Check for FIPS 140-2 compliance using SonarQube

Hi,

Can SonarQube be used to scan source code to check for FIPS 140-2 compliance?

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies in the US. We are trying to specify whether our software components are FIPS compliant or not.

Hi @kirann

Welcome to the community!

Recently, we have greatly improved SonarQube cryptography rules for the Java language; see, for example, this product announcement. Some of these rules are based on FIPS or other NIST recommendations. For example, the rule S4426 is based on the NIST special publication 800-131A, which is pretty aligned with FIPS (or even stricter).

Depending on the development language of your software components, SonarQube can currently be a great help in achieving FIPS compliance, but we cannot say that SonarQube covers all the checks required for FIPS compliance for all the languages. Even though we will continue to improve our cryptography rules over time, this could never be the case, because FIPS is not limited to software: it requires, for example, the implementation of certain protections against physical attacks, like tampering detection, on cryptographic modules, and a SAST product cannot offer the complete solution for this.

Eric
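As an added illustration (not code from this thread or from SonarSource), here are the weak and the compliant forms of Java key generation that a key-strength rule such as S4426 distinguishes. The minimum sizes used are the NIST SP 800-131A minimums for RSA/DSA, EC and AES; that these are exactly the thresholds the rule enforces is this example's own assumption.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;

public class KeyStrengthExample {

    // Minimum acceptable key sizes under NIST SP 800-131A. Assumption: a rule
    // like S4426 applies the same thresholds to the Java calls shown below.
    static final int MIN_RSA_DSA_BITS = 2048;
    static final int MIN_EC_BITS = 224;
    static final int MIN_AES_BITS = 128;

    /** Mirrors the check a key-strength SAST rule performs on a requested size. */
    static boolean isRobustKeySize(String algorithm, int bits) {
        switch (algorithm) {
            case "RSA":
            case "DSA": return bits >= MIN_RSA_DSA_BITS;
            case "EC":  return bits >= MIN_EC_BITS;
            case "AES": return bits >= MIN_AES_BITS;
            default:    return false; // unknown algorithm: treat as not compliant
        }
    }

    // Noncompliant: 1024-bit RSA is below the SP 800-131A minimum; this is the
    // kind of initialize() call a key-strength rule reports.
    static KeyPairGenerator weakRsa() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);
        return kpg;
    }

    // Compliant: 2048-bit RSA meets the minimum.
    static KeyPairGenerator strongRsa() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg;
    }

    // Compliant: 256-bit AES; 128 would be the smallest acceptable size.
    static KeyGenerator strongAes() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("RSA 1024 robust? " + isRobustKeySize("RSA", 1024)); // false
        System.out.println("RSA 2048 robust? " + isRobustKeySize("RSA", 2048)); // true
        System.out.println("EC 224 robust?   " + isRobustKeySize("EC", 224));   // true
        System.out.println("AES 64 robust?   " + isRobustKeySize("AES", 64));   // false
        strongRsa().generateKeyPair();
        strongAes().generateKey();
    }
}
```

The weak and strong generators are otherwise identical, which is why a source-level rule that reads the size argument can tell them apart without running the code.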