Takk for at du sendte din henvendelse! En av våre teammedlemmer vil kontakte deg straks.
Takk for at du sendte din bestilling! En av våre teammedlemmer vil kontakte deg straks.
Kursplan
1. Concepts and Scope of Static Code Analysis
- Definitions: static analysis, SAST, rule categories and severity
- Scope of static analysis in secure SDLC and risk coverage
- How SonarQube fits into security controls and developer workflows
2. SonarQube Overview: Features and Architecture
- Core services, database, and scanner components
- Quality Gates, Quality Profiles, and Quality Gates best practices
- Security-related features: vulnerabilities, SAST rules, and CWE mapping
3. Navigation and Use of the SonarQube Server UI
- Server UI tour: projects, issues, rules, measures, and governance views
- Interpreting issue pages, traceability, and remediation guidance
- Report generation and export options
4. SonarScanner Configuration with Build Tools
- Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild
- Best practices for scanner properties, exclusions, and multi-module projects
- Generating necessary test data and coverage reports for accurate analysis
5. Integration with Azure DevOps
- Configuring SonarQube service connections in Azure DevOps
- Adding SonarQube tasks to Azure Pipelines and PR decoration
- Importing Azure Repos into SonarQube and automating analyses
6. Project Configuration and Third-Party Analyzers
- Project-level Quality Profiles and rule selection for Java and Angular
- Working with third-party analyzers and plugin lifecycle
- Defining analysis parameters and parameter inheritance
7. Roles, Responsibilities, and Secure Development Methodology Review
- Segregation of roles: developers, reviewers, DevOps, security owners
- Constructing a roles & responsibilities matrix for CI/CD processes
- Review and recommendation process for an existing secure development methodology
8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features
- Using the SonarQube Web API to add and manage custom rules
- Adjusting Quality Gates and automated policy enforcement
- Hardening SonarQube server security and access control best practices
9. Hands-on Lab Sessions (Applied)
- Lab A: Configure SonarScanner for 5 Java repositories (Quarkus where applicable) and analyze results
- Lab B: Configure Sonar analysis for 1 Angular front-end and interpret findings
- Lab C: Full pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration
10. Testing, Troubleshooting, and Report Interpretation
- Strategies for test data generation and coverage measurement
- Common issues and troubleshooting scanner, pipeline, and permission errors
- How to read and present SonarQube reports to technical and non-technical stakeholders
11. Best Practices and Recommendations
- Rule set selection and incremental enforcement strategies
- Workflow recommendations for developers, reviewers, and build pipelines
- Roadmap for scaling SonarQube in enterprise environments
Summary and Next Steps
Krav
- An understanding of software development lifecycle
- Experience with source control and basic CI/CD concepts
- Familiarity with Java or Angular development environments
Audience
- Developers (Java / Quarkus / Angular)
- DevOps and CI/CD engineers
- Security engineers and application security reviewers
21 timer
Referanser (1)
Engasjerende og praktisk øving.
Balavignesh Elumalai - Scottish Power
Kurs - SonarQube for DevOps
Maskinoversatt
