-
How to Easily Download and Configure SonarScanner CLI on Windows
SonarScanner CLI is the scanner to use when there is no specific scanner for your build system. Please note that SonarScanner CLI does not officially support the ARM architecture. To download the SonarScanner CLI you can visit the site below: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner Once you open the link you will find various versions of the scanner based on the…
-
What is Code Coverage and How SonarQube Helps You Get It Right
When you’re developing software, writing clean, reliable, and maintainable code is just as important as getting the app to run. That’s where code coverage comes into play—a vital metric that tells you how much of your code is being tested. But it’s not just about hitting high percentages; it’s about making sure your tests actually…
-
GitHub Code Scanning Using Third-Party Actions
GitHub’s code scanning helps identify vulnerabilities and errors in your codebase, and while CodeQL is a powerful built-in option, you can also integrate third-party tools for a tailored approach. Configuring code scanning with third-party actions allows you to leverage tools like SonarQube, Checkmarx, or Trivy within GitHub Actions workflows. By uploading results in SARIF format,…
-
Code Security with GitHub Code Scanning and CodeQL Custom Queries
For this blog, we’ll enhance the advanced setup in our Instance-Security repo (a Java/Maven project) by creating a custom query pack to test CodeQL’s flexibility. If you haven’t explored our blog on Code Scanning with Advanced CodeQL Setup, we strongly recommend checking it out first, as it’s a prerequisite for following along with this blog.…
-
Understanding Static Application Security Testing (SAST)
As security continues to take center stage in the software development lifecycle, developers and organizations alike are integrating security checks earlier in the process. This shift is known as “shifting left”, and one of the best tools in that arsenal is Static Application Security Testing (SAST). In this blog post, we’ll break down the fundamentals…
-
Complete Guide to Installing SonarQube on Windows with External PostgreSQL Database
In this blog I will be showcasing the SonarQube server installation and setting up an external PostgreSQL database for it. There are some prerequisites for installing SonarQube Server, and you can follow the documentation link below for the same. https://docs.sonarsource.com/sonarqube-server/latest/setup-and-upgrade/installation-requirements/server-host You can download the SonarQube server from the link below. https://www.sonarsource.com/products/sonarqube/downloads/ Once you click on the…
-
From Zero to SonarQube with Docker Desktop in Under 10 Minutes
In this blog I will be showcasing how to easily set up a SonarQube server using Docker. Here I will be using the Docker Desktop version with the WSL 2 backend. Firstly, I will be creating a network for sonar, which will be an isolated network and can be used for sonar-related services. Here I will be running-…
-
DevSecOps Made Simple
In today’s fast-paced digital world, organizations are racing to develop, deploy, and scale software rapidly. DevOps has become the go-to methodology for accelerating this process. But speed without security is risky — and that’s where DevSecOps comes in. What is DevSecOps? DevSecOps stands for Development, Security, and Operations. It’s the practice of integrating security at…
-
Code Security with GitHub Code Scanning and Advanced CodeQL Setup
Advanced setup for code scanning is ideal when you need a tailored approach to securing your codebase. By crafting and modifying a workflow file, you can customize the scanning process extensively.
-
Code Scanning with GitHub and CodeQL
What is Code Scanning? Code scanning is a GitHub feature designed to help developers identify security vulnerabilities and coding errors in their projects before they become bigger problems. It analyzes your code automatically, flags potential issues like SQL injection or cross-site scripting (XSS), and displays them as alerts right in your repository. Picture it as…