Thank you for sending your enquiry! One of our team members will contact you shortly.
Thank you for sending your booking! One of our team members will contact you shortly.
Course Outline
1. Concepts and Scope of Static Code Analysis
- Definitions: static analysis, SAST, rule categories and severity levels.
- The scope of static analysis within secure SDLC and risk coverage.
- How SonarQube integrates into security controls and developer workflows.
2. SonarQube Overview: Features and Architecture
- Core services, database, and scanner components.
- Quality Gates, Quality Profiles, and best practices for Quality Gates.
- Security-related features: vulnerabilities, SAST rules, and CWE mapping.
3. Navigation and Use of the SonarQube Server UI
- Server UI tour: projects, issues, rules, measures, and governance views.
- Interpreting issue pages, traceability, and remediation guidance.
- Report generation and export options.
4. SonarScanner Configuration with Build Tools
- Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild.
- Best practices for scanner properties, exclusions, and multi-module projects.
- Generating necessary test data and coverage reports for accurate analysis.
5. Integration with Azure DevOps
- Configuring SonarQube service connections in Azure DevOps.
- Adding SonarQube tasks to Azure Pipelines and PR decoration.
- Importing Azure Repos into SonarQube and automating analyses.
6. Project Configuration and Third-Party Analyzers
- Project-level Quality Profiles and rule selection for Java and Angular.
- Working with third-party analyzers and the plugin lifecycle.
- Defining analysis parameters and parameter inheritance.
7. Roles, Responsibilities, and Secure Development Methodology Review
- Segregation of roles: developers, reviewers, DevOps engineers, and security owners.
- Constructing a roles and responsibilities matrix for CI/CD processes.
- Review and recommendation process for an existing secure development methodology.
8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features
- Using the SonarQube Web API to add and manage custom rules.
- Adjusting Quality Gates and automated policy enforcement.
- Hardening SonarQube server security and access control best practices.
9. Hands-on Lab Sessions (Applied)
- Lab A: Configure SonarScanner for five Java repositories (Quarkus where applicable) and analyse results.
- Lab B: Configure Sonar analysis for one Angular front-end and interpret findings.
- Lab C: Full pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration.
10. Testing, Troubleshooting, and Report Interpretation
- Strategies for test data generation and coverage measurement.
- Common issues and troubleshooting scanner, pipeline, and permission errors.
- How to read and present SonarQube reports to technical and non-technical stakeholders.
11. Best Practices and Recommendations
- Rule set selection and incremental enforcement strategies.
- Workflow recommendations for developers, reviewers, and build pipelines.
- Roadmap for scaling SonarQube in enterprise environments.
Summary and Next Steps
Requirements
- A solid understanding of the software development lifecycle.
- Experience with source control and basic CI/CD concepts.
- Familiarity with Java or Angular development environments.
Audience
- Developers (Java / Quarkus / Angular)
- DevOps and CI/CD engineers.
- Security engineers and application security reviewers.
21 Hours
Testimonials (1)
Engaging, and hands on practise.
