SonarCloud
SonarCloud API Integration
This API integration automates the SonarCloud code scan, creates assessments based on the code smells, bugs, and vulnerabilities found, and then creates child issues linked to the assessment, with severities based on the vulnerability severity level assigned by SonarCloud.
There are 3 issue types available within SonarCloud:
- Bug
- Vulnerability
- Code Smell
Within these issue types there are 4 Security Categories available in SonarCloud:
- SonarSource
- OWASP (Open Web Application Security Project)
- SANS (SysAdmin, Audit, Network, and Security)
- CWE (Common Weakness Enumeration)
There are 5 severities available from SonarCloud that are condensed within the RegScale issue creation:
- Blocker
- Critical
- Major
- Minor
- Info
(NOTE: Requires release 4.14.0 or greater.)
This tool is meant to be run as part of automated code checks when the pipeline is run and is not meant to be run separately as a regscale-cli command.
Init.yaml Configuration
There is 1 piece of information required to use the SonarCloud API integration:
sonarToken
- The SonarCloud token assigned in the UI
The first step is to set the value for this variable in the init.yaml file.
Running the SonarCloud API Integration
You can execute Python files using scripts. These scripts can be written in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Sonarcloud.sh") in Ubuntu for executing the SonarCloud API integration that runs the automated Dependabot vulnerability scan.
#!/bin/sh
# Run the automated GitHub Dependabot vulnerability scan
python3 sonarcloud.py
To execute the Bash file, run this command: /path/to/folder/Sonarcloud.sh
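Because init.yaml holds the sonarToken credential, the wrapper script can check it before calling python3 sonarcloud.py. The following is an added example, not part of RegScale's code: it confirms that a sonarToken is set, that the file is not readable by group or other users, and that it is not tracked by git. It assumes init.yaml is in the working directory with a top-level sonarToken: line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not RegScale's own code. Assumes init.yaml is in the working
# directory and stores the token as a top-level "sonarToken: <value>" line.

# Print the sonarToken value (quotes and trailing comment stripped).
read_sonar_token() {
    sed -n 's/^sonarToken:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/^#.*$//' -e 's/[[:space:]]\{1,\}#.*$//' \
            -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Return 0 when init.yaml is safe to use, otherwise a distinct non-zero code.
check_init_yaml() {
    file=${1:-init.yaml}
    [ -f "$file" ] || { echo "preflight: $file not found" >&2; return 2; }

    # An empty or template value makes the scan fail late; catch it first.
    # The token itself is never echoed, so it cannot leak into pipeline logs.
    token=$(read_sonar_token "$file")
    case $token in
        ''|'<'*'>'|changeme)
            echo "preflight: sonarToken missing or placeholder" >&2; return 3 ;;
    esac

    # The file holds a credential: no group/other permission bits allowed.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "preflight: $file mode too open ($perms), use chmod 600" >&2
        return 4
    }

    # A tracked init.yaml means the token is in repository history.
    if git -C "$(dirname "$file")" ls-files --error-unmatch \
            -- "$(basename "$file")" >/dev/null 2>&1; then
        echo "preflight: $file is tracked by git; rotate the token" >&2
        return 5
    fi
    return 0
}

# Pipeline entry point: run the integration only after the checks pass.
run_sonarcloud_scan() {
    check_init_yaml init.yaml && python3 sonarcloud.py
}
```

In Sonarcloud.sh, calling run_sonarcloud_scan in place of the bare python3 line makes the pipeline step fail with a distinct exit code before any API call is attempted.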