SonarQube is a widely used static analysis tool that scans code for quality and security issues. It is available in community and commercial editions and supports a wide range of programming languages.
The Uleska Platform integrates with your own instance of the SonarQube Community or Professional edition: you set up a connection to that instance, and the platform scans your source code with it and returns the security vulnerabilities it reports.
Note that if you wish to use the commercial version of SonarQube, or an instance of SonarQube within your environment, you can use the SonarQube Scanner adaptor.
| | |
| --- | --- |
| Security Stage | SAST (Static Code Analysis) |
| Type | Community and Commercial |
| # | Prerequisite |
| --- | --- |
| 1 | You'll need a Git Address to scan |
| 2 | You'll need a SonarQube instance to connect to |
There are three steps to setting up SonarQube with your instance:

1. Create a user API token. To connect your SonarQube instance and the Uleska Platform, you'll need a user API token; see the SonarQube instructions at https://docs.sonarqube.org/latest/user-guide/user-token/ to set this up.
2. Set up a connection configuration. Now that you have your access user and token, you can set up a connection configuration.
3. Create a custom toolkit. Follow our guide on Creating a Custom Toolkit, and choose SonarQube Server from the tool list.

When you scan your Application Version with SonarQube Server, the tool will use the Application Name as the SonarQube Component Key.
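As an added illustration of what the connection above relies on (example code written for this page, not Uleska's or SonarQube's own integration), the script below authenticates to a SonarQube instance with a user token and pulls the unresolved vulnerabilities for a component key equal to the Application Name. The `api/issues/search` endpoint, its `componentKeys`, `types`, `resolved`, `p` and `ps` parameters, and the use of the token as the HTTP Basic username with an empty password are SonarQube's public Web API; the instance URL, token, application name and the sample response are constructed placeholders. How the Uleska Platform performs this call internally is not described on this page.

```python
"""Query a SonarQube instance for open vulnerabilities on one component key.

Added example for the integration described above; not Uleska or SonarQube code.
Assumed: SonarQube's Web API endpoint api/issues/search and its parameters, and
that the Uleska Application Name is used verbatim as the SonarQube component key.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed values, not from the page. Replace with your own instance and token.
SONARQUBE_URL = "https://sonarqube.example.internal"
USER_TOKEN = "squ_example_token_placeholder"   # user token from My Account > Security
APPLICATION_NAME = "payments-api"              # Uleska Application Name == component key


def auth_header(token: str) -> dict:
    """SonarQube user tokens are sent as the HTTP Basic username with an empty password."""
    encoded = base64.b64encode(f"{token}:".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {encoded}"}


def issues_url(base_url: str, component_key: str, page: int = 1, page_size: int = 100) -> str:
    """Build the api/issues/search request for unresolved vulnerabilities on one component."""
    params = {
        "componentKeys": component_key,
        "types": "VULNERABILITY",
        "resolved": "false",
        "p": page,
        "ps": page_size,
    }
    return f"{base_url.rstrip('/')}/api/issues/search?{urlencode(params)}"


def summarize(pages: list) -> dict:
    """Merge one or more api/issues/search pages into per-severity counts and a flat finding list."""
    by_severity = {}
    findings = []
    for payload in pages:
        for issue in payload.get("issues", []):
            sev = issue.get("severity", "UNKNOWN")
            by_severity[sev] = by_severity.get(sev, 0) + 1
            findings.append({
                "rule": issue.get("rule"),
                "severity": sev,
                # component keys look like "<project key>:<path>"; keep only the path
                "file": issue.get("component", "").split(":", 1)[-1],
                "line": issue.get("line"),
                "message": issue.get("message"),
            })
    return {"total": len(findings), "by_severity": by_severity, "findings": findings}


def fetch_vulnerabilities(base_url: str, component_key: str, token: str) -> dict:
    """Live call: walk every result page and summarize it (needs network; not exercised offline)."""
    pages, page = [], 1
    while True:
        req = urllib.request.Request(issues_url(base_url, component_key, page),
                                     headers=auth_header(token))
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        pages.append(payload)
        paging = payload.get("paging", {})
        if page * paging.get("pageSize", 100) >= paging.get("total", 0):
            break
        page += 1
    return summarize(pages)


# Constructed sample page in the shape api/issues/search returns; not real scan output.
SAMPLE_PAGE = {
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 2},
    "issues": [
        {"key": "AX1", "rule": "python:S2068", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "payments-api:src/config.py", "line": 12,
         "message": "\"password\" detected here, make sure this is not a hard-coded credential."},
        {"key": "AX2", "rule": "python:S5144", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "payments-api:src/webhooks.py", "line": 40,
         "message": "Change this code to not construct the URL from user-controlled data."},
    ],
}

if __name__ == "__main__":
    print(issues_url(SONARQUBE_URL, APPLICATION_NAME))
    print(json.dumps(summarize([SAMPLE_PAGE]), indent=2))
```

The offline path (`issues_url`, `auth_header`, `summarize`) shows the request the connection has to be able to make and what comes back; `fetch_vulnerabilities` is the same logic against a live instance. If the Application Name and the SonarQube project key differ, the query returns zero issues rather than an error, which is the first thing to check when a scan comes back empty.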