Running the security test with SonarQube

  • We have subscribed to SonarQube Developer Edition and I would like to know some details on running the security test with the help of SonarQube.

  • We have a requirement to do security testing and would like to get the security reports for the users for each SonarQube build, which can help users to identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or passing on vulnerabilities.

  • The security reports should allow saving locally and sharing. We don’t see such options now.

Please let us know how we can enable the SonarQube feature to get security reports and vulnerabilities and to do security testing.

Hi @v-jay

There are 2 different topics in your post:

  • Having a security analysis on your project by raising Security issues (Security Hotspots and Security Vulnerabilities)
  • Having a Security Report available to store it and share it internally

First part:
You just need to be sure that the Security rules are activated in your Quality Profile, to run the analysis with SonarQube. Then, you’ll see that in your projects, additional issues will be raised (Security issues). Just be sure you are running the latest version of SonarQube to benefit from all the latest rules.

Second part:
Security Reports are available only in Enterprise Edition (described here).
You can still build your own reports using the Web API (linked in the footer of the SonarQube homepage).

HTH,
Carine
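As an added illustration of the "build your own report with the Web API" suggestion above (example code, not from the thread or from SonarSource), the script below pulls a project's open Vulnerabilities and Security Hotspots from the `api/issues/search` and `api/hotspots/search` endpoints and renders them as a CSV file that can be saved with the build and shared. The server URL, project key and token are assumed inputs, and the sample responses are constructed so the report part runs offline.

```python
# Added example, not SonarSource code. A user token is sent as the HTTP Basic
# username with an empty password, which is how SonarQube accepts tokens.
import base64, csv, io, json, urllib.parse, urllib.request

FIELDS = ["kind", "rule", "severity", "status", "component", "line", "message"]

def fetch_json(base_url, path, params, token):
    """GET one Web API endpoint and decode its JSON body (network call, first page only)."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def security_findings(issues_resp, hotspots_resp):
    """Flatten api/issues/search and api/hotspots/search responses into one list of rows."""
    rows = []
    for i in issues_resp.get("issues", []):
        rows.append({"kind": "VULNERABILITY", "rule": i.get("rule", ""),
                     "severity": i.get("severity", ""), "status": i.get("status", ""),
                     "component": i.get("component", ""), "line": i.get("line", ""),
                     "message": i.get("message", "")})
    for h in hotspots_resp.get("hotspots", []):
        rows.append({"kind": "SECURITY_HOTSPOT", "rule": h.get("ruleKey", ""),
                     "severity": h.get("vulnerabilityProbability", ""), "status": h.get("status", ""),
                     "component": h.get("component", ""), "line": h.get("line", ""),
                     "message": h.get("message", "")})
    return rows

def to_csv(rows):
    """Render rows as CSV text that can be saved next to the build output or shared."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def fetch_security_report(base_url, project_key, token):
    """Live version: query the server for one project key and return the CSV report."""
    issues = fetch_json(base_url, "api/issues/search", {"componentKeys": project_key,
                        "types": "VULNERABILITY", "resolved": "false", "ps": 500}, token)
    hotspots = fetch_json(base_url, "api/hotspots/search", {"projectKey": project_key, "ps": 500}, token)
    return to_csv(security_findings(issues, hotspots))

# Constructed sample responses (real endpoint shape, made-up values) so the report code runs offline.
SAMPLE_ISSUES = {"issues": [{"rule": "java:S2068", "severity": "BLOCKER", "status": "OPEN",
    "component": "demo:src/main/java/App.java", "line": 12, "message": "Review this hard-coded credential."}]}
SAMPLE_HOTSPOTS = {"hotspots": [{"ruleKey": "java:S2245", "vulnerabilityProbability": "MEDIUM",
    "status": "TO_REVIEW", "component": "demo:src/main/java/Token.java", "line": 40,
    "message": "Make sure that using this pseudorandom number generator is safe here."}]}
```

Call `fetch_security_report("https://sonar.example.internal", "demo", token)` from the build job and write the returned text to a file; `to_csv(security_findings(SAMPLE_ISSUES, SAMPLE_HOTSPOTS))` shows the output format without a server.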