Semgrep and SonarQube
Semgrep is the standard cross-language SAST tool for Python, JavaScript, TypeScript, YAML, Dockerfiles, and supported configuration. Rules focus on unsafe APIs, injection, authorization mistakes, insecure deserialization, and Nexa-specific patterns.
SonarQube aggregates maintainability, duplication, bug patterns, and unit coverage. Community Edition is acceptable for the initial baseline. Developer or higher editions may be evaluated later for branch and PR analysis, but CI must not depend on a future commercial purchase.
Findings are triaged by code owners. Suppressions are narrow, explained, and time-bound. During migration, Bandit may run in comparison mode for Python, then retire after coverage is validated.