Azure DevSecOps | Integrate Sonarqube with Azure Pipeline to run Static Code Analysis

Captions
Hello, my name is Shailender Choudhary, and in this video I'll show how to integrate SonarQube with Azure Pipeline to run static code analysis. So let's start with what is SonarQube. SonarQube is an open source tool which does the automatic review of the code. It is available in a community edition, which is free, and a paid version. So if we talk about the community version, it has multiple features, as you can see on your screen. It can do the static code analysis for more than 25 programming languages. It can detect the bugs and the vulnerabilities; in the bug detection it actually finds the quality of the code too, and in the vulnerabilities there are multiple types of vulnerabilities, like high risk vulnerabilities or low risk vulnerabilities. In the case of code smell tracking, it checks whether the good coding practices have been performed or not. For security hotspots, it checks whether a particular code block can have a security concern. For technical debt, project maintainability is checked, and similarly the code quality metrics and different histories are shown. And the community version can integrate with the CI/CD pipelines, and it has extensions and multiple plugins for most of the famous pipelines available.

So this is the SonarQube dashboard, where you can see the bugs, vulnerabilities, security hotspots and what's the debt, as well as the code smells. If we click on a particular code smell, then it will show all the issues which are there. Now in the demo I'll show how to integrate SonarQube with the Azure YAML pipeline, then I'll show the analysis in the SonarQube dashboard. So let's start.

So I have created one server where I have installed SonarQube and it's all ready. I have logged into SonarQube, and this is the first step that is coming: there is no project right now, so we'll just create a project from Azure DevOps. SonarQube integration: we'll give the name. Now we have to provide the DevOps URL, so let's go to the DevOps. This is the DevOps URL, this is the organization name, live challenge. I'll provide the DevOps URL now, and I have to create a personal access token, which I have already created. You can create it by clicking on the user, go to the security and create a personal access token. I have already created it for the Sonar token, so let me fetch it. So I'm providing the token here and save configuration. Let's provide the token again and list repos. So now, as you can see, there are two projects available, terraform devops and the youtube app service. So this is the one which we'll be using; set up the repository, and we want to integrate it with the CI/CD pipeline, so let's click on this.

So first of all we have to install the SonarQube extension for DevOps. So if I go here, click on this marketplace, you can see the manage extensions. Right now the SonarQube extension is already installed by me, but if we browse the marketplace, if you write sonarqube, you can see there is an extension of SonarQube. You have to click on get it free and it will be installed. So for me it's already installed, so let's check the next step. We have done this. Now in the project settings we have to create a service connection for SonarQube. So let's go to the project settings, let's go to this project, project settings, service connection, create a new service connection, search SonarQube, next. It looks for the server URL, which you can find here, then the token. Generate a new token, generate, provide the new token here, and the service connection name, sonar billboard, and grant access to all the pipelines, and save. So now a new service connection is created. Let's continue, and now we have to provide which programming language we are using for the code analysis. So in this case we are using dotnet.

If I quickly go to my GitHub, web apps on our test is the GitHub repo which I have created. I have created a very basic and sample application using Visual Studio. So if you go to Visual Studio, create a new project, ASP.NET Core web application I've selected, I'll give the name, any name. I'll not create it; this is already done by me, so I have uploaded it in the repo. I'm just showing how I created it. Let's create, and then select the web application, and this is how I created a dotnet web application. We don't need to do so; the project file, sln file and all the web files are present here. So let's go back, and we'll choose the dotnet here, and these are the steps which are provided to create the pipeline.

So let's start by creating a pipeline. Now we'll go to the pipeline, let's create a new pipeline. So our repository is present in GitHub, so I'll choose the GitHub now. So we are going to use the web apps on our test; let's click on this, and it's an ASP.NET Core project, so let's click on it. So most of the steps are created here: the trigger is the master, pool is vm image, so it's the Azure hosted agent which we are using, the Windows agent. For the variable it's looking for sln; if I go to the GitHub, sln is present in the main folder itself, so let's change this, we don't want to look inside. This is the only change. Then steps: there are multiple steps, it's installing the NuGet, then it's running the command, then it's building, VSBuild, it's Visual Studio build, then it's testing. So this is just the build step. What we want to do is, we want to create three steps. First is the build step along with the Sonar testing step, then we'll add an approval step, staging approval, because we want to check if the code analysis is correct, then we want to approve it, otherwise we'll deny it, and the third one is deployment to app services. So here it's directly mentioned the steps, but I would like to create the jobs, then there will be three different jobs. So let's create jobs: jobs, job, the first one is the build job and all the steps will come under it.

So now if you follow the Sonar steps, it's mentioned that first we have to create a pipeline, and before the build task we have to run the prepare analysis configuration. So let's run this step. So this is the build step; before the build step let's add this prepare analysis configuration. It will use the endpoint which we have created, and integrate with MSBuild, and the project key we have to provide. So you have to choose integrate with MSBuild, and this is the project key, so let's provide the project key and add. The step is added. Let's check another step: add a run code analysis after the build task. So we have to run this task after build, so we are after the build task, let's look for it, run code analysis, it's added. And the third task is publish quality gate results into SonarQube; we'll give the default timer, and it's added. So now all the steps for the build are added. Now what this will do is, this will publish all the analysis into the Sonar dashboard. So we have done this, finish this tutorial, and it's waiting for the first analysis to come in.

But before this, let's add a few more steps. Let's add the approval step, because we don't want to publish anything till we check the dashboard. So waiting approval, I'll give the name, and it depends on the build step; let's copy the name from there. We have to define the pool as the server, because it's running on the self-hosted server, and timeout timer in minutes, I'll give 1000 minutes. So let's define the steps now, and in the task I'll find the manual validation. Let's give the manual validation; so I want my email id to be notified, timeout reached, please check Sonar, wait at this step now. And the final step will be deploying to app service, deploy step, which depends on the waiting approval step. Sorry, my bad, the spelling mistake. Let's add the task of web app; so this is the service connection, app type will be on Windows, let's select the web app too, and add. Sorry, before that we have to add the steps, and it's done. So now first it's installing the packages, like NuGet package, and preparing SonarQube, then it will run the build, then the SonarQube analysis will run and it will publish the analysis into the SonarQube dashboard, and once that is done the VSTest will happen, whether it's fine or not. The pipeline will wait for the approval for 1000 minutes. If I approve, then it'll move to another step, where it'll deploy to the Azure app service.

I forgot one step here, which is publishing the build, which means it will create a zip file of the build, and later we'll deploy the zip file into the app service. So let me add that step: dotnet core, it's a publish step, project web file, it's added. So now it will publish. First the build will happen, so now I will upload everything, then it will publish, a zip file will be created, then it will wait for the approval, we can reject or approve, and finally it will deploy to app service. Let's run this task. Let's go to the build step; the other steps are waiting approval and deploy. Once the agent is ready it will start running. This is the Azure hosted agent; as you can see the pool is Azure Pipelines, image is windows latest, it's automatically picking up Windows 2019. Now the build process is initiated, it's downloading all the different tasks, and now it's downloading all the files from the repo, GitHub repo. NuGet tool is installed and it's running the NuGet command now. So now SonarQube is getting prepared; now the ASP.NET application is getting built. The build is complete and the next step is static code analysis. Now SonarQube will do the static code analysis, and in the publish step it'll publish everything into the dashboard. So let's wait for this to finish. In the meantime, if you want to know how to install SonarQube in Ubuntu, I have created one blog for this. So this is my blog, where you can see I have provided all the steps how to install and set up SonarQube. You can follow all these steps on Ubuntu 20.04 LTS, and then your dashboard will be ready.

So all the steps are done; for now it's waiting approval. As you can see, it's in review, whether we have to reject or resume, and it has four bugs, two security hotspots, it has debt of one hour 15 minutes and 15 code smells. So let's check the bugs. So duplicate entries are there, unexpected missing generic font family. It's not always the real bugs; it's the quality issues which can create the bugs. Same way, if we talk about the security hotspot, it can lead to a denial of service attack and it has a medium impact. So that's why if you look here, all the conditions are passed, and for the different code smells it's looking for the good coding practices, whether those are being followed or not. You can ignore these, and in this case we will ignore, but if you follow these practices then there will be fewer issues with the code. Go to the pipeline, resume, and manual validation is done, and now in the deploy stage the code will be deployed to the Azure app service.

The reason deploy failed is because it downloaded the repo again into the same folder, and now all the files are gone. So what we have to do in this case is go back to the pipeline, run all the steps again after the approval, all the build step and publish step. So let's quickly copy those steps, so both the packages should be installed. We can ignore SonarQube for now; I'll just copy paste and then remove it later, and publish. I will go to the task, I will go to the deploy job, in the steps, let's copy them here. They are copied, and we'll remove the SonarQube step because that is already done, after that we have approved the pipeline, and it should be all good now. So let's save, run it again. I'll fast forward it to the deploy step only. So now in this deploy step we have added the build again, because all the repositories are getting downloaded again in this. So it has initialized the job and it's downloading all the tasks. The folder where previously the zip file was published was wiped away, because all the files were downloaded again, so now we are running the build again and then we'll deploy. So now the Azure app service is getting deployed; it's successfully deployed the web package. Let's go to our app service, it's web app too. So if you click on the URL, you can see the welcome sample ASP.NET web application is deployed.

So if I summarize, in this video first we integrated SonarQube with the Azure pipeline, where we first ran the build and then ran the SonarQube analysis. After the build was done there was the next job, which was to approve the pipeline, whether we have to reject it or approve it, based on checking the SonarQube dashboard. Once we approve it, we have to run the build again so that we have all the files, and then publish to create a zip file, and that zip file is uploaded into the Azure app service. And this is how we deployed the Azure app service by doing the static code analysis. If there are any vulnerabilities, then we have to first fix the vulnerability and we'll reject the pipeline. So this is all for this video. Please like and subscribe. Thank you so much.
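The three-job pipeline the video builds in the Azure DevOps editor, written out as YAML. This is an added example and not the pipeline file from the video or its repository; the service connection names, the SonarQube project key, the reviewer address and the App Service name are placeholders in angle brackets. It also goes one step beyond the video: instead of repeating the build steps in the deploy job (the workaround used in the video after the deploy job's checkout wiped the published zip), the build job publishes the zip as a pipeline artifact and the deploy job downloads it, so the artifact that was analysed is the one that gets deployed.

```yaml
# Added example: three-job Azure Pipelines YAML following the structure described
# in the video. Values in <...> are placeholders, not values from the video.
trigger:
  - master

variables:
  solution: '*.sln'            # the .sln sits in the repository root, so no '**/' prefix
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'

jobs:
  # Job 1: restore, SonarQube prepare, build, analyse, publish quality gate, test,
  # then publish a deployable zip as a pipeline artifact.
  - job: Build
    pool:
      vmImage: 'windows-latest'
    steps:
      - task: NuGetToolInstaller@1
      - task: NuGetCommand@2
        inputs:
          restoreSolution: '$(solution)'
      # Must run BEFORE the build so the MSBuild scanner can hook the compilation.
      - task: SonarQubePrepare@5
        inputs:
          SonarQube: '<sonarqube-service-connection>'
          scannerMode: 'MSBuild'
          projectKey: '<sonarqube-project-key>'
      - task: VSBuild@1
        inputs:
          solution: '$(solution)'
          platform: '$(buildPlatform)'
          configuration: '$(buildConfiguration)'
      # Must run AFTER the build; then push results and the quality gate status to the server.
      - task: SonarQubeAnalyze@5
      - task: SonarQubePublish@5
        inputs:
          pollingTimeoutSec: '300'
      - task: VSTest@2
        inputs:
          platform: '$(buildPlatform)'
          configuration: '$(buildConfiguration)'
      - task: DotNetCoreCLI@2
        inputs:
          command: 'publish'
          publishWebProjects: true
          arguments: '--configuration $(buildConfiguration) --output $(Build.ArtifactStagingDirectory)'
          zipAfterPublish: true
      # Keep the zip as an artifact so the deploy job does not have to rebuild.
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
          ArtifactName: 'drop'

  # Job 2: agentless wait while a human reviews the SonarQube dashboard.
  - job: WaitingApproval
    dependsOn: Build
    pool: server
    timeoutInMinutes: 1000
    steps:
      - task: ManualValidation@0
        inputs:
          notifyUsers: '<reviewer@example.com>'
          instructions: 'Please check the SonarQube dashboard before resuming.'
          onTimeout: 'reject'   # no decision within the timeout means no deployment

  # Job 3: deploy exactly the artifact that job 1 analysed and published.
  - job: Deploy
    dependsOn: WaitingApproval
    pool:
      vmImage: 'windows-latest'
    steps:
      - task: DownloadBuildArtifacts@0
        inputs:
          buildType: 'current'
          downloadType: 'single'
          artifactName: 'drop'
          downloadPath: '$(System.ArtifactsDirectory)'
      - task: AzureWebApp@1
        inputs:
          azureSubscription: '<azure-service-connection>'
          appType: 'webApp'
          appName: '<app-service-name>'
          package: '$(System.ArtifactsDirectory)/drop/*.zip'
```

The ordering constraints the video calls out are the ones that matter: SonarQubePrepare before VSBuild, SonarQubeAnalyze and SonarQubePublish after it. The ManualValidation task only runs in an agentless job, which is why the approval job uses `pool: server`, and `onTimeout: 'reject'` makes the default outcome of an unanswered review a failed pipeline rather than a deployment.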
Info
Channel: Shailender Choudhary
Views: 9,108
Keywords: azure, cloud, security, devsecops, devops, asp.net, sca, staticcodeanalysis, sonarqube, sonar, cicd, pipeline, cloudsecurity, cybersecurity
Id: ApMeWoRkv-A
Length: 19min 34sec (1174 seconds)
Published: Fri Feb 04 2022