SonarCloud - Pen Testing and Cost Questions

Hello! I’m doing some research into SonarCloud and have a few questions.

  1. Does SonarCloud provide a service to do penetration testing on our applications?

  2. In my analyses, I exclude my tests using sonar.exclusions, but also include them in coverage using sonar.tests and sonar.test.inclusions. Would these test files count toward my LOC when determining which tier of SonarCloud I need to purchase?

Thank you

Hello,

Welcome to the SonarCloud community!

  1. SonarCloud only does SAST, i.e. static analysis of your code. SonarCloud doesn’t provide any pentest services.
  2. The price is based on the LOC (Lines of Code) metric, which is computed based on your main files. Test files are not counted in your LOC. Still, we raise test-specific issues on them … for free.

Alex

1 Like
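To make the answer above concrete, the following script is an added example (it is not SonarCloud's own code or billing logic and was not posted by anyone in this thread). It takes a constructed `sonar-project.properties` in the shape the question describes (`sonar.sources` and `sonar.tests` both set to `.`, tests removed from main code via `sonar.exclusions` and re-added as tests via `sonar.test.inclusions`), classifies a constructed sample tree into main and test files, reports any file that ends up in both sets, and sums an approximate non-blank, non-comment line count over main files only. The pattern matcher is a simplified reimplementation of Sonar's `**`, `*` and `?` glob rules, and the line count is only an estimate: the real LOC metric is computed by SonarCloud's language analyzers, so use this as a sanity check on your configuration, not as a billing figure.

```python
"""Estimate which files count toward SonarCloud LOC under a given sonar-project.properties.

Added example, not SonarSource code. The LOC count is an approximation of the
non-blank, non-comment metric; the real value comes from SonarCloud's analyzers.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample project (not a real repository): two main files, two test files.
SAMPLE_FILES = {
    "src/app/service.py": "# service module\n\ndef add(a, b):\n    return a + b\n\n\n"
                          "def sub(a, b):\n    return a - b\n",
    "src/app/util.py": "def clamp(x, lo, hi):\n    # keep x within bounds\n"
                       "    return max(lo, min(x, hi))\n",
    "tests/test_service.py": "from app.service import add\n\n\ndef test_add():\n"
                             "    assert add(1, 2) == 3\n",
    "src/app/util_test.py": "from app.util import clamp\n\n\ndef test_clamp():\n"
                            "    assert clamp(5, 0, 3) == 3\n",
}

# Constructed properties mirroring the setup in the question above.
SAMPLE_PROPERTIES = """\
sonar.projectKey=example
sonar.sources=.
sonar.tests=.
# keep tests out of main code (and therefore out of the LOC metric) ...
sonar.exclusions=**/tests/**,**/*_test.py
# ... but still analyse them as tests
sonar.test.inclusions=**/tests/**,**/*_test.py
"""


def parse_properties(text):
    """Minimal key=value parser; ignores blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def sonar_glob_to_regex(pattern):
    """Translate a Sonar path pattern: '**' spans directories, '*' one segment, '?' one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _under_roots(rel, roots):
    """True if the relative path lies under one of the configured root directories."""
    for root in roots:
        root = root.strip("/")
        if root in ("", ".") or rel == root or rel.startswith(root + "/"):
            return True
    return False


def count_ncloc(path):
    """Approximate non-comment lines of code (blank lines and '#'/'//' comment lines dropped)."""
    return sum(1 for line in path.read_text(encoding="utf-8").splitlines()
               if line.strip() and not line.strip().startswith(("#", "//")))


def classify(base, props):
    """Split files into main (counted toward LOC) and test sets, plus any overlap."""
    src_roots = _split(props.get("sonar.sources", "."))
    test_roots = _split(props.get("sonar.tests", ""))
    excl = [sonar_glob_to_regex(p) for p in _split(props.get("sonar.exclusions", ""))]
    test_incl = [sonar_glob_to_regex(p) for p in _split(props.get("sonar.test.inclusions", ""))]
    main, tests = [], []
    for rel in sorted(p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()):
        if rel == "sonar-project.properties":
            continue
        if _under_roots(rel, src_roots) and not any(r.match(rel) for r in excl):
            main.append(rel)
        if _under_roots(rel, test_roots) and (not test_incl or any(r.match(rel) for r in test_incl)):
            tests.append(rel)
    conflicts = sorted(set(main) & set(tests))  # a file must not be both main and test
    return main, tests, conflicts


def estimate(base, props):
    main, tests, conflicts = classify(base, props)
    return {"main_files": main, "test_files": tests, "conflicts": conflicts,
            "main_loc": sum(count_ncloc(base / f) for f in main),
            "test_loc": sum(count_ncloc(base / f) for f in tests)}


def demo():
    """Materialise the constructed sample tree in a temp dir and run the estimate on it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(content, encoding="utf-8")
        (base / "sonar-project.properties").write_text(SAMPLE_PROPERTIES, encoding="utf-8")
        return estimate(base, parse_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against your own checkout by pointing `estimate()` at the repository root and the parsed contents of your real `sonar-project.properties`; an empty `conflicts` list confirms that your `sonar.exclusions` actually remove every test file from the main set, which is what keeps them out of the LOC count.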

Thanks so much! This was very helpful. As a follow-up: I’m assuming pentests are not offered with SonarQube (the self-hosted version) either, is that correct?

Daniel,

That is correct. SonarQube does not provide pentest services. Thanks!

Clint

1 Like