
SonarQube Scanner

What is SonarQube Scanner?

SonarQube is a widely used static analysis tool that scans source code for quality and security issues. It is available in Community and commercial editions and supports a wide range of programming languages.

The Uleska Platform integrates with SonarQube Community Edition by dynamically spinning up a SonarQube instance, scanning your source code with it, and returning the security vulnerabilities it finds.

Note that if you wish to use a commercial edition of SonarQube, or a SonarQube instance already running in your own environment, use the SonarQube Server adaptor instead.

Security Stage: SAST (Static Code Analysis)
Type: Community and Commercial
Languages: Java, JavaScript, C#, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, VB
Site: https://www.sonarqube.org/


Pre-requisites

1. You'll need the Git URL of the repository to scan.


How do I set it up?

Setting up SonarQube Scanner is simple, as there is no connection or configuration to apply for the tool adaptor. You add this testing tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool to, and edit the version (stage) configuration.


  • Ensure that the version's 'Uri' is set to the Git URL of the repository being tested (either through the Uleska UI, or via the CLI/API). This URL includes the branch and the authentication details needed to clone the repository. Because those credentials are stored with the version configuration, prefer a read-only access token scoped to that repository over a personal password.


  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'Sonar-Scanner' tool.


  • Click Save.

Now, any time you click 'Test Now' for that application stage, or request that stage over the Uleska API or CLI, the SonarQube tool is included in the test run and any results are added to your vulnerabilities list.
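The only input the adaptor depends on is the version's 'Uri', and the part of it that is easy to get wrong is the embedded credential. The following Python helper is an added example, not part of the Uleska platform, CLI or documentation: it builds an https Git URL carrying a username and token, and produces a redacted form that is safe to show in logs or CLI output. The username and token are percent-encoded so that characters such as '/', '@' or ':' inside a token cannot be mistaken for URL delimiters, a URL that already carries credentials is rejected rather than doubled up, and only https is accepted. The repository URL, username and token below are constructed sample values. How the platform expects the branch to be expressed in the Uri is not specified on this page, so the example leaves the branch out.

```python
from urllib.parse import quote, urlsplit, urlunsplit


def with_credentials(repo_url: str, username: str, token: str) -> str:
    """Return repo_url with username:token in the userinfo part.

    Both values are percent-encoded with no 'safe' characters, so a token
    such as 'tok/en@x' becomes 'tok%2Fen%40x' instead of corrupting the URL.
    """
    parts = urlsplit(repo_url)
    if parts.scheme != "https":
        # Credentials in a plain http URL would travel in clear text.
        raise ValueError("only https URLs may carry embedded credentials")
    if "@" in parts.netloc:
        raise ValueError("URL already carries credentials")
    userinfo = f"{quote(username, safe='')}:{quote(token, safe='')}"
    netloc = f"{userinfo}@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact(url: str) -> str:
    """Replace any userinfo in url with '***' so the token never reaches a log."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # rsplit on the last '@': an unencoded '@' in the token must not leak the host split.
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values; use a read-only token scoped to the repository.
    uri = with_credentials("https://github.com/example/app.git", "deploy", "tok/en@x")
    print("Uri to store in the version:", uri)
    print("Uri as it should appear in logs:", redact(uri))
```

A practitioner would pass the first value to the version's 'Uri' field and use the second anywhere the configuration is echoed back, for example in CI job output.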

Notes

None