Hi everyone,
I don’t know if it is within the scope of this forum, but I’ll ask anyways.
I am implementing this tool as a part of the DevSecOps lifecycle but I have been thinking if this tool could be enough to perform SAST on my developer’s code?
Are there any recommendations talking about plugins, rules, quality gates or something that I might consider before implementing this tool? I mean, recommendations while using SonarQube but aiming specifically to improve security.
Thanks in advance.