Course Outline
1. Static Code Analysis: Concepts and Scope
- Key definitions: static analysis, SAST, rule categories, and severity levels
- The role of static analysis in a secure SDLC and managing risk
- How SonarQube aligns with security controls and developer workflows
2. Understanding SonarQube: Features and Architecture
- Core services, database structures, and scanner components
- Quality Gates, Quality Profiles, and best practices for quality gates
- Security capabilities: vulnerabilities, SAST rules, and CWE mappings
3. Navigating the SonarQube Server UI
- Overview of the server interface: projects, issues, rules, metrics, and governance views
- Understanding issue pages, traceability, and remediation instructions
- Options for generating and exporting reports
4. Configuring SonarScanner with Build Tools
- Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild
- Best practices for scanner properties, exclusions, and multi-module projects
- Creating test data and coverage reports to ensure accurate analysis
5. Integrating with Azure DevOps
- Establishing SonarQube service connections in Azure DevOps
- Integrating SonarQube tasks into Azure Pipelines and implementing PR decoration
- Importing Azure Repos into SonarQube and automating analysis processes
6. Project Configuration and Third-Party Analyzers
- Defining Quality Profiles and rule selections for Java and Angular at the project level
- Utilizing third-party analyzers and managing the plugin lifecycle
- Setting analysis parameters and understanding parameter inheritance
7. Roles, Responsibilities, and Secure Development Methodology Review
- Delineating roles among developers, reviewers, DevOps teams, and security owners
- Creating a roles and responsibilities matrix for CI/CD processes
- Reviewing and recommending enhancements to existing secure development methodologies
8. Advanced Topics: Adding Rules, Tuning, and Enhancing Global Security
- Using the SonarQube Web API to add and manage custom rules
- Modifying Quality Gates and enforcing automated policies
- Best practices for hardening SonarQube server security and access controls
9. Practical Lab Sessions
- Lab A: Configuring SonarScanner for 5 Java repositories (including Quarkus where relevant) and analyzing results
- Lab B: Setting up Sonar analysis for an Angular front-end application and interpreting findings
- Lab C: Comprehensive pipeline lab—integrating SonarQube with an Azure DevOps pipeline and enabling PR decoration
10. Testing, Troubleshooting, and Report Interpretation
- Strategies for generating test data and measuring code coverage
- Addressing common issues and troubleshooting scanner, pipeline, and permission errors
- How to interpret and present SonarQube reports to both technical and non-technical audiences
11. Best Practices and Recommendations
- Selecting rule sets and implementing incremental enforcement strategies
- Workflow recommendations for developers, reviewers, and build pipelines
- Strategies for scaling SonarQube in enterprise environments
Summary and Next Steps
Requirements
- Knowledge of the software development lifecycle
- Experience with version control and foundational CI/CD concepts
- Familiarity with Java or Angular development environments
Target Audience
- Developers (Java / Quarkus / Angular)
- DevOps and CI/CD engineers
- Security engineers and application security reviewers
21 Hours
Testimonials (1)
Engaging, and hands-on practice.