I sent you some suggestions before, which inspired me to create this OWASP page: https://www.owasp.org/index.php/Free_for_Open_Source_Application_Security_Tools
Let me know what you think. Useful? Any suggested changes/additions?

I know you are using SpotBugs with the FindSecBugs plugin. Maybe you can start using one of the Open Source Component Vulnerability Checking tools? I know you didn't want to use Snyk because it wanted write access to your GitHub repo to create pull requests. However, you can instead use their Command Line Interface, which doesn't require write access AND the results are kept private to you, which is ALSO important :-) I'd love for your team to give that a whirl and see if it works.

Let me know if you try to use any of these other tools and how well they do/do not work for you. Happy to help if your team needs any.

I've never shown this to anyone else, by the way. Your team is the first :-)

Thanks,
Dave
