Azure DevOps — Sonar Cloud
What is Static Application Security Testing? (SAST)
Static analysis is a testing method that analyzes code to find vulnerabilities in organizations’ applications. SAST scans the application before the code is compiled. It is known as white box testing.
It is the process of scanning source code for vulnerabilities in the early stages of development (SDLC). This helps catch and fix potential security issues before they progress.
SAST solutions analyze an application from the “inside out”. Ignoring security when writing code can lead to big problems. SAST mitigates security risks in your applications by instantly detecting issues that arise in your code during development and providing feedback to developers.
As developers, we all want to improve our security while working, right? SAST does just that. It gives you real-time suggestions and makes it easy to navigate through lines of code. So you can discover vulnerabilities faster and collaborate to resolve them. This way, we can write less vulnerable and more secure code. Developing a more secure application means less need to constantly update and modernize your application and software.
In summary, SAST is not only a security tool, but also a tool that makes your code writing process more efficient and secure.
Why is SAST important?
SAST (Static Application Security Testing) provides significant cost and time savings by identifying security vulnerabilities early in the software development process.
- Faster time to market
- Cost savings
- Quality code
- Strong cooperation
Shift left, the DevOps extension that considers security as a vital component, we know that DevSecOps is a vital element. It is crucial to ensure that security controls are continuously enforced by providing automated and continuous testing.
It is always worth repeating;
The security is directly proportional to the awareness of the organization.
What is SonarQube?
As an open source platform, SonarQube is a great tool to help you manage your code quality, security and maintainability.
So, what can you do with SonarQube?
SonarQube performs static code analysis to improve the quality of your code. This way you can easily identify quality issues and bugs in your code. It also takes into account important metrics such as code repetitions and coverage percentage. This gives you a clear picture of how much of your code has been tested and where you need to make improvements.
When it comes to security, SonarQube is here too. It helps you improve security by detecting vulnerabilities and inappropriate code patterns in your code. Thus, your projects become more robust and secure.
With these tools and services from SonarQube, you can continuously review and improve your code quality and develop more sustainable projects.
We know how important quality is in coding. With SonarQube, it is much easier to maintain and improve this quality. Let’s build a SAST pipeline on Azure DevOps together.
How to Integrate Azure Pipeline, Unit testing and SonarCloud?
I will try to explain these steps to you one by one. Now let’s first create a SonarCloud account. After opening your account, let’s log in. https://www.sonarsource.com/products/sonarcloud/signup/
Let’s create a new organization with the Create new organization option.
Let’s enter the names of our related project here. At the plan stage, I will use the free version. If you wish, you can continue with the paid plan option. After selecting the option, the analyze project screen will confuse us.
We also fill in the required fields here. If you want a private project scan. I recommend you to read the pricing page carefully here. Let’s continue with the next step with Create Project.
Now let’s examine the Azure DevOps steps to integrate our project.
If you are signing up for Azure DevOps for the first time. You may not have free agent rights. So if you fill out the relevant form https://aka.ms/azpipelines-parallelism-request. After a few days you will be entitled to free agent (1800min). I have done these parts before; if you have done them too, you can skip this step.
Let’s first integrate our project into the azure repo. You can add your own project. You can also continue on my project if you wish.
Then let’s create a pipeline by coming to the pipeline option on azure devops. We will create a modular structure here. So let’s first examine our sonar-sast-scan.yml file.
parameters:
sonar_organization: ''
sonar_projectKey: ''
sonar_projectName: ''
sonar_projectVersion: ''
sonar_sources: ''
sonar_reportPaths: ''
sonar_X: ''
sonar_language: ''
sonar_eslintconfigpath: ''
jobs:
- job: Sonar_SAST_Scan_Job
steps:
- task: SonarCloudPrepare@1
displayName: 'Prepare SonarCloud analysis'
inputs:
SonarCloud: 'SonarCloud'
organization: $(sonar_organization)
scannerMode: 'CLI'
configMode: 'manual'
cliProjectKey: $(sonar_projectKey)
cliProjectName: $(sonar_projectName)
cliSources: 'backend'
extraProperties: |
sonar.sourceEncoding=UTF-8
sonar.sources=$(sonar_sources)
sonar.javascript.lcov.reportPaths=$(sonar_reportPaths)
sonar.X=$(sonar_X)
sonar.language=$(sonar_language)
sonar.eslint.eslintconfigpath=$(sonar_eslintconfigpath)
continueOnError: true
- task: SonarCloudAnalyze@1
displayName: 'Run SonarCloud Analysis'
inputs:
organization: $(sonar_organization)
scannerMode: 'CLI'
projectKey: $(sonar_projectKey)
projectName: $(sonar_projectName)
projectVersion: $(sonar_projectVersion)
configMode: 'file'
- task: SonarCloudPublish@1
inputs:
pollingTimeoutSec: '300'Let’s take a closer look at the pipeline. Some parameters are entered in the yaml file and we will get them dynamically. Before focusing on this part, let’s see what the tasks do.
SonarCloudPrepare: This task prepares the project configuration required for analysis to SonarCloud. It configures the project settings and starts the analysis of the project.
SonarCloudAnalyze: This task analyzes the code of your project and sends it to SonarCloud. It generates reports on code quality, vulnerabilities, code coverage, duplicates in code and many other metrics.
SonarCloudPublish: This task publishes and visualizes SonarCloud analysis results. It provides a report showing the results of the project analyzed in SonarCloud.
Now let’s write the yaml file where we will place the variable we obtained from the SonarCloud side.
variables:
- name: sonar_organization
value: 'medium-test-key'
- name: sonar_projectKey
value: 'medium-test-key_project1'
- name: sonar_projectName
value: 'project1'
- name: sonar_projectVersion
value: '1.0'
- name: sonar_sources
value: 'backend/src'
- name: sonar_reportPaths
value: 'backend/src/coverage/lcov.info'
- name: sonar_X
value: 'backend/src/test-report.xml'
- name: sonar_language
value: 'js'
- name: sonar_eslintconfigpath
value: 'src/eslintrc.json'
- name: summaryFileLocation
value: '$(System.DefaultWorkingDirectory)/backend/src/coverage/clover.xml'After integrating the first part of your project, I would like to talk about the code coverage part here. If you have done unit testing in your project, it will be useful to integrate this part. So let me first show you how this part is done. You can run unit tests with Jest in a NodeJs backend development.
I want you to know that this will affect the coverege metric on sonarqube. Let’s see how we do the first build part first. You can proceed without these parts if you wish.
parameters:
node_version: ''
jobs:
- job: Install_NodeJS
steps:
- task: NodeTool@0
inputs:
versionSpec: $(node_version)
displayName: 'Install Node.js'
displayName: "Install Node.js in WP DevSecOps Pipeline"variables:
- name: node_version
value: '18.x'Since I want to create a modular structure, we can add them to our project as two different files. If you are not continuing with my project, the steps of SonarCloud integration are the same for each project. You can continue in this way.
The Final Step
After this part, we have created the pipeline in a modular structure. Now let’s collect them in a main yaml file.
trigger:
- main
pool:
vmImage: ubuntu-latest
variables:
- template: junit/junit-variables.yml
- template: sast/sonar-sast-variables.yml
- template: build/node/node-variables.yml
stages:
- stage: Install_NodeJS
jobs:
- template: build/node/node-install.yml
parameters:
node_version: $(node_version)
- stage: Junit_Code_Coverage_Result
jobs:
- template: junit/code_coverage_backend.yml
parameters:
summaryFileLocation: $(summaryFileLocation)
- stage: SonarCloud_SAST_Scan
jobs:
- template: sast/sonar-sast-scan.yml
parameters:
sonar_organization: $(sonar_organization)
sonar_projectKey: $(sonar_projectKey)
sonar_projectName: $(sonar_projectName)
sonar_projectVersion: $(sonar_projectVersion)
sonar_sources: $(sonar_sources)
sonar_reportPaths: $(sonar_reportPaths)
sonar_X: $(sonar_X)
sonar_language: $(sonar_language)
sonar_eslintconfigpath: $(sonar_eslintconfigpath)As a result, the pipeline is ready to run. But we will get an error. Let’s solve this problem. We registered to sonarcloud. We created pipeline but we got error because we didn’t make service connection.
Now let’s solve this situation. Let’s go to Azure project settings. We will create a service connection for SonarCloud.
Let’s go back to the cloud side. Using the security section under My Accound option, we will create a token here.
After creating the token, let’s come to the service connection section from the Azure DevOps section again.
Complete the relevant connection. Let’s run the pipeline again and observe the results. In addition, if you install SonarCloud extension from Microsoft storage. You can also view the pipeline results through DevOps.
Basically, I tried to explain a SAST analysis tool and how it integrates with unit testing.
In my next article, we will combine SAST and CAST tests and improve our DevOps pipeline.
Project link: https://github.com/ramazanakkulak/ADO-SecOps
