Hi All,
I am currently using the SonarQube 7.7 Community Edition. I would like to integrate the DevSecOps in to my code.
Does SonarQube 7.7 Community Edition or latest version of SonarQube 8.2 provide any features for integrating security checks in the code ?
regards,
Sushil Nembhani
Hi Sushil,
In fact, I just did a webinar on this two days ago.
There’s also a webpage that provides more details, a blog on taint analysis, and more in the docs.
HTH,
Ann
Thanks for providing the details & also the link to Security Webinar.
I am was specifically looking for OWASP Top 10 Capabilities in latest version 8.2 of SonarQube Community.
How i can integrate in my devops pipelines to fail the Quality Gate if the OWASP Top 10 issues are high & critical ?
regards,
Sushil Nembani
Hi Sushil,
First you’ll want to make sure the relevant rules are included in your profile. Then you need to make sure your Quality Gate fails if you have
* In practice you may want to set this higher. The letter ratings correspond to the severity of the worst open issue. If you set the OWASP-related rules to Blocker or Critical in your profile, then you might allow a C to pass
HTH,
Ann
Hi Ann,
I have configured the SonarQube 8.2 Community edition to include the Security Hotspots as part of the Quality Gate. Attaching the screenshot
Please let us know if anything need to be added for the DevSecops ?
regards,
Sushil Nembhani
