[NEW RELEASE] Sonar Cloudformation plugin 1.0.2

Sonar Cloudformation plugin 2.0.1 released

I have just released a new version of the Sonar Cloudformation Plugin:

plugin description: Cloudformation Plugin for SonarQube, support cfn-nag rules
version 2.0.1 changes : Requires yaml plugin to be installed, json is optional
Github project: https://github.com/Hack23/sonar-cloudformation-plugin
SonarQube compatibility: 7.7, 7.8, 7.9.x,8.1,8.2
plugin project homepage on SonarCloud: https://sonarcloud.io/dashboard?id=com.hack23.sonar%3Asonar-cloudformation-plugin
PR in sonar-update-center-properties repo: https://github.com/SonarSource/sonar-update-center-properties/pull/108
Release notes: https://github.com/Hack23/sonar-cloudformation-plugin/releases/tag/sonar-cloudformation-plugin-2.0.1
Download URL: https://oss.sonatype.org/service/local/repositories/releases/content/com/hack23/sonar/sonar-cloudformation-plugin/2.0.1/sonar-cloudformation-plugin-2.0.1.jar

Demo Cloudformation yaml quality profile : https://www.hack23.com/sonar/profiles/show?language=yaml&name=Cloudformation+Rules

Demo Cloudformation json quality profile : https://www.hack23.com/sonar/profiles/show?language=json&name=Cloudformation+Rules

Demo Sonarqube quality rules : https://www.hack23.com/sonar/coding_rules?languages=yaml&repositories=cfn-yaml

Best regards


I’ve got rules! :smile:

Could you point me to a project to test on? Hopefully one that already includes a cfn-nag report. :slightly_smiling_face:


1 Like


Added a test at

So the plugin itself can be used for verification.

Using property below
-Dsonar.cfn.nag.reportFiles=src/main/resources/cfn-nag-scan.nagscan -Dsonar.sources=.

Jenkinsfile : https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/Jenkinsfile

Issue at https://www.hack23.com/sonar/project/issues?id=com.hack23.sonar%3Asonar-cloudformation-plugin&open=AXETZ0VYw-27j5QSfrar&resolutions=FALSE-POSITIVE (set to false positive to pass quality gate :slight_smile:

best regards


I’m not ignoring this.



Sorry about the very long delay. I’ve finally had a chance to test this. You did send me links to a demo instance - and thanks for that! - but as part of my initial testing I always want to start up an instance with the plugin and run an analysis just to make sure the basics are covered. They are. :slightly_smiling_face:

I’ve requested some changes to your PR. Once they’re handled, I’ll pull the trigger on this.

AND, I do have some non-blocker feedback for you.

  • You seem to raise all issues on the Type element. When you’re raising an issue about a missing property, I guess that’s as good a place as any. However, when you’re raising an issue about a property that is there, it seems like the issue should be raised on that property. E.G.

    Taking the user directly to the exact line and symbol that needs work helps her understand what needs to be done.

  • I’m hoping that you’ll eventually flesh out your rule descriptions to explain why the issues you raise represent problems that need to be addressed. Right now, each description is a re-statement of the rule name. If you know what you’re doing, then this “reminder” format is okay. But keep in mind that SonarQube is a teaching/learning tool for many, many developers. If they already understood what the good practices are, they wouldn’t need us. :slightly_smiling_face:

  • Long term, I’m hoping that your plan is to embed the underlying tool and run it as part of analysis if a report isn’t fed in manually. What you’re doing is perfectly acceptable, but it would ease adoption/use to make things as simple as possible to use.



Thank you for all the feedback,

Will update the PR and also release a new release plugin with support for new rules https://github.com/stelligent/cfn_nag/releases/tag/v0.5.34 shortly.

Working on getting the “why” in place a https://github.com/stelligent/cfn_nag/issues/310, mainly connected to

CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-272 - Least Privilege Violation
CWE-257 - Storing Passwords in a Recoverable Format
CWE-311 - Missing Encryption of Sensitive Data
CWE-326 - Inadequate Encryption Strength
CWE-286 - Incorrect User Management
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-778 - Insufficient Logging

and targeting NIST 800-53 compliance in AWS. More info at https://github.com/stelligent/cfn_nag/issues/130.

CWE -> NIST https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv (not complete) .

“CWE-778 - Insufficient Logging” connected to AU-12 Audit Generation.
“CWE-311 Missing Encryption of Sensitive Data” -> SC-8 Transmission Confidentiality and Integrity

This cwe tags is already in the plugin, but not the cfn-nag tool yet.

Plan to include better descriptions, but hard to cover 130+ rules. But could probably quick easy include links to solutions for a subset of the rules.

Would also if possible run the scan as part of the plugin, might be possible to use Jruby as in https://stelligent.com/2018/05/25/serverless-cloudformation-linting-in-aws-codepipeline/ .

Best regards


Have updated the PR now as well.

Missed one of the comments yesterday.

" You seem to raise all issues on the Type element.", a limitation of the cfn-nag tool. It only reports a line number at the moment. But once the parser https://github.com/stelligent/cfn-model improves and support more specific issues and will try to support it.

Best regards

You’re in! :champagne::tada:


P.S. I just saw how this shows up in the Marketplace / Plugin Version Matrix:
If I can add an item to my wish list, it would be that you update the name (not the key! just the name) to something like Cloudformation or Cfn-nag or Cloudformation/Cfn-nag, or…
Why? Well… it’s obvious in context that it’s a plugin, and “we” (for some definition of “we”) get a little twitchy about that “Sonar” sometimes.


Thank you for all the help.

Have created a new release where I changed the name to Cloudformation only at [NEW RELEASE] Cloudformation plugin 2.0.4 .

Best regards

1 Like