Securing Codes Using SonarQube
Hola Hola, I hope you guys are taking good care of yourselves. This blog will be different from my usual bug bounty write-ups: in this one, we will learn how to take good care of code.
A Static Application Security Testing (SAST) tool is important for securing applications because it identifies vulnerabilities in the source code itself.
- Automated and Continuous Security Scanning: SAST tools like SonarQube can easily be integrated into the CI/CD pipeline to perform continuous security checks, ensuring that only reviewed code is deployed.
- Detection of Vulnerabilities at an Early Stage: By using SAST, security vulnerabilities can be identified and fixed during the development phase, reducing the effort of fixing issues later in the software lifecycle.
- Reducing Security Risk while Enhancing Code Quality: Detecting OWASP Top 10 classes of vulnerability in code, such as hardcoded secrets, cross-site scripting and SQL injection, reduces overall security risk and enhances code quality by enforcing secure coding practices.
- Reduced Time and Effort in Manual Code Reviews: By automating the detection of security flaws in code, it reduces the time and effort the security team spends on manual code reviews.
- Marketplace/External Plugins: Plugins like SpotBugs and Dependency-Check can be installed from the marketplace.
Why SonarQube?
SonarQube is a code quality and security analysis tool that provides SAST capabilities by detecting security vulnerabilities, bugs and code smells in the source code.
- Static code analysis: Sonar's static application security testing (SAST) engine detects security vulnerabilities in your code so they can be eliminated before you build and test your application.
- Secrets detection: SonarQube Server includes a powerful secrets detection tool, one of the most comprehensive solutions for detecting and removing secrets in code.
- Multi-Language Support: Supports 30+ programming languages, including Java, Python, JavaScript, C#, PHP, C++, Kotlin, and Go.
- CI/CD Integration: Seamlessly integrates with CI/CD pipelines (Jenkins, GitHub Actions).
- Security Hotspot Detection: Identification of risky code areas that require manual review.
Ways to perform a scan
There are multiple ways to run the sonar scanner to perform SAST. Below are a few approaches.
1. SonarQube stage in Jenkinsfile/CI/CD:
If the organization uses a central CI/CD pipeline or a separate Jenkinsfile for each repository, this will come in handy. A separate SonarQube Analysis stage can be added to the CI/CD pipeline or to the Jenkinsfile of each repository.
stages {
    stage('SonarQube Analysis') {
        steps {
            script {
                // SONARQUBE_SERVER is the name of the SonarQube installation configured in Jenkins
                withSonarQubeEnv(SONARQUBE_SERVER) {
                    sh '''
                        # sonar.token replaces the deprecated sonar.login property
                        sonar-scanner \
                            -Dsonar.projectKey=$REPO_NAME \
                            -Dsonar.sources=. \
                            -Dsonar.host.url=https://sonarqube.example.com/ \
                            -Dsonar.token=$SONAR_TOKEN
                    '''
                }
            }
        }
    }
}
2. Using a script on local/server to run sonar-scanner
Some organizations (mainly early-stage startups) prefer not to add a SonarQube stage to the CI/CD pipeline, or you may want to run SonarQube once, or monthly, on each repository. In that case you can write a Python or Bash script that uses the command below to run a SonarQube scan on all repositories. This is not a good way to use SonarQube.
Clone all repositories to the local/server environment -> run sonar-scanner on each repository
# $repository_name and $sonar_token are set by the script for each repository
# (a hyphen in a shell variable name is not allowed, so use an underscore)
sonar-scanner \
    -Dsonar.projectKey="$repository_name" \
    -Dsonar.sources=. \
    -Dsonar.host.url=https://sonarqube.example.com/ \
    -Dsonar.token="$sonar_token"
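The following script is an added example of the "clone everything, then scan each repository" approach described above; it is not the author's script. It derives a project key from each clone URL, clones the repository, and runs the same sonar-scanner command. The token is handed to the scanner through the SONAR_TOKEN environment variable (which recent SonarScanner CLI versions read) rather than on the command line, so it does not show up in process listings or shell history. The repository list, host name and `example-org` paths are constructed placeholders.

```python
"""Scan a list of Git repositories with sonar-scanner.

Added example for this post (not the author's script): it clones each
repository and runs the sonar-scanner command shown above, passing the token
through the SONAR_TOKEN environment variable instead of on the command line.
"""
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict

# Constructed sample inventory; replace with the organisation's real list.
SAMPLE_REPOS = [
    "git@github.com:example-org/payments-api.git",
    "https://github.com/example-org/web-frontend.git",
]


def project_key_from_url(url: str) -> str:
    """Derive a SonarQube project key from a clone URL.

    'git@github.com:example-org/payments-api.git' -> 'example-org_payments-api'
    Keys may contain only letters, digits, '-', '_', '.' and ':', so anything
    else (including the '/' between owner and repo) is replaced by '_'.
    """
    path = url.rstrip("/")
    path = re.sub(r"^(?:git@[^:]+:|[a-z]+://[^/]+/)", "", path)
    if path.endswith(".git"):
        path = path[:-4]
    return re.sub(r"[^A-Za-z0-9_.:-]", "_", path)


def scanner_command(project_key: str, host_url: str) -> list:
    """Build the sonar-scanner argv. No token appears here: SonarScanner CLI
    reads it from SONAR_TOKEN, so it never shows up in `ps` or shell history."""
    return [
        "sonar-scanner",
        f"-Dsonar.projectKey={project_key}",
        "-Dsonar.sources=.",
        f"-Dsonar.host.url={host_url}",
    ]


def scan_all(repos, host_url, token, workdir, run=subprocess.run) -> Dict[str, str]:
    """Clone each repository into workdir and scan it.

    Returns {project_key: "ok" | "clone-failed" | "scan-failed"}. `run` is
    injectable so the loop can be exercised without git or a SonarQube server.
    """
    results = {}
    for url in repos:
        key = project_key_from_url(url)
        dest = os.path.join(workdir, key)
        # Full clone on purpose: a shallow clone (--depth 1) makes the scanner
        # skip SCM blame data, which breaks new-code detection on the server.
        clone = run(["git", "clone", url, dest], check=False)
        if clone.returncode != 0:
            results[key] = "clone-failed"
            continue
        env = dict(os.environ, SONAR_TOKEN=token)
        scan = run(scanner_command(key, host_url), cwd=dest, env=env, check=False)
        results[key] = "ok" if scan.returncode == 0 else "scan-failed"
    return results


if __name__ == "__main__":
    host = os.environ.get("SONAR_HOST_URL", "https://sonarqube.example.com/")
    tok = os.environ["SONAR_TOKEN"]  # fail fast if the token is missing
    with tempfile.TemporaryDirectory() as tmp:
        outcome = scan_all(SAMPLE_REPOS, host, tok, tmp)
    for key, status in outcome.items():
        print(f"{key}: {status}")
    sys.exit(0 if all(s == "ok" for s in outcome.values()) else 1)
```

Run it with `SONAR_TOKEN` (and optionally `SONAR_HOST_URL`) exported; the exit code is non-zero when any clone or scan fails, so a cron job or monthly pipeline can alert on it. The clones are made into a temporary directory that is removed afterwards, which keeps source trees from accumulating on a shared scan host.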
3. Using a GitHub workflow
The Sonar scanner can be invoked from a GitHub workflow by adding a separate sonarqube.yml file to each repository in its .github/workflows/ directory. With this workflow, SonarQube can also be invoked on pull requests.
If the SonarQube server is only reachable over VPN, you can use one of the methods below:
1. By using a GitHub-hosted runner: You have to use the OpenVPN configuration (stored as a secret) in GitHub Actions to first connect to the VPN, after which the SonarQube scan is executed.
name: SonarQube Analysis
on:
  push:
    branches:
      - master
      - main
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install OpenVPN
        run: sudo apt-get install -y openvpn
      - name: Connect to VPN
        run: |
          echo "${{ secrets.VPN_CONFIG }}" > vpnconfig.ovpn
          sudo openvpn --config vpnconfig.ovpn --daemon
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: "https://sonarqube.example.com"
        with:
          args: >
            -Dsonar.projectKey=<repo-name>
            -Dsonar.organization=org-name
            -Dsonar.sources=.
If the SonarQube server is public, remove the Connect to VPN step from the above action.
2. By using a self-hosted runner: You have to host a runner in your cloud environment and ensure that the SonarQube server is reachable from that self-hosted runner.
name: SonarQube Analysis
on:
  push:
    branches:
      - master
      - main
jobs:
  sonar:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v3
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: "https://sonarqube.example.com/"
        with:
          args: >
            -Dsonar.projectKey=<repo-name>
            -Dsonar.organization=org-name
            -Dsonar.sources=.
Note: Don't forget to use the sonar scanner that matches the type of project; the above example is for projects based on JS, TS, Go, Python, PHP, etc.
Thanks for reading. Do clap and share if you liked it. Sayonara and Happy Hacking!
Twitter: 7he_unlucky_guy
Linkedin: Vijeta