
SonarCloud

SonarCloud API Integration

This API integration automates the SonarCloud code scan, creates assessments based on the code smells, bugs and vulnerabilities found, and then creates child issues linked to the assessment, with severities based on the severity level assigned by SonarCloud.

There are 3 issue types available within SonarCloud:

  • Bug
  • Vulnerability
  • Code Smell

Within these issue types there are 4 Security Categories available in SonarCloud:

  • SonarSource
  • OWASP (Open Web Application Security Project)
  • SANS (SysAdmin, Audit, Network, and Security)
  • CWE (Common Weakness Enumeration)

SonarCloud assigns one of 5 severities, which are condensed when the RegScale issues are created:

  • Blocker
  • Critical
  • Major
  • Minor
  • Info

(NOTE: Requires release 4.14.0 or greater.)

This tool is meant to be run as part of automated code checks when the pipeline is run and is not meant to be run separately as a regscale-cli command.

Issues Processing Workflow

The CLI currently supports processing issues and alerts from SonarCloud as Issues and Assessments in RegScale; the processing workflow is shown below:

  • The user first logs into RegScale via the CLI to set the access token, or otherwise creates a service account as described in the CLI Login documentation.
  • The user then calls the CLI to sync SonarCloud issues and alerts, setting the following flags:
    • regscale_id - the ID # of the RegScale record with which to associate the SonarCloud issues and alerts.
    • regscale_module - the RegScale module of that record; please view RegScale Modules for the available options.
  • The CLI then retrieves all issues and alerts from SonarCloud.
  • The CLI then processes all retrieved records and does the following:
    • Creates an Assessment in RegScale for each of the SonarCloud alerts.
    • Creates Issues in RegScale from the SonarCloud issues.

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of any issues.

Init.yaml Configuration

Two values in init.yaml control the SonarCloud API integration; only the first is required:

  • sonarToken - The SonarCloud token assigned in the UI (required).
  • sonarUrl - Only needed for an on-prem deployment; set this variable in the init.yaml to point at that deployment.

The first step is to set these values in the init.yaml file.

Running the SonarCloud API Integration

You can execute the CLI from a script written in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Sonarcloud.sh") for Ubuntu that runs the SonarCloud API integration.

#!/bin/sh

# Sync SonarCloud issues and alerts into RegScale record 20 in the securityplans module
regscale sonarcloud sync_alerts --regscale_id 20 --regscale_module securityplans

To execute the Bash file, run this command: /path/to/folder/Sonarcloud.sh.
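The following is an added example for the two sections above (the init.yaml configuration and running the integration from a pipeline); it is not part of the RegScale documentation or CLI. It wraps the sync command in a script that fails fast when init.yaml has no usable sonarToken and refuses malformed regscale_id / regscale_module values, so a misconfigured pipeline stops before the regscale command runs. The init.yaml path, the REGSCALE_ID / REGSCALE_MODULE / DRY_RUN environment variables and the sample token are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the RegScale project's own code. Assumes init.yaml uses the
# "sonarToken:" and "sonarUrl:" keys described above; everything else is constructed.

# Return 0 when the init.yaml at $1 carries a non-empty sonarToken that is not a
# leftover placeholder, 1 otherwise. The token value itself is never printed.
has_sonar_token() {
  f="$1"
  [ -f "$f" ] || return 1
  val=$(sed -n 's/^sonarToken:[[:space:]]*//p' "$f" | head -n 1 | tr -d "\"' ")
  [ -n "$val" ] && [ "$val" != "<your-sonarcloud-token>" ]
}

# Print the regscale sync command for record id $1 in module $2; return 1 when
# the id is not a positive integer or the module name is missing.
build_sync_cmd() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ -n "$2" ] || return 1
  printf 'regscale sonarcloud sync_alerts --regscale_id %s --regscale_module %s\n' "$1" "$2"
}

# --- Self-contained demonstration with a constructed init.yaml -----------------
workdir=$(mktemp -d)
cat > "$workdir/init.yaml" <<'EOF'
# constructed sample for the example; the token below is not a real credential
sonarToken: "sample-token-not-real"
sonarUrl: "https://sonar.example.internal"
EOF

if ! has_sonar_token "$workdir/init.yaml"; then
  echo "init.yaml is missing sonarToken; set it before running the sync" >&2
  exit 1
fi

cmd=$(build_sync_cmd "${REGSCALE_ID:-20}" "${REGSCALE_MODULE:-securityplans}") || {
  echo "usage: REGSCALE_ID=<number> REGSCALE_MODULE=<module> $0" >&2
  exit 1
}

# DRY_RUN=1 (the default here) only prints the command; set DRY_RUN=0 in the
# pipeline step so the regscale CLI actually runs and its exit code fails the job.
if [ "${DRY_RUN:-1}" = 1 ]; then
  echo "dry run: $cmd"
else
  $cmd
fi
rm -rf "$workdir"
```

In a real pipeline, point has_sonar_token at the init.yaml the CLI reads and keep that file out of version control; populate sonarToken from the CI system's secret store at job start so the token never lands in the repository or the build log.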