As a Cloud Security Architect, I would like the ability to pull Snyk code scans into SonarCloud so that software engineers only have to log into one platform to review security findings.
Details:
- ALM: Gitlab
- CI system: Gitlab
- Scanner command used when applicable (private details masked): Nothing today
- Languages of the repository: TypeScript, Python, CDK, Terraform
- Only if the SonarCloud project is public: All projects are private
- Error observed: No Error, yet.
- Steps to reproduce:
  - Kick off a Sonar scan within a pipeline
  - Kick off a Snyk scan within a pipeline
  - Log into SonarCloud and review scan results
  - Log into Snyk and review scan results
Potential workaround:
At the beginning of a build pipeline, first kick off a Snyk scan; the results are then either passed to SonarCloud, or alternatively the ID of the Snyk scan is shared with SonarCloud, where the Snyk results are pulled by a managed service at a defined time.
Side Note:
There is a similar process for Checkmarx and Sonar today.
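A converter for the "results are passed to SonarCloud" branch of the workaround, added here as an example and not code from the post, from Snyk or from Sonar: it assumes Snyk Code emits a SARIF report (for instance via `snyk code test --sarif`) and writes the Sonar generic issue JSON that `sonar.externalIssuesReportPaths` imports during the Sonar scan. The SARIF sample, rule IDs and level-to-severity mapping below are constructed.

```python
import json

# Constructed SARIF 2.1.0 sample standing in for a Snyk Code report.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SnykCode"}},
        "results": [
            {"ruleId": "python/Ssrf", "level": "error",
             "message": {"text": "Unsanitized input flows into a request URL."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/fetch.py"},
                 "region": {"startLine": 42, "endLine": 42}}}]},
            {"ruleId": "javascript/NoHardcodedPasswords", "level": "warning",
             "message": {"text": "Hardcoded credential."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.ts"},
                 "region": {"startLine": 7}}}]},
            # No region: Sonar needs a start line, so this one is skipped.
            {"ruleId": "python/NoLocation", "level": "note",
             "message": {"text": "Finding without a line number."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"}}}]},
        ]}]}

# Assumed mapping from SARIF levels to Sonar generic-issue severities.
LEVEL_TO_SEVERITY = {"error": "CRITICAL", "warning": "MAJOR",
                     "note": "MINOR", "none": "INFO"}

def sarif_to_sonar_issues(sarif, engine_id="snyk-code"):
    """Flatten SARIF results into Sonar's generic issue report structure."""
    issues = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "MAJOR")
            message = result.get("message", {}).get("text") or result.get("ruleId", "")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                region = phys.get("region", {})
                if not uri or "startLine" not in region:
                    continue  # file path and 1-based start line are mandatory in Sonar
                text_range = {"startLine": region["startLine"]}
                if "endLine" in region:
                    text_range["endLine"] = region["endLine"]
                issues.append({"engineId": engine_id, "ruleId": result.get("ruleId", "unknown"),
                               "severity": severity, "type": "VULNERABILITY",
                               "primaryLocation": {"message": message, "filePath": uri,
                                                   "textRange": text_range}})
    return {"issues": issues}

if __name__ == "__main__":
    # Write the report the Sonar scanner step will read via sonar.externalIssuesReportPaths.
    with open("snyk-sonar-issues.json", "w", encoding="utf-8") as fh:
        json.dump(sarif_to_sonar_issues(SAMPLE_SARIF), fh, indent=2)
```

Imported issues show up in SonarCloud as external issues from the "snyk-code" engine, alongside Sonar's own findings.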