https://www.youngju.dev/blog 천천히 올바르게. AI Researcher & DevOps Engineer Youngju's tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering. ko fjvbn2003@gmail.com (Youngju Kim) fjvbn2003@gmail.com (Youngju Kim) Fri, 15 May 2026 00:00:00 GMT https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive.en Mapping the 2026 code security tooling landscape — Semgrep (the de facto OSS SAST plus Pro engine and Supply Chain), CodeQL (the heart of GitHub Advanced Security, dataflow king), Snyk Code (SAST+SCA after the DeepCode AI integration), SonarQube 11 (how the classic stays alive), Aikido Security (the all-in-one newcomer with AI Autofix), Cycode and GitGuardian (supply chain + secrets), Trivy/Aqua (containers + dependencies), Checkmarx and Veracode (enterprise stalwarts), OWASP ZAP, Bearer, Endor Labs, Socket.dev. SBOM (SPDX/CycloneDX) maturing, reachability analysis, LLM autofix, EU CRA 2024, and the Korea/Japan landscape with KaibAi and FFRI. Fri, 15 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) securitysaststatic-analysissemgrepcodeqlsnyksonarqubeaikidocycodegitguardiantrivycheckmarxsbomdevsecops2026deep-diveenglish https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive.ja 2026年のコードセキュリティツール地図を描く — Semgrep(オープンソース SAST のデファクト + Pro engine と Supply Chain)、CodeQL(GitHub Advanced Security の中核、dataflow の王者)、Snyk Code(DeepCode AI 統合後の SAST+SCA)、SonarQube 11(クラシックの生存戦略)、Aikido Security(オールインワン新興 + AI Autofix)、Cycode と GitGuardian(サプライチェーン + シークレット)、Trivy/Aqua(コンテナ + 依存)、Checkmarx と Veracode(エンタープライズ陣営)、OWASP ZAP、Bearer、Endor Labs、Socket.dev。SBOM(SPDX/CycloneDX)成熟、reachability analysis、LLM autofix、EU CRA 2024、そして KaibAi と FFRI など韓国・日本市場まで。 Fri, 15 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) securitysaststatic-analysissemgrepcodeqlsnyksonarqubeaikidocycodegitguardiantrivycheckmarxsbomdevsecops2026deep-dive日本語 https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive https://www.youngju.dev/blog/culture/2026-05-15-static-analysis-sast-2026-semgrep-codeql-snyk-sonarqube-aikido-trivy-deep-dive 2026년 코드 보안 도구 지도를 그린다 — Semgrep(오픈소스 SAST의 표준 + Pro engine과 Supply Chain), CodeQL(GitHub Advanced Security의 핵심, dataflow 강자), Snyk Code(DeepCode AI 통합 이후의 SAST+SCA), SonarQube 11(클래식이 살아남는 법), Aikido Security(올인원 신예 + AI Autofix), Cycode·GitGuardian(공급망 + 시크릿), Trivy/Aqua(컨테이너 + 디펜던시), Checkmarx·Veracode(엔터프라이즈 진영), OWASP ZAP·Bearer·Endor Labs·Socket.dev. SBOM(SPDX/CycloneDX) 표준화, reachability analysis, LLM autofix, EU CRA 2024, 그리고 KaibAi·FFRI까지. Fri, 15 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) securitysaststatic-analysissemgrepcodeqlsnyksonarqubeaikidocycodegitguardiantrivycheckmarxsbomdevsecops2026deep-dive https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive.en A May 2026 deep dive across the code quality and SAST ecosystem. Covers platforms (SonarQube 10.x, SonarCloud, CodeClimate, Codacy, DeepSource, Qodana, Qodo Cover), SAST engines (Semgrep 1.x, CodeQL, Snyk Code, Veracode, Checkmarx), per-language linters (ESLint 9 flat config, Biome, Oxlint, Ruff, golangci-lint, clippy), AI code review (Copilot Code Review, Greptile, CodeRabbit, Cursor Bugbot), and adoption stories from NAVER, Coupang, Toss, Mercari, LINE Yahoo. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) code-qualitystatic-analysissonarqubecodeclimatecodacydeepsourceqodosnyk-codesemgrepeslintsast2026deep-diveenglish https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive.ja 2026年5月時点のコード品質・静的解析(SAST)エコシステムを一気に整理します。SonarQube 10.x・SonarCloud・CodeClimate・Codacy・DeepSource・Qodana・Qodo Cover といったプラットフォーム、Semgrep 1.x・CodeQL・Snyk Code・Veracode・Checkmarx といった SAST エンジン、ESLint 9 flat config・Biome・Oxlint・Ruff・golangci-lint・clippy といった言語別リンター、AI コードレビュー(Copilot Code Review・Greptile・CodeRabbit・Cursor Bugbot)、そして NAVER・Coupang・Toss・Mercari・LINE ヤフーの事例まで網羅します。 Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) code-qualitystatic-analysissonarqubecodeclimatecodacydeepsourceqodosnyk-codesemgrepeslintsast2026deep-dive日本語 https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive https://www.youngju.dev/blog/culture/2026-05-16-code-quality-static-analysis-2026-sonarqube-codeclimate-codacy-deepsource-qodo-cover-snyk-code-semgrep-eslint-deep-dive 2026년 5월 기준 코드 품질·정적 분석(SAST) 생태계를 한 글로 정리합니다. SonarQube 10.x·SonarCloud·CodeClimate·Codacy·DeepSource·Qodana·Qodo Cover 같은 플랫폼, Semgrep 1.x·CodeQL·Snyk Code·Veracode·Checkmarx 같은 SAST 엔진, ESLint 9 flat config·Biome·Oxlint·Ruff·golangci-lint·clippy 같은 언어별 린터, AI 코드 리뷰(Copilot Code Review·Greptile·CodeRabbit·Cursor Bugbot), 그리고 NAVER·Coupang·Toss·Mercari·LINE Yahoo 사례까지 담았습니다. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) code-qualitystatic-analysissonarqubecodeclimatecodacydeepsourceqodosnyk-codesemgrepeslintsast2026deep-dive