[Webinar] Driving DevOps Transformation: Leveling up CI/CD with Static Code Analysis

Hello everyone!

Here are the details for our next Clean Code Monthly webinar, where we will address DevOps Transformation and Static Code Analysis.

On April 17th, join @peter.mckee, Head of Developer Relations, who will present a webinar entitled “Driving DevOps Transformation: Leveling up CI/CD with static code analysis”, to discuss how static code analysis can help organizations deliver reliable value to their customers, and give practical advice on how to integrate static code analysis into one’s development processes.

Don’t miss it!

Title: Driving DevOps Transformation: Leveling up CI/CD with Static Code Analysis
Date and time: 2024-04-17T15:00:00Z
Speaker: Peter McKee, Head of Developer Relations

Register now!

Interested in the topic, but you don’t think you can make it to the live event? Register here, and receive the recording of the session after the webinar.

Hello everyone,

Thanks a lot to all who attended our webinar yesterday! You can find below the questions and answers of the session:

Q: What is the role of DevOps towards Software Quality? Should it be DevOps who pushes dev teams for software quality or should it be from Dev teams?
A: DevOps is an approach to software delivery where dev teams and operations teams work together as a single unit to deliver software. Sonar’s tools, SonarQube, SonarCloud, and SonarLint are essential in the DevOps lifecycle for enhancing developer productivity and streamlining the creation of code. By creating the cleanest code possible early in the lifecycle, you are saving time and cost to find and fix issues later in the process. The later you find issues in the software delivery process, the more it costs you to fix them.

Q: How is the product different from GitHub Advanced Security? When I select Sonar, what is the benefit compared to GHAS?
A: GitHub Advanced Security focuses on security issues. Sonar provides insight into code quality, which includes issues that impact the security of your software, but also issues that impact your software’s maintainability, reliability… Security is indeed talked about a lot and is a source of cost for companies, but those other qualities are also cost drivers (speed of delivery of new features, time spent diagnosing issues in production…)

Q: What are the requirements for SonarLint? Does it need a JDK and other installs?
A: The requirements for SonarLint are available on Requirements and IntelliJ.

Q: Does SonarCloud scan all the 3rd party modules inside the repo, or only those 3rd party modules called in the project code for Security vulnerabilities? Is it configurable?
A: SonarQube and SonarCloud both scan all code in the repository or repositories you configure them to analyze. Deeper SAST includes pre-scanning of common third-party libraries to perform taint analysis of data passed between those libraries.

Q: Does SonarLint support JavaScript/TypeScript code and SPAs (Angular/React/Node)?
A: Yes, Sonar supports both JavaScript and TypeScript, with specific rules tailored for React. This support is available in SonarLint as well as SonarQube and SonarCloud.

Q: If we use Sonar for source code vulnerability scans, can we use only SonarQube and not need any other tools to integrate?
A: You do not need any other tool than SonarQube, and then you can add the scan to your build pipeline to benefit from our analysis as part of your CI.

Q: Sonar detects vulnerabilities by rules; do we need to create the rule manually or from the library?
A: We provide the rules; you are free to enable/disable them, but you do not need to write any rule manually.

Q: What is the priority of measures like security, maintainability, reliability etc. in SonarCloud? For instance, when we are in maintenance mode. How can we prioritize the findings in Sonar Cloud?
A: You have the ability to configure your Quality Gate to match your needs. We recommend taking a no-issue stance by default, but you are free to choose your own rules.

Q: Where can I get the reference for integrating SonarCloud into an Azure CI/CD pipeline for embedded projects in C/C++? How do I configure a custom compiler toolchain?

A: You can find information relevant to Azure DevOps integration for C++ projects at SonarScanner for Azure DevOps & SonarCloud Docs

You can find information on how to configure a C++ analysis on: C/C++/Objective-C | SonarCloud Documentation

Finally, do not hesitate to post your question on our Community Forum: https://community.sonarsource.com

Q: How does Sonar compare with ESLint?
A: SonarLint handles not only code syntax but also identifies issues in your code that result in software that is not maintainable, secure, or reliable.

Q: Can we check security threats during static analysis?
A: Yes, SonarQube and SonarCloud both perform static analysis and identify security vulnerabilities in your code.

Q: I might be confused or it sounds like “Static Code Analysis” is a rather broad term. Like, can one do Static Code Analysis against Static C-sharp code before compilation, or do compiled languages need to be compiled before scanning?
A: Generally speaking, Static Code Analysis does not require “building”, but its implementation is close to that of a compiler. Some solutions rely on the actual compiler to carry out the analysis. This is the case for C# for example in the current Sonar implementation.

Q: Are there any plans to incorporate LLM into sonar code analysis?
A: We are currently evaluating how GenAI tools fit into code analysis. Our first priority is still to deliver high-quality insights into your code, with low false-positive numbers.

Q: I can imagine that Copilot and LLM code generators are starting to affect code quality, but does it make code better or worse?
A: It’s essential to do a thorough code review and understand the results of AI-generated code to ensure it aligns with your project requirements, coding quality standards, and security considerations.

Q: When will Flutter/Dart be available out-of-the-box?
A: Flutter/Dart support is on our long-term roadmap. We are working on it. It will likely take at least a year to complete.

Q: When Sonar can perform static scanning for vulnerabilities including third-party libraries, is there a need to use a dedicated static scanning tool like Snyk, for example?
A: Sonar’s deeper SAST scans user code interactions with commonly used open source libraries, and we believe it is better than Snyk insofar as we do not only SAST but also help you find and fix code quality bugs/issues.

Q: Are there any plans to include scan/lint for Kubernetes, Helm charts, and Ansible YAMLs?
A: We already support Kubernetes and Helm Charts today. We have plans for Ansible support in the short term.

Q: What is the ratio of “true alarm” percentage versus “false alarm” percentage in SonarQube?
A: The answer varies from language to language and specific rule types (bugs, code smells, vulnerabilities…).

Q: Is there only main branch support available in SonarQube Community Edition?
A: While it is true that support for branches and pull requests is not available in the free Community edition, it is available for open-source projects in SonarCloud for free.

Q: Can developers install SonarQube on their laptops and run it against their local code repository?
A: Yes, it is possible.
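For the Azure DevOps question on embedded C/C++ with a custom compiler toolchain, here is an added example pipeline (written for this thread, not taken from the webinar or from Sonar’s documentation). The service connection name, organization, project key and the `arm-none-eabi-gcc` cross compiler are assumptions, as is that this compiler is one the C/C++ analyzer supports; the build wrapper simply records whatever compiler invocations the build makes.

```yaml
# Added example: Azure Pipelines job analyzing an embedded C/C++ project with
# SonarCloud. Connection, organization, project key and compiler are assumed.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'SonarCloud-ServiceConnection'   # assumed service connection name
      organization: 'my-org'                        # assumed organization key
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: 'my-org_firmware'              # assumed project key
      cliProjectName: 'firmware'
      cliSources: 'src'
      extraProperties: |
        # Directory written by the build wrapper step below; the analyzer reads
        # the captured compiler calls (include paths, defines, flags) from it.
        sonar.cfamily.build-wrapper-output=bw-output

  # The build wrapper records every compiler call the build makes, so the
  # custom toolchain is picked up from CC/CXX without any extra configuration,
  # provided the compiler itself is supported by the analyzer (assumption).
  - script: |
      curl -sSLo build-wrapper.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
      unzip -q build-wrapper.zip
      export CC=arm-none-eabi-gcc CXX=arm-none-eabi-g++
      ./build-wrapper-linux-x86/build-wrapper-linux-x86-64 --out-dir bw-output make clean all
    displayName: 'Build firmware under the SonarCloud build wrapper'

  - task: SonarCloudAnalyze@1

  # Wait for server-side processing so the Quality Gate result is available
  # to this pipeline run and to pull request decoration.
  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

Run a full rebuild (`make clean all`) under the wrapper: an incremental build skips unchanged files, and files that are never compiled during the wrapped build are not captured and therefore not analyzed.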