
Add more options for SAST tools #2318

Open
Description

@varunsh-coder

Is your feature request related to a problem? Please describe.
I would like to start a discussion to add more options for SAST tools. As of now, 3 tools are checked in the SAST check - CodeQL, LGTM, Sonar. As per this issue, LGTM is going away.

Here are some of the things to consider:

  1. Language-specific tools - as an example, GoSec and Bandit are well-known tools for Go and Python respectively.
  2. Pricing - if one runs Scorecard in a private repo, they might want to pass the SAST check while using free/open-source SAST tools.
  3. Specialized purpose - as an example, there are tools that specialize in scanning for secrets. This is an important check which is missing in Scorecard today. Also, the CIS benchmark for supply chain security has the following additional categories:
    • Scanner for CI pipelines - I think Scorecard already has checks for GitHub Actions.
    • Scanner for IaC - not sure if this is in-scope for Scorecard
    • Scanner for vulnerabilities in open source packages being used, e.g. Dependency Review Action.
    • Scanner for open source license issues

Describe the solution you'd like
Would like to have a discussion to come to consensus on what additional SAST tools to add to the Scorecard check. Based on the decision, those tools can then be added to the SAST check.
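As an added illustration, not Scorecard's own code, here is a Go sketch of how a check could recognise the tools proposed above inside a GitHub Actions workflow file: it matches `uses:` action slugs and command names in `run:` steps, following multi-line `run: |` blocks by indentation. The rule tables, regexes and function names are assumptions; only github/codeql-action and securego/gosec are action repositories known to exist.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical rule tables (not Scorecard's own): `uses:` action slugs and `run:` command
// words that mark a SAST tool. github/codeql-action and securego/gosec are real action repos.
var actionSlugs = map[string]string{"github/codeql-action/analyze": "CodeQL", "securego/gosec": "gosec"}
var runCommands = map[string]string{"gosec": "gosec", "bandit": "Bandit"}
var usesRe = regexp.MustCompile(`^-?\s*uses:\s*([^@\s]+)`)
var runRe = regexp.MustCompile(`^-?\s*run:\s*(.*)$`)

// DetectSAST scans workflow YAML line by line and reports which SAST tools it finds.
// Block-scalar `run: |` bodies are tracked by indentation so their commands are inspected too.
func DetectSAST(workflow string) map[string]bool {
	found := map[string]bool{}
	mark := func(cmd string) { // record any known tool named on a command line
		for _, w := range strings.Fields(cmd) {
			if tool, ok := runCommands[w]; ok {
				found[tool] = true
			}
		}
	}
	inRun, runIndent := false, 0
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		raw := sc.Text()
		line, ind := strings.TrimSpace(raw), len(raw)-len(strings.TrimLeft(raw, " "))
		if inRun && (line == "" || ind > runIndent) {
			mark(line) // still inside the run block
			continue
		}
		inRun = false
		if m := usesRe.FindStringSubmatch(line); m != nil {
			if tool, ok := actionSlugs[strings.Trim(m[1], `"'`)]; ok {
				found[tool] = true
			}
		} else if m := runRe.FindStringSubmatch(line); m != nil {
			mark(m[1]) // one-line command, or "|" / ">" opening a block scalar
			inRun, runIndent = strings.HasPrefix(m[1], "|") || strings.HasPrefix(m[1], ">"), ind
		}
	}
	return found
}

func main() { // constructed sample workflow, not a real repository's file
	fmt.Println(DetectSAST("steps:\n  - uses: github/codeql-action/analyze@v2\n  - run: |\n      bandit -r .\n")) // map[Bandit:true CodeQL:true]
}
```

A real check would also need to consider the language of the repository, since a Go-only repo passing on Bandit output would be meaningless; the table above is only the matching half of the problem.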
