Sonarqube

SonarQube is a self-managed, automated code review tool that performs static analysis (SAST) of source code and helps teams deliver clean, secure code.

Usage of Sonarqube in SSD

  • SSD mandates a SonarQube scan for the source that an image is built from. It queries SonarQube to check whether the source revision of the required image version has been scanned, and if no scan is found, SSD generates a security issue.

  • Once the SonarQube scan is done, SSD pulls the scan results from SonarQube and uses them to calculate the overall image and application risk scoring.

  • The scanned results are available in the Vulnerability Management page, Source section of the DBOM page, and the View Open Security Issues page.

  • Users can also create custom policies based on the SAST scan results. For example, a policy can block images built from a repository whose SonarQube quality gate check failed at the time of build.

To Integrate Sonarqube:

  1. Navigate to Config > Integrations.

  2. In the Source panel, click on Sonarqube.

  3. The Sonarqube integration page is displayed.

  4. Enter the URL and Token values of your Sonarqube account. (See Token for details on how to generate an API token.)

  5. Click Save. The tool is integrated in the source stage.

  6. You can edit the entered values by clicking the Edit option.

  7. Enter the new URL and token value and click Update.

The new values get updated.
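The following script shows, in working code, the two checks the bullets above describe: whether the source revision an image was built from has been analyzed by SonarQube, and whether its quality gate passed, plus a validation of the URL and token entered in the integration. It is an added example, not SSD's or SonarQube's own code. The endpoints and response shapes (`/api/authentication/validate`, `/api/project_analyses/search`, `/api/qualitygates/project_status`) are from the public SonarQube Web API; the SSD-side function names, the verdict format and the sample responses are assumptions made up for illustration.

```python
"""Added example: reproduce SSD's SonarQube checks against the SonarQube Web API.
Function names and the verdict dict are hypothetical; the API paths are real."""
import base64
import json
import urllib.parse
import urllib.request


def sonar_get(base_url, token, path, params=None):
    """GET a SonarQube Web API endpoint.
    A SonarQube token is sent as the username of HTTP Basic auth with an empty password."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_token(base_url, token):
    """True only if SonarQube accepts the token (what the integration's Save should verify)."""
    return bool(sonar_get(base_url, token, "/api/authentication/validate").get("valid"))


def find_analysis(analyses, revision):
    """Return the analysis whose 'revision' equals the image's source commit, else None."""
    for analysis in analyses:
        if analysis.get("revision") == revision:
            return analysis
    return None


def evaluate_image(analyses, gate, revision):
    """Policy decision for one image build.
    analyses: the 'analyses' list from /api/project_analyses/search
    gate:     the /api/qualitygates/project_status response for that analysis
    Returns a verdict dict (hypothetical format): scanned flag, gate status, issue text."""
    hit = find_analysis(analyses, revision)
    if hit is None:
        # Mirrors SSD raising a security issue when the revision was never scanned.
        return {"scanned": False, "gate": None,
                "issue": "source revision not scanned by SonarQube"}
    status = gate.get("projectStatus", {}).get("status")
    # SonarQube reports "OK" for a passed gate; "ERROR" means a condition failed.
    issue = None if status == "OK" else "SonarQube quality gate failed"
    return {"scanned": True, "gate": status, "issue": issue}


def check_live(base_url, token, project_key, revision):
    """Online version: fetch both responses from SonarQube, then decide."""
    analyses = sonar_get(base_url, token, "/api/project_analyses/search",
                         {"project": project_key})["analyses"]
    hit = find_analysis(analyses, revision)
    if hit is None:
        return evaluate_image(analyses, {}, revision)
    gate = sonar_get(base_url, token, "/api/qualitygates/project_status",
                     {"analysisId": hit["key"]})
    return evaluate_image(analyses, gate, revision)


# Constructed sample responses: same shape as the real API, values invented for this example.
SAMPLE_ANALYSES = [
    {"key": "AY1abc", "date": "2024-03-01T10:00:00+0000", "revision": "9f1c2d3e"},
    {"key": "AY1def", "date": "2024-03-02T12:00:00+0000", "revision": "5a6b7c8d"},
]
SAMPLE_GATE_FAIL = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_rating",
     "comparator": "GT", "errorThreshold": "1", "actualValue": "3"}]}}
SAMPLE_GATE_OK = {"projectStatus": {"status": "OK", "conditions": []}}

if __name__ == "__main__":
    print(evaluate_image(SAMPLE_ANALYSES, SAMPLE_GATE_FAIL, "5a6b7c8d"))  # scanned, gate ERROR
    print(evaluate_image(SAMPLE_ANALYSES, SAMPLE_GATE_OK, "9f1c2d3e"))    # scanned, gate OK
    print(evaluate_image(SAMPLE_ANALYSES, SAMPLE_GATE_OK, "deadbeef"))    # never scanned
```

Matching on the analysis `revision` rather than on "latest analysis exists" is the point: a project can have a green gate on a newer commit while the commit the image was actually built from was never analyzed, and the policy in the bullets above is meant to catch exactly that case. The token used here needs at least Browse permission on the project; anything wider is unnecessary for a read-only integration.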
