Scan Source Code using Static Application Security Testing (SAST) with SonarQube, Part 1

remko de knikker
Published in NYC⚡️DEV
9 min read · Sep 17, 2020


Short-URL: http://ibm.biz/sonarqube-lab

(Note: this tutorial was updated on Dec 30, 2022. Changes include, among others, replacing docker with podman and removing the Skills Network Theia sandbox, which is no longer freely available.)

Security can be an intimidating topic to beginners. True, some parts of security are really advanced and hard, but there are also a few very simple but critical best practices to follow to secure your application. One of them is to include a security tool in your DevOps pipeline that automatically scans your code for vulnerabilities each time the code is built. SonarQube is one such project. OpenSCAP is another scanner that belongs in the same pipeline, but it checks hosts and container images against SCAP security baselines rather than analyzing source code; SonarQube scans the code itself. A code scan of that kind is part of what is called Static Application Security Testing (SAST).

SonarQube is a leading open source automatic code review tool that detects bugs, vulnerabilities and code “smells” in your code. To build and run secure microservices and applications in an agile development and release process, it is important to fully automate the security testing of your application, known as Application Security Testing (AST).
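As an added example (not code from the article or from SonarSource), here is the shape of the pipeline step the paragraphs above describe: start SonarQube under podman, run sonar-scanner against the source tree, and fail the build when the project's quality gate is not OK. The image tag, the project key `my-app`, the script name `scan.sh` and the SONAR_HOST / SONAR_TOKEN / PROJECT_KEY / SRC_DIR / SONAR_RUN variables are assumptions made for this example; the `api/qualitygates/project_status` Web API endpoint and the `sonar.qualitygate.wait` analysis property are SonarQube's own. The two JSON responses at the bottom are constructed samples so the gate logic can be exercised without a running server.

```shell
#!/bin/sh
# Added example, not code from the original article: a minimal CI step that
# scans a project with sonar-scanner and fails the build when the SonarQube
# quality gate is not OK. SONAR_HOST, SONAR_TOKEN, PROJECT_KEY, SRC_DIR,
# SONAR_RUN and the image tag are assumptions, not taken from the article.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-my-app}"   # assumption: the project key you create in SonarQube
SRC_DIR="${SRC_DIR:-.}"
: "${SONAR_TOKEN:=}"                   # assumption: a SonarQube token injected by CI, never committed

# Start a throwaway SonarQube server with podman (the article's 2022 update
# swapped docker for podman). Image tag is an assumption.
start_sonarqube() {
  podman run -d --name sonarqube -p 9000:9000 docker.io/library/sonarqube:lts-community
}

# Fetch the quality-gate verdict for the project from the SonarQube Web API.
# The token is passed as the basic-auth user with an empty password.
fetch_quality_gate() {
  curl -sf -u "$SONAR_TOKEN:" "$SONAR_HOST/api/qualitygates/project_status?projectKey=$PROJECT_KEY"
}

# Extract projectStatus.status (OK, ERROR or NONE) from the API's JSON body.
# Plain sed so the step has no dependency on jq; tolerant of optional whitespace.
quality_gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus" *: *{ *"status" *: *"\([A-Z_]*\)".*/\1/p'
}

# List the metricKeys of the conditions that failed, one per line.
# Splitting on '{' puts every JSON object on its own line; only objects whose
# own status is ERROR *and* that carry a metricKey are kept, so the outer
# projectStatus object (ERROR, but without a metricKey) is skipped.
failed_conditions() {
  printf '%s' "$1" | tr '{' '\n' \
    | grep '"status" *: *"ERROR"' \
    | sed -n 's/.*"metricKey" *: *"\([^"]*\)".*/\1/p'
}

# Decide the build outcome from a quality-gate response: returns 0 on pass,
# 1 on anything else, and names the failing conditions for the CI log.
check_quality_gate() {
  status=$(quality_gate_status "$1")
  case "$status" in
    OK) echo "quality gate passed"; return 0 ;;
    *)  echo "quality gate $status, failing conditions: $(failed_conditions "$1" | xargs)"; return 1 ;;
  esac
}

# Constructed sample responses in the shape of GET api/qualitygates/project_status,
# so the gate logic above can be exercised without a server.
SAMPLE_GATE_OK='{"projectStatus":{"status":"OK","conditions":[{"status":"OK","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"0"}],"ignoredConditions":false}}'
SAMPLE_GATE_ERROR='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"2"},{"status":"OK","metricKey":"new_bugs","comparator":"GT","errorThreshold":"0","actualValue":"0"},{"status":"ERROR","metricKey":"new_security_hotspots_reviewed","comparator":"LT","errorThreshold":"100","actualValue":"50"}],"ignoredConditions":false}}'

# The real pipeline step. It only runs when SONAR_RUN=1, so the file can be
# sourced or dry-run on a machine without podman, sonar-scanner or curl.
run_pipeline() {
  [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 2; }
  start_sonarqube
  # The token is NOT put on the command line: recent scanner versions read
  # SONAR_TOKEN from the environment (assumption), which keeps it out of
  # process listings and CI logs. Analysis is submitted asynchronously, so
  # sonar.qualitygate.wait=true makes the scanner block until the server has
  # computed the gate; it then exits non-zero itself on a failed gate.
  if ! sonar-scanner \
      -Dsonar.projectKey="$PROJECT_KEY" \
      -Dsonar.sources="$SRC_DIR" \
      -Dsonar.host.url="$SONAR_HOST" \
      -Dsonar.qualitygate.wait=true; then
    echo "sonar-scanner exited non-zero (failed gate or analysis error)" >&2
  fi
  # Re-read the verdict so the log names the conditions that failed.
  check_quality_gate "$(fetch_quality_gate)"
}

if [ "${SONAR_RUN:-0}" = "1" ]; then
  run_pipeline
fi
```

Run the real step with `SONAR_RUN=1 SONAR_TOKEN=<token> sh scan.sh` once the server is reachable on SONAR_HOST. Without SONAR_RUN the script only defines the functions, which is what lets the gate-parsing logic be checked offline against the constructed responses; in a pipeline the non-zero exit from `check_quality_gate` is what stops the build from shipping code with new vulnerabilities.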

You can roughly distinguish three to four forms of Application Security Testing (AST):

  • Static Application Security Testing (SAST) does an…


Cloud Native Developer Advocate @IBMDeveloper for Cloud Native, Containers, Kubernetes, Security and DevOps. Dutch NYer, dad, humanist with empathy for paradox.