How to use SonarQube 8.2 to scan Docker Images?

Must-share information (formatted with Markdown):

  • which versions are you using - SonarQube 8.2 Enterprise edition
  • what are you trying to achieve - We are trying to use SonarQube 8.2 to scan docker image in Azure DevOps Service build pipeline.
  • what have you tried so far to achieve this
    SonarQube | What's new

It’s official! We support Docker!

The wait is over! With 8.2, we’re releasing officially supported Docker images for Community, Developer, and Enterprise Editions! Queue the fireworks!

It says 8.2 supports scanning Docker images, but I can’t find any information online or in the SonarQube docs. Can someone please share the official documentation with me?

This is a side question. Is there any official documentation on how to use SonarQube to scan Angular or .Net Core apps in an Azure DevOps build pipeline? The official document only shows steps for .Net, C++ and Java applications. SonarQube extension for Azure DevOps

Any information would be helpful! :grinning:

Thanks,
Dennis

Hi,

In fact, we support running SonarQube and the CLI Scanner on Docker. We don’t actually analyze Docker images. Sorry for the confusion.

 
:flushed:
Ann

1 Like

Hi Ann,

Is there any documentation on how to use it to scan Docker?

We are using an Azure DevOps YAML pipeline.

Thanks!
Dennis

Hi Dennis,

We don’t analyze Docker files.

 
Ann

Thanks Ann!

https://hub.docker.com/_/sonarqube/

is this document to run SonarQube as container? Is it easier to upgrade?

Is this container way better than the regular software install in a VM?

Thanks,
Dennis

Hi Dennis,

I don’t have any experience with Docker, so I can’t answer whether it’s easier to upgrade, or whether it’s “better”. My gut says “no” though. Really, it’s just a different package for the same thing…

It might be worth opening a new thread asking that question specifically. (Hopefully this won’t start a flame war. :smile:)

 
Ann

1 Like

I also had Dennis’ expectations when “Docker” was announced by SonarSource :slight_smile:
However:
“Scanning Docker images” has two flavours, and one of them should be included in SonarQube in my opinion:

  1. Linting of the ‘Dockerfile’
    This is more or less a syntax check and validation of best practices.
    We are using hadolint for this in our company.
    This is similar to validation of Maven’s pom.xml, which SonarQube already does.
    So @ganncamp, can you put this in the backlog for your Developers :slight_smile:

  2. Vulnerability scanning of images
    An analysis of the components inside an image and detection of vulnerable components. e.g. by comparing them against the NVD.
    I don’t see this in SonarQube, but in specialized tools like “Clair” or Rapid7.

2 Likes
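A small illustration of the first flavour described above (linting a Dockerfile as a syntax parse plus best-practice checks), added here as an example; it is not code from hadolint, SonarQube or the thread's authors, and both the rules and the sample Dockerfile are constructed for the example.

```python
"""Minimal Dockerfile best-practice linter (constructed example, not hadolint)."""
import re

# Constructed sample Dockerfile that violates several common best practices.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y curl
ADD https://example.invalid/app.tgz /opt/app.tgz
EXPOSE 22
CMD ["/opt/app/start.sh"]
"""

def parse_dockerfile(text):
    """Return (line_no, INSTRUCTION, arguments) tuples, joining backslash continuations."""
    entries, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        start = no if start is None else start
        if line.endswith("\\"):           # continuation: keep collecting
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        inst, _, args = " ".join(buf).partition(" ")
        entries.append((start, inst.upper(), args.strip()))
        buf, start = [], None
    return entries

def lint_dockerfile(text):
    """Return a list of (line_no, message) findings; empty list means clean."""
    findings, entries = [], parse_dockerfile(text)
    for no, inst, args in entries:
        if inst == "FROM":
            image = args.split()[0]       # ignore "AS stage" aliases
            if ":" not in image or image.endswith(":latest"):
                findings.append((no, "pin the base image to a version tag or digest, not latest"))
        if inst == "RUN" and "apt-get install" in args:
            if "--no-install-recommends" not in args:
                findings.append((no, "use --no-install-recommends to keep the image small"))
            if "apt-get update" not in args:
                findings.append((no, "run apt-get update in the same RUN as apt-get install"))
        if inst == "ADD" and re.match(r"https?://", args):
            findings.append((no, "do not ADD from a URL; fetch with curl and verify, or COPY"))
        if inst == "EXPOSE" and "22" in args.split():
            findings.append((no, "do not expose SSH (port 22) from an application image"))
    if not any(inst == "USER" for _, inst, _ in entries):
        findings.append((0, "no USER instruction: the container will run as root"))
    return findings
```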