[Webinar] Integrating Sonar Clean Code Practices in AWS CI/CD Workflows

Hello everyone!

We are excited to announce we will be hosting a webinar with AWS in December!

This session will present how to integrate Clean Code practices in AWS CI/CD Workflows and give plenty of insights on how SonarQube not only enhances the processes, but seamlessly integrates with AWS products such as CodeCommit, CodeBuild, and CodePipeline.

Title: Integrating Sonar Clean Code Practices in AWS CI/CD Workflows
Date and time: 2023-12-12T16:00:00Z
Speakers: Sylvain Combe, Sales Engineer at Sonar, and Ramon Lopez Narvaez, Senior Solutions Architect at AWS

Register now to attend!

Not sure you can make it to the live event, but still interested in this webinar? Register here to receive the recording after the session.

1 Like

Hello everyone,
Thank you to everyone who joined our webinar session yesterday! Find below the questions that were asked:

Q: Is CodeCatalyst supported with Sonar analysis?
A: Yes, SonarCloud can integrate with CodeCatalyst as documented here: https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/amazon-codecatalyst/

Q: Can I set up a Quality Gate, so that Bugs and Vulnerabilities will cause a build failure, but Code Smells will not?
A: Yes, you have to create your own Quality Gate with conditions that you want to define. Docs for reference: quality gates
What fails a build or not is defined by your Quality Gate, and you could create a custom Quality Gate.

Q: In this session, do you give information about deploying infra via IaC paradigm and how SonarQube can secure those?
A: This webinar is focused on developing a Java application and analyzing it using SonarQube. However, SonarQube does support IaC tools like Terraform and CloudFormation.
You can also find the co-webinar we’ve done with HashiCorp on Terraform here: Make your Terraform Projects more secure with Sonar Clean as You Code

Q: Is it possible to scan only the changes made by a PR to improve the performance of the scan?
A: Yes, now for PR analysis only the changes can be scanned; we enabled faster pull request analysis for all languages.

Q: Is the PR builds feature available in the Community Edition of SonarQube?
A: No, PR analysis is available in commercial editions only, starting from Developer Edition. Download | SonarQube

Q: Is it possible to get similar integration, to scan pull requests for feature branches, using GitHub Enterprise?
A: Yes. You can find here the documentation: https://docs.sonarsource.com/sonarqube/9.8/devops-platform-integration/github-integration/

Q: Does SonarQube come with a dependency-check scan feature?
A: No, SonarQube does static code analysis including SAST. The deeper SAST feature of SonarQube does look at the interaction of user code with open-source dependencies to find deeply hidden security vulnerabilities. Learn more at: https://www.sonarsource.com/solutions/security/

Q: Can we see more about how SonarQube triggers the build when a PR is opened?
A: What you have seen during the presentation was triggered by EventBridge. Here are some details on the process: Workshop Studio
Also, find here a link to the documentation on the EventBridge service: Event Listener - Amazon EventBridge - AWS

Q: What is the pricing of SonarQube for small companies with 1 to 5 developers?
A: Pricing is based on lines of code. There are no limits on the number of developers or the number of projects. Plans & Pricing

Q: Where on the web interface can we see details about "failed conditions"?
A: You can find your PR analysis results in the SonarQube user interface.

1 Like