HomeGuidesAPI ReferenceChangelog
Log In
Guides

SonarCloud

SonarCloud API Integration

This API integration is able to automate the sonarcloud code scan, create assessments based off the code smells, bugs and vulnerabilties found then create child issues linked to the assessment with severities based on the vulnerability severity level assigned by sonarcloud

There are 3 issue types available within SonarCloud:

  • Bug
  • Vulnerability
  • Code Smell

Within these issue types there are 4 Security Categories available in SonarCloud:

  • SonarSource
  • OWASP (Open Web Applicatin Security Project)
  • SANS (SysAdmin, Audit, Network, and Security)
  • CWE (Common Weakness Enumeration)

There are 5 severities available from SonarCloud that are condensed within the RegScale issue creation:

  • Blocker
  • Critical
  • Major
  • Minor
  • Info

(NOTE: Requires release 4.14.0 or greater.)

This tool is meant to be run as part of automated code checks when the pipeline is run and is not meant to be run separately as a regscale-cli command.

Init.yaml Configuration

There is 1 piece of information required to use the sonarcloud API integration:

  • sonarToken - The sonarcloud token assigned in the UI

The first step is to set the values for this variable in the init.yaml file.

Running the SonarCloud API Integration

You can execute python files using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "Sonarcloud.sh") in Ubuntu for executing the SonarCloud API integration that runs the automated dependabot vulnerability scan.

#!/bin/sh

# Run the automated github dependabot vulnerabilty scan
python3 sonarcloud.py

To execute the Bash file, run this command: /path/to/folder/Sonarcloud.sh.