SonarQube: How to run Static Code Scanning?

Captions
In this video we will learn how to launch a static code scan using SonarQube. To get started: SonarQube is an open source tool widely used to scan static code for bugs and vulnerabilities, and it provides centralized results in a server for better visibility and management. SAST, which stands for static application security testing, is an automated test that is performed on your source code, preferably before deploying your application into a production environment. There are several tools like Qualys, SonarQube and many others which can perform this test, but in this video we will look into one of the most common open source options, which is SonarQube.

To run SonarQube you need a dedicated server running SonarQube, which you see on the screen; I opened port 9000 and currently I'm in "Create project". So you need a dedicated server running SonarQube, and a specific scanner is required on your local machine where your code is being developed. It's a client-server relationship: your client will be the machine where you're developing your code, and the SonarQube server will be your main server where all the specific scanners report their data. The scanner sends results to the server, which centralizes all the information and gives access to all the contributors and the different managers; you can also give access to specific ones only.

Now we will learn how to scan a project. How you scan your code depends on which framework or language you are using to develop it. For example, some people use Gradle, some people use MSBuild, Maven, Azure or Jenkins, so you have to know which plugin is suitable for your framework or language, and you need the specific scanner for it: for example, for Maven code you need the Maven scanner in order to scan the Maven project. For other languages SonarQube provides a universal SonarScanner. In our case the SonarScanner has already been downloaded and set up on our desktop machine.

Now we will get into a little bit of practical stuff. We are developing some code; we have our PHP code here, for example, and we want to scan this code, which is available locally, using SonarQube. That's the practical thing we are going to do. The first thing we have to do is create a project inside SonarQube. This will be a centralized project that collects the information from the SonarScanner installed locally, which does the static application security test, the code scan. We'll name the project; we'll call it "Technology First". The project key is a unique identifier for the project, which is helpful when making API calls to SonarQube using the project key. So we'll set this up.

Now we have our project set up. We can use a CI/CD mechanism to analyze the code, or we can analyze from a repository; for example, if you have your code on GitHub you can do it that way, if you're using Azure Pipelines you can integrate this into your Azure pipeline, and the same with GitLab CI and the widely used Jenkins. In our case we are going to do it manually. We will enter a name for the token and generate the token. This is our token; we'll keep track of it and continue. Next we choose the type of analysis. As you remember, our code is built in PHP, so we select the "Other" tab, then the operating system you want to run the scan on, which is Linux in our case. This gives us the SonarScanner command that we use to execute the scanner, so we copy this and open the command line.

Now we need to go to the directory where we have the code. This is where we have the code, and what we need to do is just run this particular command. What it does is set the Sonar project key which we have, and the login, which is the token we generated. So you just need to execute the following commands in your project folder. Let's copy this and execute it. It loads the plugins that are required to scan the project, and all the details come back to your project in SonarQube. If you look at the projects, you have one project called "Technology First"; if you go to that project and then to Issues, they will be available once the scan completes. As of now the scan is running, and it will identify whatever vulnerabilities and bugs it finds.

That completes the scan. It tells us the analysis was successful and that we can browse the dashboard now. You see all conditions have passed on this particular one, but it reported around 594 bugs, zero vulnerabilities, some security hotspots, and the duplication of code. It also does the code quality analysis, so it identifies duplications and duplicated blocks. This is the overall code scan and how we do the projects: you have an option to directly integrate with your CI/CD pipelines, you have an option to run it locally, and you can also do repository-based scans.

I hope this video is informative and that you learned something about SonarQube; it is one of the widely used static application security testing and code scanning tools in the market. Stay tuned for more videos and thank you very much for watching. Till the next video, happy learning.
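The manual scan described above, written up as an added example rather than the video's own generated command: it keeps the non-secret settings in sonar-project.properties, reads the generated token from the SONAR_TOKEN environment variable instead of pasting it into the command, and then queries the quality gate by project key over the Web API. Assumptions: sonar-scanner and curl are on PATH, the server listens on port 9000 as in the video, and the scanner accepts the sonar.login property used by the UI-generated command.

```shell
#!/bin/sh
# Added example (not from the video): scan a local PHP project with the
# SonarScanner CLI, then ask the server whether the quality gate passed.
# Assumes sonar-scanner and curl on PATH, server on port 9000 (as in the
# video), and the UI-generated token exported as SONAR_TOKEN.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"

# Non-secret settings go into sonar-project.properties so they can be
# reviewed in version control; the token is deliberately kept out of it.
write_sonar_properties() {
  key="$1"; name="$2"; sources="${3:-.}"
  cat > sonar-project.properties <<EOF
sonar.projectKey=$key
sonar.projectName=$name
sonar.sources=$sources
sonar.host.url=$SONAR_HOST_URL
sonar.exclusions=**/vendor/**,**/node_modules/**
EOF
}

# Refuse to scan without a token rather than falling back to anonymous access.
check_token() {
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
}

# Extract projectStatus.status ("OK" or "ERROR") from the JSON returned by
# api/qualitygates/project_status; kept separate so it works on constructed input.
parse_gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# Run from the project folder. sonar.login is the property the UI-generated
# command uses; sonar.qualitygate.wait (assumed supported by the server) makes
# the scanner block until the gate is computed and exit non-zero if it failed.
run_scan() {
  check_token || return 1
  sonar-scanner -Dsonar.login="$SONAR_TOKEN" -Dsonar.qualitygate.wait=true
}

# Query the gate afterwards using the project key, the identifier the video
# mentions for API calls; a token-only basic auth (empty password) is used.
quality_gate_status() {
  check_token || return 1
  json=$(curl -sf -u "$SONAR_TOKEN:" \
    "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$1") || return 1
  parse_gate_status "$json"
}
```

Typical use from the project folder is `write_sonar_properties technology-first "Technology First" src`, then `run_scan`, then `quality_gate_status technology-first`.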
Info
Channel: TechnologyFirst
Views: 32,241
Keywords: SCA, Static Code Scan, Scanning, Application Security, Qualys, SonarQube, DevSecOps, DevOps, Security
Id: ezMqyPbwxn4
Length: 8min 21sec (501 seconds)
Published: Tue Dec 07 2021