How to use SonarQube 8.2 to scan Docker Images?

Must-share information (formatted with Markdown):

It’s official! We support Docker!

The wait is over! With 8.2, we’re releasing officially supported Docker images for Community, Developer, and Enterprise Editions! Queue the fireworks!

It says 8.2 support scanning docker image, but i can’t find any information online or in SonarQube doc. Can someone please share me the official documentation?

This is side question. Is there any official documentation on how to use SonarQube to scan Angular or .Net Core apps in Azure DevOps build pipeline? The official document only shows steps for .Net, C++. Java application. https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-azure-devops/

Any information would be helpful! :grinning:

Thanks,
Dennis

Hi,

In fact, we support running SonarQube and the CLI Scanner on Docker. We don’t actually analyzer Docker images. Sorry for the confusion.

 
:flushed:
Ann

1 Like

Hi Ann,

is there any documentation on how to use it to scan docker?

we are using Azure DevOps ymal pipeline.

Thanks!
Dennis

Hi Dennis,

We don’t analyze Docker files.

 
Ann

Thanks Ann!

https://hub.docker.com/_/sonarqube/

is this document to run SonarQube as container? Is it easier to upgrade?

Is this container way better than the regular software install in a VM?

Thanks,
Dennis

Hi Dennis,

I don’t have any experience with Docker, so I can’t answer whether it’s easier to upgrade, or whether it’s “better”. My gut says “no” though. Really, it’s just a different package for the same thing…

It might be worth opening a new thread asking that question specifically. (Hopefully this won’t start a flame war. :smile:)

 
Ann

1 Like

I also had Dennis’ expectations when “Docker” was announced by SonarSource :slight_smile:
However:
“Scanning Docker images” has two flavours, one should be included in SonarQube in my opinion:

  1. Linting of the ‘Dockerfile’
    This is more or less a syntax check and validation of best practices.
    We are using hadolint for this in our company.
    This is similar to validation of Maven’s pom.xml, which SonarQube already does.
    So @ganncamp, can you put this in the backlog for your Developers :slight_smile:

  2. Vulnerability scanning of images
    An analysis of the components inside an image and detection of vulnerable components. e.g. by comparing them against the NVD.
    I don’t see this in SonarQube, but in specialized tools like “Clair” or Rapid7.

1 Like