What options are available using SonarQube to scan for code defects, bad practice, and security concerns in PostgreSQL DDL, SQL, and PL/pgSQL?
Research suggests there is no SonarQube scanner for PostgreSQL. Can other scanners be used to validate, e.g., SQL and DDL?
Is it possible to write our own rules (say using PMD)?
What options are there to use sonarqube to scan Postgres?
A similar question was last asked in 2019 here: Code analyzer or plugin for PL/pgSQL or pgSQL
Colin
Hey @mathewbutler
I’m not aware of any SonarQube plugins that accomplish this.
There appear to be some existing linting tools like plpgsql_check (GitHub: okbob/plpgsql_check, a linter that does static analysis of PL/pgSQL, the native language for PostgreSQL stored procedures). If you were able to take that report and convert it to the generic issue format, you might have something. You could also build a plugin around this (similar to how sonar-ansible (GitHub: sbaudoin/sonar-ansible) executes ansible-lint and then imports the report).
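The "take the plpgsql_check report and convert it to the generic issue format" route above is straightforward to prototype. The converter below is an added example written for this page; it is not code from SonarSource, from the okbob/plpgsql_check project, or from the poster. It assumes (this is not stated in the thread) that the report is the JSON document returned by `plpgsql_check_function('fn(args)', format => 'json')`, concatenated into one string, with an `issues` array whose entries carry `level`, `message`, `sqlState` and `statement.lineNumber`; the sample report and the `FUNCTION_INDEX` mapping are constructed for the example, and the level-to-severity mapping is the example's own choice. The one caveat worth building in from the start: plpgsql_check numbers lines from the start of the function body, while SonarQube's Generic Issue Import Format wants a line in a source file that is part of the analysed project, so the converter needs to know, per function, which file the body lives in and where it starts.

```python
"""Convert a plpgsql_check JSON report into SonarQube's Generic Issue Import
Format (the file you point sonar.externalIssuesReportPaths at).

Added example; not code from SonarSource or from okbob/plpgsql_check.
Assumptions not stated in the original post:
  * The report is the output of
      SELECT plpgsql_check_function('fn(args)', format => 'json');
    concatenated into one document: {"function": ..., "issues": [...]},
    each issue having "level", "message", "sqlState" and "statement.lineNumber".
    SAMPLE_REPORT below is constructed in that shape.
  * plpgsql_check counts lines from the start of the function body, whereas
    SonarQube wants lines of the source file, so FUNCTION_INDEX maps each
    function signature to (file path relative to the project root, line of
    that file on which the body's line 1 sits).
"""
import json
from typing import Dict, Tuple

ENGINE_ID = "plpgsql_check"

# plpgsql_check level -> (SonarQube issue type, severity).  Own mapping.
LEVEL_MAP = {
    "error":         ("BUG",           "CRITICAL"),
    "security":      ("VULNERABILITY", "CRITICAL"),
    "warning":       ("CODE_SMELL",    "MAJOR"),
    "warning extra": ("CODE_SMELL",    "MINOR"),
    "performance":   ("CODE_SMELL",    "MINOR"),
}

# Constructed sample report (assumed plpgsql_check JSON shape).
SAMPLE_REPORT = json.dumps({
    "function": "public.transfer(integer,integer,numeric)",
    "issues": [
        {"level": "error", "sqlState": "42703",
         "message": "column \"balence\" of relation \"accounts\" does not exist",
         "statement": {"lineNumber": 3, "text": "SQL statement"}},
        {"level": "warning", "sqlState": "00000",
         "message": "unused variable \"tmp\"",
         "statement": {"lineNumber": 1, "text": "DECLARE"}},
        {"level": "security", "sqlState": "00000",
         "message": "text type variable is not sanitized",
         "statement": {"lineNumber": 6, "text": "EXECUTE"}},
    ],
})

# Constructed: where each checked function body starts in the repository.
FUNCTION_INDEX: Dict[str, Tuple[str, int]] = {
    "public.transfer(integer,integer,numeric)": ("sql/transfer.sql", 5),
}


def rule_id(level: str, sqlstate: str) -> str:
    """Stable rule key: the SQLSTATE when plpgsql_check reports a real one,
    otherwise the level name (e.g. 'warning-extra')."""
    if sqlstate and sqlstate != "00000":
        return sqlstate
    return level.replace(" ", "-")


def convert(report_json: str, index: Dict[str, Tuple[str, int]]) -> dict:
    """Return a Generic Issue Import document for one plpgsql_check report."""
    report = json.loads(report_json)
    function = report["function"]
    if function not in index:
        # An issue whose filePath is not an analysed source file is dropped
        # by SonarQube with only a log warning, so fail loudly instead.
        raise KeyError(f"no file/offset known for function {function!r}")
    path, body_start = index[function]
    issues = []
    for finding in report.get("issues", []):
        level = finding.get("level", "warning")
        issue_type, severity = LEVEL_MAP.get(level, ("CODE_SMELL", "MINOR"))
        body_line = int((finding.get("statement") or {}).get("lineNumber", 1))
        issues.append({
            "engineId": ENGINE_ID,
            "ruleId": rule_id(level, finding.get("sqlState", "")),
            "type": issue_type,
            "severity": severity,
            "primaryLocation": {
                "message": finding.get("message", ""),
                "filePath": path,
                # body line 1 sits on file line body_start
                "textRange": {"startLine": body_start + body_line - 1},
            },
        })
    return {"issues": issues}


if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE_REPORT, FUNCTION_INDEX), indent=2))
```

Write the output to a file and pass it with `sonar.externalIssuesReportPaths` on the scanner command line; the `.sql` files named in `filePath` must be inside `sonar.sources`, or the issues are ignored. Two limits to keep in mind: plpgsql_check only looks at PL/pgSQL function bodies, so plain DDL and ad-hoc SQL in the same files get no findings from it, and newer SonarQube releases also accept a richer form of this format with a `rules` array describing each rule, which is where a `cleanCodeAttribute` and impacts would go if you want them.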