The SonarQube Server 9.9 LTS brought many new features dedicated to helping you deliver Clean Code day after day. A lot of that functionality is centered around cloud native technologies including Infrastructure as Code (IaC).
This article offers an overview of these benefits along with links so you can learn more about the features that interest you.
SonarQube Server 9.9 LTS supports the following cloud native technologies:
- Terraform for AWS, GCP, Azure
- AWS CloudFormation (yaml or json)
- Kubernetes
- Docker
Many of the cloud native based rules in v9.9 are security focused in the following areas:
- S3 Buckets (Community Announcement)
- Permissions (Community Announcement)
- Encryption at Rest (Community Announcement)
- Encryption at Transit (Community Announcement)
- Traceability
Feature: Detect insecure configurations in your AWS CDK code
If you are describing your AWS infrastructure with the AWS CDK for Python or JavaScript/TypeScript, SonarQube Server 9.9 LTS will detect insecure configurations in the following domains:
Python
- S3 Buckets (Community Announcement)
- Encryption at Rest and at Transit (Community Announcement)
- Permissions + Traceability (https://www.sonarqube.org/sonarqube-9-7/)
Node.JS
- S3 Buckets
- Encryption at Rest and at Transit (available since Nov 2022)
- Permissions + Traceability (available since Nov 2022)
Feature: Detect injection vulnerabilities in your AWS Lambdas
AWS Lambdas can be the entry point of injection attacks. SonarQube Server v9.9 relies on the same Sonar Taint Analyzer engine used to find injection vulnerabilities in web applications to detect if some malicious inputs are injected in the entry points of AWS Lambdas written in Python or JS/TS. Serverless and SAM frameworks are supported.
JavaScript (Community Announcement)
Python (Community Announcement)
Feature: Detect Code Quality issues in all your Python and JavaScript/TypeScript code
Finding and fixing vulnerabilities to keep your users safe is super important and it’s also important to keep your codebase squeaky clean. SonarQube Server v9.9 includes hundreds of rules designed to find bugs and code smells in all your Python and JS/TS projects. These same rules are executed in the context of cloud native code so ALL of your source and test code is kept in a Clean Code state.
The projects making up your cloud native apps likely combine code from many popular languages used today including Java, Go and Python. In all, SonarQube Server v9.9 can detect quality and security issues in over 30 languages, frameworks and cloud technologies. With Sonar, you get a complete, reliable Clean Code solution for all the projects in your organization.
Feature: Detect secrets/tokens in major cloud providers
Lastly, SonarQube Server detects secrets and tokens accidentally left in your cloud-based code before they make it out into the wild and into malicious hands.
Clean Code for the Win!
Join the clean code movement, be intentional with the quality of your codebase and take pride in delivering cloud native apps in a safe, sustainable way.
Thanks for reading and happy, clean, cloud native coding!
Pick a topic to discover more: