# SonarQube

SonarQube scanner that uses SonarQube Cloud Edition to generate findings.

## How to use

### Open-Source
- Add the component to the workflow:

  ```yaml
  # file: ./my-workflow/workflow.yml
  description: Sonarqube based workflow
  name: sonarqube
  components:
    - component: ghcr.io/smithy-security/smithy/manifests/components/targets/git-clone:v1.4.0
    - component: file://components/scanners/sonarqube/component.yaml
    - component: ghcr.io/smithy-security/private-components/manifests/components/enrichers/exploit-exists:v0.0.3
    - component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.0.2
  ```
- Configure the run parameters of the component in the overrides file:

  ```yaml
  # file: ./my-workflow/overrides.yaml
  git-clone:
    - name: "repo_url"
      type: "string"
      value: "https://github.com/sqreen/go-dvwa.git"
    - name: "reference"
      type: "string"
      value: "master"
  sonarqube:
    - name: "auth_token"
      type: "string"
      value: "xxx"
    - name: "project_key"
      type: "string"
      value: "xxx"
    - name: "project_name"
      type: "string"
      value: "xxx"
    - name: "organization"
      type: "string"
      value: "xxx"
    - name: "target_repository_url"
      type: "string"
      value: "https://github.com/sqreen/go-dvwa.git"
    - name: "target_repository_reference"
      type: "string"
      value: "master"
  ```
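As an added pre-flight check that is not part of the Smithy project or of this component's code, the script below parses an overrides file in the shape shown above and validates its `sonarqube` block against the Options table: the required options must be present and no longer the `xxx` placeholder, `project_key` must have the `$organization_$project_name` form, and the polling interval and integer options must be well typed. It assumes the duration format is the `5s` style used in the table and runs on a constructed sample, not the project's file.

```python
import re

REQUIRED = ("auth_token", "project_key", "project_name", "organization")
DURATION = re.compile(r"^\d+(ms|s|m|h)$")  # "5s"-style value (assumed format)

def parse_overrides(text):
    """Minimal parser for the flat overrides.yaml shape on this page
    (component -> list of name/type/value entries); not general YAML."""
    overrides, params, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and line.endswith(":"):  # component key at column 0
            params = overrides.setdefault(line[:-1], [])
            continue
        if line.startswith("- "):  # first key of a new entry
            entry = {}
            params.append(entry)
            line = line[2:]
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip().strip('"')
    return overrides

def check_sonarqube_overrides(overrides):
    """Return a list of problems; an empty list means the sonarqube block is usable."""
    p = {e["name"]: e.get("value", "") for e in overrides.get("sonarqube", [])}
    problems = [f"{n} is required but missing or still a placeholder"
                for n in REQUIRED if p.get(n, "") in ("", "xxx")]  # "xxx" = README placeholder
    if all(p.get(k) for k in ("organization", "project_name", "project_key")) and \
            p["project_key"] != f"{p['organization']}_{p['project_name']}":
        problems.append("project_key must have the form <organization>_<project_name>")
    if "status_polling_interval" in p and not DURATION.match(p["status_polling_interval"]):
        problems.append("status_polling_interval must be a duration such as 5s")
    for n in ("client_query_page_size", "status_polling_max_retries"):
        if n in p and not p[n].isdigit():
            problems.append(f"{n} must be an integer")
    return problems

# Constructed sample in the page's overrides.yaml shape (not the project's file).
SAMPLE = """\
sonarqube:
  - name: "auth_token"
    type: "string"
    value: "xxx"
  - name: "status_polling_interval"
    type: "string"
    value: "five seconds"
"""
```

Running `check_sonarqube_overrides(parse_overrides(SAMPLE))` reports the placeholder token, the three other missing required options and the malformed interval.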
### SaaS

- In the Smithy UI, open the page to create a new workflow.
- Find the SonarQube component in the Scanners dropdown.
- Fill in the form on the right.
## Options

You can configure this component with the following options. Options that have a default value are optional:

| Option Name | Description | Default | Type |
|---|---|---|---|
| [Required] auth_token | The SonarQube auth token. | | String |
| [Required] project_key | The project key of the SonarQube project you want to report findings to. It has the form `$organization_$project_name`. | | String |
| [Required] project_name | The project name of the SonarQube project you want to report findings to. | | String |
| [Required] organization | The name of your SonarQube organization. | https://sonarcloud.io | String |
| host_base_url | The base URL of your SonarQube Cloud instance. | | String |
| target_repository_url | The URL of the repository generating the findings. | | String |
| target_repository_reference | The reference of the repository generating the findings. | | String |
| client_query_page_size | Page size for the batched HTTP calls to the SonarQube Cloud API. | 50 | Integer |
| status_polling_interval | How often the SonarQube Cloud API is polled to check whether a scheduled scan task has completed. | 5s | Duration |
| status_polling_max_retries | How many attempts are made to check whether a scheduled task has completed. | 240 | Integer |