements of a software project, thus reducing the number of false positives.The wide range of configuration options poses a hurdle in their use for software developers, as the tools cannot be deployed out-of-the-box. However, static analysis tools only develop their full benefit if they are integrated into the software development workflow and used on regular. Vulnerability management should be integrated via version history to identify hotspots, for example. We present an analysis platform that integrates several static analysis tools that enable Git-based repositories to continuously monitor warnings across their version history. The framework is easily extensible with other tools and programming languages. We provide a visualization component in the form of a dashboard to display security trends and hotspots. Our tool can also be used to create a database of security alerts at a scale well-suited for machine learning applications such as bug or vulnerability detection.

翻译：静态分析工具有多种形式和配置，使其能够处理（安全）开发流程中的各类任务：代码风格检查、错误/漏洞检测、验证等，并可针对软件项目的具体需求进行适配，从而减少误报数量。然而，广泛的配置选项给软件开发人员的使用带来了障碍，因为这些工具无法开箱即用。但只有将静态分析工具集成到软件开发工作流中并定期使用，才能充分发挥其效益。例如，应通过版本历史集成漏洞管理以识别热点区域。我们提出一个集成了多种静态分析工具的分析平台，该平台支持基于Git的仓库在版本历史中持续监控警告信息。该框架可轻松扩展其他工具和编程语言。我们提供可视化组件（仪表盘形式），用于展示安全趋势和热点区域。我们的工具还可用于构建大规模安全警报数据库，这类数据库非常适用于机器学习应用，例如漏洞或缺陷检测。