Key Results
- Game-changer for developers
- Static analysis coverage across 100% of projects
- Reduced operational costs
- Increased developer productivity
- Faster development lifecycles
- Cross-team project tracking
- Reduced risk of security breaches
About ZEISS
ZEISS is an internationally leading technology enterprise operating in the optics and optoelectronics industries and is a local partner to the semiconductor, automotive, and mechanical engineering industries, biomedical research, and medical technology. ZEISS is also a leading manufacturer of eyeglass lenses and binoculars and has long been renowned for its motion picture lenses.
Challenge:
Carl ZEISS AG (ZEISS) faced a significant challenge: ensuring the security and quality of applications that contained a substantial amount of open-source components. Prior to implementing SonarQube Server, ZEISS had relied solely on dynamic application security testing (DAST) tools for security verification, which proved inadequate for several reasons:
- Open-Source Code Visibility: Dynamic testing exercises the running application from the outside, so it gave little insight into the open-source code integrated into their projects and made it hard to assess vulnerabilities in those components.
- Time-Consuming Dynamic Testing: The size of some project dependency trees, such as large Node.js projects with extensive node_modules folders, significantly slowed the dynamic testing process. These oversized projects caused pipeline delays that reduced the overall efficiency of their development cycles.
- Code Quality and Security Issues: ZEISS also encountered security flaws within their own proprietary code. Without a static analysis tool, problems such as hardcoded passwords went undetected until later stages of the Software Development Life Cycle (SDLC).
Recognizing these issues, ZEISS began searching for a comprehensive, cross-language static analysis tool to complement their dynamic testing efforts and offer broader visibility into code vulnerabilities and quality.
Solution:
After evaluating several options and running a proof of concept with the Community Build of SonarQube Server, ZEISS decided to implement the SonarQube Server Enterprise Edition. This decision was primarily driven by the following factors:
- Security and Code Quality: SonarQube Server's static analysis let ZEISS catch vulnerabilities and enforce coding standards from the earliest stages of development. Shifting detection left in the SDLC was critical for preventing issues such as hardcoded credentials being committed to repositories and security misconfigurations reaching a release.
- Flexibility and Ease of Use: The ease of integration with their existing DevOps tools (Azure DevOps and GitHub Actions) and the flexibility of using SonarQube for IDE in Integrated Development Environments (IDEs) like Visual Studio Code proved to be game-changing for developers. The tool seamlessly fit into their workflows, offering real-time code analysis, which helped developers catch and address issues as they coded.
- Enterprise-Level Features: SonarQube Server Enterprise Edition enabled ZEISS to manage their multiple projects more effectively, allowing them to analyze code across all of their projects. They were able to use SonarQube Server to identify large monolith projects which helped the organization decide which projects to refactor into microservices. The platform’s exclusion features also allowed ZEISS to tailor scans based on project-specific requirements, ensuring focused and efficient analysis.
- Open-Source Code Insights: By leveraging SonarQube Server’s static analysis project summary, ZEISS was able to flag components with open-source packages that had potential licensing issues and security vulnerabilities early in the development process.
- Branch and Pull Request Analysis: SonarQube Server's branch and pull request analysis allowed ZEISS to run a more efficient code review process and track project activity across teams. Every code change was scanned for issues before it was merged, stopping defects before they reached production and further improving the quality and security of their applications.
Key Results:
The implementation of SonarQube Server resulted in several positive outcomes for ZEISS:
- Improved Security and Code Quality: SonarQube Server helped ZEISS identify and address vulnerabilities, particularly those within open-source components, far earlier in the development process. Catching these issues in code reduced the risk of security breaches in their applications and ensured adherence to coding best practices.
- Faster Development Cycles: The introduction of static analysis with SonarQube Server significantly reduced the time spent on dynamic testing. ZEISS avoided delays caused by analyzing large project folders and instead caught issues during the coding phase, speeding up their pipelines and their time to market.
- Efficient Resource Management: SonarQube Server provided visibility into project sizes and unnecessary dependencies, which led ZEISS to refactor some of their larger monolith projects into microservices. This not only optimized their software architecture but also reduced operational costs associated with long pipeline executions and cloud deployments.
- Better Developer Productivity: By integrating SonarQube Server with their DevOps platforms (Azure DevOps and GitHub Actions), developers gained real-time feedback on their code quality and security issues, allowing them to fix problems during the coding phase. Quality gates that present clear pass/fail results in the DevOps pipeline reduced the number of bugs and security flaws reaching production.
- Actionable Insights and Portfolio Management: As ZEISS continues to expand their use of SonarQube Server, they plan to leverage the portfolio management capabilities to better organize and oversee their numerous projects. This will provide a more structured approach to managing their vast codebase and allow for better reporting and decision-making across their development teams.
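As an added illustration (not code from ZEISS or SonarSource, and not how SonarQube implements these features), the Python below strings together three practices this case study describes: excluding vendored dependency folders such as node_modules from analysis (the Challenge and Solution sections; in SonarQube this is the sonar.exclusions setting), flagging hardcoded credentials in first-party code, and returning a pass/fail quality-gate verdict that a pipeline can act on (Key Results). The sample repository, file names, detection rules and exclusion globs are constructed assumptions; SonarQube's own rule set is far more extensive.

```python
"""Toy pre-merge gate: exclude vendored code, flag hardcoded credentials, pass/fail.

Added example, not ZEISS's or SonarSource's code and not SonarQube's rule engine.
The repository contents, file names, rules and exclusion globs below are
constructed assumptions for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exclusion globs in the style of sonar.exclusions: vendored and generated code is
# not first-party code, so it is skipped instead of slowing the analysis down.
EXCLUSIONS = ("**/node_modules/**", "**/dist/**", "**/*.min.js")

# Assumed detection rules: a string literal assigned to a secret-like name, and a
# URL that embeds a user:password pair.
RULES = {
    "hardcoded-secret": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"'][^\"']{4,}[\"']"
    ),
    "credential-in-url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^/\s@]+@", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


def glob_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a sonar-style glob: '**' spans path segments, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


_EXCLUDED = [glob_to_regex(g) for g in EXCLUSIONS]


def is_excluded(path: str) -> bool:
    """True when a repo-relative path (using '/') matches any exclusion glob."""
    return any(rx.match(path) for rx in _EXCLUDED)


def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line of every non-excluded file."""
    findings: list[Finding] = []
    for path, content in files.items():
        if is_excluded(path):
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def quality_gate(findings: list[Finding]) -> bool:
    """Pass/fail verdict for the pipeline: any hardcoded credential fails the gate."""
    return not findings


# Constructed sample repository: the 'before' (secret in source), the hardened
# 'after' (secret injected from the environment at runtime), a credential
# embedded in a URL, and a vendored file that must be excluded from analysis.
SAMPLE_REPO = {
    "src/db.py": (
        'import psycopg2\n\nPASSWORD = "hunter2-prod"\n'
        'conn = psycopg2.connect(host="db", user="app", password=PASSWORD)\n'
    ),
    "src/db_fixed.py": (
        'import os\nimport psycopg2\n\n'
        'conn = psycopg2.connect(host="db", user="app", password=os.environ["DB_PASSWORD"])\n'
    ),
    "src/config.js": 'const API_URL = "https://svc:s3cretToken@api.example.internal/v1";\n',
    "frontend/node_modules/somelib/test/fixtures.js": 'const password = "fixture-password";\n',
}


if __name__ == "__main__":
    results = scan(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
    print("QUALITY GATE:", "PASSED" if quality_gate(results) else "FAILED")
```

Running the block reports the literal in src/db.py and the embedded credential in src/config.js, stays silent on the hardened src/db_fixed.py, never reads the node_modules fixture, and fails the gate. The point of the exclusion list is the one the case study makes: the vendored fixture contains a secret-looking literal, but it is not ZEISS's code to fix, and scanning megabytes of dependencies is what made their pipelines slow.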
Conclusion:
By adopting SonarQube Server, ZEISS successfully bridged the gap between dynamic testing and static analysis, enhancing both the security and code quality of their applications. The flexibility and enterprise-level features of SonarQube Server allowed ZEISS to integrate it seamlessly into their existing developer workflow, improving developer productivity and optimizing software development cycles.