SonarCloud vs MSCA

EddyLeow · April 22, 2020, 7:56am

Does SonarCloud covers the same static code scanning capabilities of the Microsoft Security Code Analysis(MSCA)?
Examples of MSCA toolset:

Credential Scanner: a proprietary Microsoft tool that helps detect credentials, secrets, certificates, and other sensitive content in your source code and build output.
Roslyn Analyzer: Microsoft’s compiler integrated static analysis tool for analyzing managed code (C# and VB)

Colin · April 22, 2020, 9:09am

Hey there –

SonarCloud has some fairly rudimentary rules in this respect (Hard-coded credentials are security-sensitive) with aims to improve this in the future (MMF-1932 - Enhanced hard-coded credentials detection).

Roslyn is at the core of our C# analyzers (it’s what they are built on!) and issues from other Roslyn analyzers are automatically imported to SonarCloud during analysis.

EddyLeow · April 23, 2020, 3:33am

Thanks Colin for the clarification.

Could you share some of these rules in SonarCloud that helps in identifying hard-coded credentials?

Colin · April 23, 2020, 5:47pm

When I said rules, maybe I oversold it. SonarCloud has the one rule, which I already linked!

EddyLeow · May 4, 2020, 6:35am

No worries… thanks Colin.
Does SonarCloud scan the libraries/opensource that the application leverage?

Colin · May 4, 2020, 8:11am

SonarCloud does not track the libraries that are included in a project – we leave SCA (Software Component Analysis) to those who do it best (like our friends at Snyk or WhiteSource)!