SonarQube Community - DevSecOps

Hi All,

I am currently using the SonarQube 7.7 Community Edition. I would like to integrate DevSecOps into my code.

Does SonarQube 7.7 Community Edition or the latest version of SonarQube, 8.2, provide any features for integrating security checks in the code?

regards,
Sushil Nembhani

Hi Sushil,

In fact, I just did a webinar on this two days ago.

There’s also a webpage that provides more details, a blog on taint analysis, and more in the docs.

HTH,
Ann

Thanks for providing the details & also the link to Security Webinar.

I was specifically looking for OWASP Top 10 capabilities in the latest version 8.2 of SonarQube Community.

How can I integrate it into my DevOps pipelines to fail the Quality Gate if the OWASP Top 10 issues are high or critical?

regards,
Sushil Nembhani

Hi Sushil,

First you’ll want to make sure the relevant rules are included in your profile. Then you need to make sure your Quality Gate fails if you have

  • unreviewed Security Hotspots
  • Security rating worse than A*

* In practice you may want to set this higher. The letter ratings correspond to the severity of the worst open issue. If you set the OWASP-related rules to Blocker or Critical in your profile, then you might allow a C to pass.

HTH,
Ann

Hi Ann,

Thanks for your inputs.

I have configured the SonarQube 8.2 Community Edition to include the Security Hotspots as part of the Quality Gate. Attaching the screenshot.

Please let us know if anything needs to be added for DevSecOps?

regards,
Sushil Nembhani

Hi Sushil,

What you actually wanted to add to your Quality Gate is the Security Review Rating. For comparison, here’s our default QG, with attention drawn to all the security-related conditions:

HTH,
Ann
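As an added example (not Ann's or SonarSource's code), here is a small Python check a pipeline can run after analysis to act on the Quality Gate conditions discussed above (Security rating, Security Review rating, Security Hotspots reviewed). It reads the JSON returned by SonarQube's Web API endpoint `api/qualitygates/project_status` and exits non-zero when the gate is not OK, with a distinct exit code when a security condition is the cause; the sample response embedded below is constructed, not real project data.

```python
import json
import sys

# SonarQube reports letter ratings as numbers in the API: A=1, B=2, C=3, D=4, E=5.
RATING = {"1": "A", "2": "B", "3": "C", "4": "D", "5": "E"}

# Metric keys behind the security-related Quality Gate conditions,
# in both their overall-code and "new code" variants.
SECURITY_METRICS = {
    "security_rating", "new_security_rating",
    "security_review_rating", "new_security_review_rating",
    "security_hotspots_reviewed", "new_security_hotspots_reviewed",
}


def fmt_value(metric: str, value: str) -> str:
    """Ratings are numeric in the API; show them as letters like the UI does."""
    return RATING.get(value, value) if metric.endswith("_rating") else value


def failing_security_conditions(project_status: dict) -> list:
    """Return [(metric, actual, threshold)] for security conditions in ERROR state.

    project_status is the parsed JSON body of
    GET /api/qualitygates/project_status?projectKey=<key>.
    """
    failed = []
    for c in project_status["projectStatus"]["conditions"]:
        if c["metricKey"] in SECURITY_METRICS and c["status"] == "ERROR":
            failed.append((c["metricKey"],
                           fmt_value(c["metricKey"], c["actualValue"]),
                           fmt_value(c["metricKey"], c["errorThreshold"])))
    return failed


def pipeline_exit_code(project_status: dict) -> int:
    """0 when the gate is OK, 2 when a security condition failed, 1 otherwise."""
    if project_status["projectStatus"]["status"] == "OK":
        return 0
    return 2 if failing_security_conditions(project_status) else 1


# Constructed sample response (not real project data) in the shape the API returns.
SAMPLE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "3"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50"},
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.2"},
]}}

if __name__ == "__main__":
    # In CI, pipe the API response in, e.g.:
    #   curl -u "$SONAR_TOKEN:" "$SONAR_HOST/api/qualitygates/project_status?projectKey=$KEY" | python gate_check.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for metric, actual, threshold in failing_security_conditions(data):
        print(f"FAILED {metric}: {actual} (threshold {threshold})")
    sys.exit(pipeline_exit_code(data))
```

Run against the constructed sample it reports the C security rating (threshold A) and the 50% hotspot review (threshold 100%) and exits with code 2, so the pipeline step fails.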