Hello everyone,
Thank you to everyone who joined our webinar session yesterday! Find below the questions that were asked:
Q: Is CodeCatalyst supported with Sonar analysis?
A: Yes, SonarCloud can integrate with CodeCatalyst as documented here: https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/amazon-codecatalyst/
Q: Can I set up a Quality Gate, so that Bugs and Vulnerabilities will cause a build failure, but Code Smells will not?
A: Yes. Create your own Quality Gate with the conditions you want to define. Docs for reference: quality gates
Whether a build fails or not is decided entirely by the conditions of your Quality Gate, so a custom Quality Gate with conditions on Bugs and Vulnerabilities but none on Code Smells gives you exactly that behaviour.
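To make the gate logic concrete, here is an added example (not Sonar's code) that models how a custom Quality Gate decides pass/fail and what a CI step would do with the verdict. The metric keys and operators follow SonarQube's naming (`new_bugs`, `new_vulnerabilities`, `GT` meaning "fail when the value is greater than the threshold", `LT` the reverse); the measures are constructed sample data, and the `ci_exit_code` helper is an assumption about how a pipeline would consume the result.

```python
# Added example (not Sonar's code): a local model of how a custom Quality Gate
# decides pass/fail. Metric keys and operators follow SonarQube naming
# ("new_bugs", "new_vulnerabilities", "GT" = fail when actual > threshold,
# "LT" = fail when actual < threshold); the measures below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    metric: str   # SonarQube metric key, e.g. "new_bugs"
    op: str       # "GT" or "LT", as in SonarQube's quality gate operators
    error: float  # threshold at which the condition fails


# A gate that fails on new Bugs or Vulnerabilities but has no Code Smell
# condition at all, so Code Smells can never fail the build.
BUGS_AND_VULNS_GATE = [
    Condition("new_bugs", "GT", 0),
    Condition("new_vulnerabilities", "GT", 0),
]


def is_breached(cond, actual):
    """True if the measured value violates the condition's threshold."""
    if cond.op == "GT":
        return actual > cond.error
    if cond.op == "LT":
        return actual < cond.error
    raise ValueError(f"unsupported operator {cond.op!r}")


def evaluate_gate(conditions, measures):
    """Return (status, failed_conditions); status is 'OK' or 'ERROR'.

    Metrics absent from `measures` (not computed for this analysis) are
    skipped. A metric with no condition at all (new_code_smells here) is
    never even looked at, which is why it cannot cause a failure.
    """
    failed = []
    for cond in conditions:
        actual = measures.get(cond.metric)
        if actual is None:
            continue
        if is_breached(cond, actual):
            failed.append(
                {"metric": cond.metric, "op": cond.op,
                 "threshold": cond.error, "actual": actual}
            )
    return ("ERROR" if failed else "OK"), failed


def ci_exit_code(conditions, measures):
    """What a pipeline step would return: 0 to continue, 1 to fail the build."""
    status, _ = evaluate_gate(conditions, measures)
    return 0 if status == "OK" else 1


# Constructed sample: a PR with many new code smells but also 2 new bugs.
SAMPLE_MEASURES = {
    "new_bugs": 2,
    "new_vulnerabilities": 0,
    "new_code_smells": 17,
}

if __name__ == "__main__":
    status, failed = evaluate_gate(BUGS_AND_VULNS_GATE, SAMPLE_MEASURES)
    print("Quality Gate:", status)
    for f in failed:
        print(f"  failed condition: {f['metric']} {f['op']} {f['threshold']}"
              f" (actual {f['actual']})")
    # Same PR with the bugs fixed: the 17 code smells alone pass the gate.
    fixed = {**SAMPLE_MEASURES, "new_bugs": 0}
    print("After fixing the bugs:", evaluate_gate(BUGS_AND_VULNS_GATE, fixed)[0])
```

In a real pipeline you do not evaluate the gate yourself: the scanner does it server-side, and setting `sonar.qualitygate.wait=true` makes the scanner wait for the result and exit non-zero when the gate is in ERROR, which is what turns a failed condition into a failed build.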
Q: In this session, do you give information about deploying infra via IaC paradigm and how SonarQube can secure those?
A: This webinar is focused on developing a Java application and analyzing using SonarQube. However, SonarQube does support IaC tools like Terraform, and CloudFormation.
You can also find the co-webinar we’ve done with HashiCorp on Terraform here Make your Terraform Projects more secure with Sonar Clean as You Code
Q: Is it possible to scan only the changes made by a PR to improve the performance of the scan?
A: Yes. For PR analysis only the changes can now be scanned: we enabled faster pull request analysis for all languages.
Q: Is the PR builds feature available in the Community Edition of SonarQube?
A: No, PR analysis is available in commercial editions only, starting from Developer Edition. Download | SonarQube
Q: Is it possible to get similar integration, to scan pull requests for feature branches, using GitHub Enterprise?
A: Yes. You can find here the documentation: https://docs.sonarsource.com/sonarqube/9.8/devops-platform-integration/github-integration/
Q: Does SonarQube come with a dependency-check scan feature?
A: No. SonarQube does static code analysis, including SAST. Its deeper SAST feature does look at the interaction of user code with open-source dependencies to find deeply hidden security vulnerabilities. Learn more at: https://www.sonarsource.com/solutions/security/
Q: Can we see more about how SonarQube triggers the build when a PR is opened?
A: What you saw during the presentation was triggered by EventBridge; here are some details on the process: Workshop Studio
Also, here is a link to the documentation on the EventBridge service: Event Listener - Amazon EventBridge - AWS
Q: What is the pricing of SonarQube for small companies with 1 to 5 developers?
A: Pricing is based on lines of code. There are no limits on the number of developers or the number of projects. Plans & Pricing
Q: Where on the web interface can we see details about "failed conditions"?
A: You can find your PR analysis results in the SonarQube user interface
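For teams that want the same "failed conditions" detail in a pipeline log rather than the UI, here is an added example (not Sonar's code) that reads a pull request's Quality Gate result from the SonarQube web API. It assumes the `GET api/qualitygates/project_status` endpoint with `projectKey` and `pullRequest` parameters and the response shape sketched in `SAMPLE_RESPONSE` (constructed), and that the token is sent as the Basic-auth username with an empty password; `SONAR_HOST_URL`, `SONAR_TOKEN`, the project key and the PR number are placeholders.

```python
# Added example (not Sonar's code): read a pull request's Quality Gate result,
# including its failed conditions, from the SonarQube web API instead of the UI.
# Assumed: GET api/qualitygates/project_status?projectKey=...&pullRequest=...
# and the response shape in SAMPLE_RESPONSE. Host, token, project key and PR
# number are placeholders.
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what the endpoint returns for a PR that failed the gate.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
        ],
    }
}


def summarize(response):
    """Return (gate_status, failed) where failed lists the conditions in ERROR.

    These are the same entries the UI shows as "failed conditions" on the PR.
    """
    project_status = response["projectStatus"]
    failed = [
        {"metric": c["metricKey"], "comparator": c["comparator"],
         "threshold": c["errorThreshold"], "actual": c["actualValue"]}
        for c in project_status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return project_status["status"], failed


def fetch_pr_status(host, token, project_key, pr_key):
    """Query the live server; the token goes in the Basic-auth username field."""
    query = urllib.parse.urlencode({"projectKey": project_key, "pullRequest": pr_key})
    url = f"{host.rstrip('/')}/api/qualitygates/project_status?{query}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host = os.environ.get("SONAR_HOST_URL")
    token = os.environ.get("SONAR_TOKEN")
    if host and token:
        # Placeholders: replace with your project key and PR number.
        response = fetch_pr_status(host, token, "my-project-key", "42")
    else:
        response = SAMPLE_RESPONSE  # offline: use the constructed sample
    status, failed = summarize(response)
    print("Quality Gate status:", status)
    for f in failed:
        print(f"  {f['metric']} = {f['actual']} "
              f"(fails: {f['comparator']} {f['threshold']})")
```

Run it with `SONAR_HOST_URL` and `SONAR_TOKEN` set to hit a real server; without them it walks the constructed sample so the parsing can be checked offline.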