We have integrated SonarCloud with our Azure DevOps pipeline to analyze code quality and security vulnerabilities across different languages, including JavaScript and Terraform. While SonarCloud successfully identifies and comments on issues for JavaScript code in Pull Requests (PRs), it does not seem to be commenting on Terraform-related issues, even though the issues are visible in the SonarCloud dashboard.
Observations:

- Terraform issues detected in the SonarCloud dashboard
  - SonarCloud correctly identifies Terraform issues, such as security risks (e.g., `admin_enabled = true` in Azure resources).
  - The issues are listed in SonarCloud under the Security Hotspots, Maintainability, and Code Smells sections.
- No PR comments for Terraform issues in Azure DevOps
  - Unlike JavaScript, where SonarCloud comments directly in the PR when an issue is detected, Terraform-related issues are not being reflected in the PR.
  - This creates a gap in developer awareness and feedback, since issues have to be checked manually in SonarCloud instead of being flagged in the PR.
Example Case:
- We committed the following Terraform code that violates security best practices:
```hcl
# Snippet trimmed to the flagged attribute; other required arguments omitted.
resource "azurerm_container_registry" "example" {
  name          = "example"
  admin_enabled = true # Sensitive: enabling the admin account is a security risk.
}
```
- SonarCloud correctly flagged this in the dashboard as a security-sensitive issue.
- However, no comments appeared in the associated Azure DevOps PR.
### **Expected Behavior:**
- Similar to JavaScript, Terraform-related issues should also be **commented directly in the PR** by SonarCloud when an issue is detected.
- This ensures **consistent issue tracking and enforcement of security/compliance rules across all languages** in our codebase.
### **Request for Assistance:**
Could you please confirm if:
- **SonarCloud supports PR commenting for Terraform issues in Azure DevOps?**
- **Any additional configuration is required to enable PR commenting for Terraform-related findings?**
- **There are known limitations or workarounds for this issue?**
We would appreciate your guidance on resolving this discrepancy to maintain a unified code quality enforcement process.
```properties
# Project Identification
sonar.projectKey=<project-key>
sonar.organization=<organization>
sonar.projectName=<project-name>
sonar.projectVersion=1.0

# New Code Definition
sonar.newCode.referenceBranch=main
sonar.qualitygate.wait=false

# Source Files
sonar.sources=.
# Recursive glob patterns: the leading/trailing ** is needed to match nested directories
sonar.exclusions=**/.terraform/**,**/*.tfstate,**/*.tfstate.backup

# Language-Specific Settings
sonar.lang.patterns.generic=**/*.tf
sonar.generic.exclusions=**/.terraform/**

# TFLint Report Path (relative to the project base directory)
sonar.terraform.tfLint.reportPaths=reports/tflint-report.json

# Pull Request Analysis
sonar.pullrequest.provider=Azure DevOps
sonar.pullrequest.key=${System.PullRequest.PullRequestId}
sonar.pullrequest.branch=${Build.SourceBranchName}
sonar.pullrequest.base=${System.PullRequest.TargetBranch}

# SCM Settings
sonar.scm.provider=git

# Encoding
sonar.sourceEncoding=UTF-8
```
### **Issue: TFLint report is not appearing in the SonarCloud dashboard**

Even though we have provided the correct path, the report is not being recognized. Warning seen in the logs:

```
INFO SonarQube Cloud: Analysis succeeded with warning: TFLint report importing: path does not seem to point to a file /home/vsts/work/1/s/reports/tflint-report.json
```
Looking forward to your response.
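An added example, not part of the original post and not SonarSource's or the poster's pipeline, of an Azure DevOps YAML pipeline that writes the TFLint JSON report to the exact relative path named in `sonar.terraform.tfLint.reportPaths` before `SonarCloudAnalyze` runs, so the importer finds the file instead of emitting the "does not seem to point to a file" warning. Assumptions: the `sonar-project.properties` shown above sits at the repository root, a SonarCloud service connection named `sonarcloud-connection` exists, the TFLint release version and checksum are placeholders to be pinned by the reader, and the `@2` task version suffixes may differ in your installed extension. `tflint --format json`, `tflint --init` and TFLint's exit code 2 for "issues found" are from the TFLint CLI; `sonar.verbose` is a standard scanner property.

```yaml
# Added example pipeline (hypothetical): makes the TFLint report exist at the
# path SonarCloud expects, and fails fast if it does not, before analysis runs.
trigger:
  - main

pr:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  TFLINT_VERSION: "<pinned-version>"          # placeholder, e.g. a vetted vX.Y.Z
  TFLINT_SHA256: "<sha256-of-pinned-zip>"     # placeholder, from the release checksums

steps:
  - checkout: self
    fetchDepth: 0   # full history so SonarCloud can attribute new code in the PR

  # SonarCloudPrepare must run before the analysis step; it reads the properties file.
  - task: SonarCloudPrepare@2
    inputs:
      SonarCloud: "sonarcloud-connection"   # placeholder service connection name
      organization: "<organization>"        # placeholder
      scannerMode: "CLI"
      configMode: "file"
      configFile: "sonar-project.properties"
      extraProperties: |
        sonar.verbose=true

  # Install a pinned TFLint release and verify its checksum instead of piping a script to bash.
  - script: |
      set -euo pipefail
      curl -sSLo tflint.zip "https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}/tflint_linux_amd64.zip"
      echo "${TFLINT_SHA256}  tflint.zip" | sha256sum -c -
      unzip -o tflint.zip -d /usr/local/bin
      tflint --version
    displayName: Install TFLint (pinned, checksum-verified)

  # Write the report under $(Build.SourcesDirectory), which is /home/vsts/work/1/s on
  # hosted agents and is the directory the warning in the question resolved the path against.
  - script: |
      set -uo pipefail
      cd "$(Build.SourcesDirectory)"
      mkdir -p reports
      tflint --init
      tflint --format json > reports/tflint-report.json
      rc=$?
      # Exit code 2 means TFLint found issues: that is the report we want, not a failure.
      if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then
        echo "tflint failed with exit code $rc"
        exit "$rc"
      fi
      # Fail the pipeline here rather than letting the scanner silently skip the import.
      test -s reports/tflint-report.json || { echo "reports/tflint-report.json missing or empty"; exit 1; }
    displayName: Run TFLint and write JSON report

  - task: SonarCloudAnalyze@2

  - task: SonarCloudPublish@2
    inputs:
      pollingTimeoutSec: "300"
```

The report path in the properties file is resolved relative to the project base directory (the directory `sonar.sources=.` refers to), so the step that writes it has to run in that same directory and before `SonarCloudAnalyze`; with `sonar.verbose=true` the scanner log shows the absolute path the TFLint importer tried, which is the quickest way to spot a mismatch between where TFLint wrote the file and where the importer looked.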