How to start Static Application Security Testing (SAST) with SonarQube?
In practice, I have used different SAST solutions, and in my opinion one of the best is SonarQube. Its advantages are: support for multiple programming languages, a range of plugins that extend the coverage, integration options, and of course a free Community Edition. In this article, I will describe how to install SonarQube on macOS and launch a scan with it.
1. Install Sonar
Open your console and run the commands below to install sonar and sonar-scanner:
brew install sonar
brew install sonar-scanner
2. Run Sonar
Open your console and run the following command to run Sonar:
sonar console
After a successful launch, open http://localhost:9000. Use the default credentials (admin/admin) to log in.
3. Create a new project
- Open Projects tab > Add project > Manually > Write “Project key” > Set Up
- Enter a name for your token > Generate > Continue
- Select the “technology” and “OS”
4. Launch the scan
- For the test, I chose and downloaded the well-known vulnerable application juice-shop (https://github.com/bkimminich/juice-shop)
- Open the console > Navigate to the project folder > Execute the command from the “Execute the Scanner from your computer” section
- Wait for the scan to finish
- Open http://localhost:9000/projects > Open your project
- Open the “Security Hotspots” > Review the findings
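Reviewing the hotspots in the UI is fine for one project, but for a CI pipeline you will want the same review data as code. The script below is an added example (not from the original article and not SonarSource's own code) that pulls a project's Security Hotspots through the SonarQube Web API, summarises the ones still marked TO_REVIEW, and returns a pass/fail verdict; the server URL, project key and token are assumptions you must adapt, and the sample records at the bottom are constructed to match the shape of an api/hotspots/search response.

```python
"""Summarise SonarQube Security Hotspots for a project via the Web API."""
import base64
import json
import urllib.request
from collections import Counter

# Assumed values: adjust to your own server and project key.
SONAR_URL = "http://localhost:9000"
PROJECT_KEY = "juice-shop"


def fetch_hotspots(token: str, project_key: str = PROJECT_KEY, base_url: str = SONAR_URL) -> list:
    """Page through /api/hotspots/search and return every hotspot record."""
    # A SonarQube user token is sent as the Basic-auth username with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    hotspots, page = [], 1
    while True:
        url = f"{base_url}/api/hotspots/search?projectKey={project_key}&ps=500&p={page}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.load(resp)
        hotspots.extend(data["hotspots"])
        if not data["hotspots"] or len(hotspots) >= data["paging"]["total"]:
            return hotspots
        page += 1


def summarise(hotspots: list) -> dict:
    """Count hotspots still TO_REVIEW, grouped by vulnerability probability and security category."""
    open_ones = [h for h in hotspots if h.get("status") == "TO_REVIEW"]
    return {
        "total": len(hotspots),
        "to_review": len(open_ones),
        "by_probability": dict(Counter(h["vulnerabilityProbability"] for h in open_ones)),
        "by_category": dict(Counter(h["securityCategory"] for h in open_ones)),
    }


def gate_passes(summary: dict, max_high: int = 0) -> bool:
    """Return False when unreviewed HIGH-probability hotspots exceed the allowed budget."""
    return summary["by_probability"].get("HIGH", 0) <= max_high


# Constructed sample records (not real scan output) in the shape the API returns.
SAMPLE = [
    {"key": "h1", "component": "juice-shop:routes/login.ts", "line": 30, "status": "TO_REVIEW",
     "vulnerabilityProbability": "HIGH", "securityCategory": "sql-injection", "message": "Make sure this SQL query is safe."},
    {"key": "h2", "component": "juice-shop:lib/insecurity.ts", "line": 12, "status": "TO_REVIEW",
     "vulnerabilityProbability": "MEDIUM", "securityCategory": "weak-cryptography", "message": "Make sure this hash is safe."},
    {"key": "h3", "component": "juice-shop:server.ts", "line": 5, "status": "REVIEWED",
     "vulnerabilityProbability": "LOW", "securityCategory": "others", "message": "Make sure this setting is safe."},
]

if __name__ == "__main__":
    # Replace SAMPLE with fetch_hotspots("<your-token>") to run against a live server.
    result = summarise(SAMPLE)
    print(json.dumps(result, indent=2), "gate passes:", gate_passes(result))
```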
5. Next steps
- Install SonarLint and use it with your favorite IDE (IntelliJ IDEA, Visual Studio, etc.): https://www.sonarlint.org/
- GitLab CI/CD Integration: https://docs.sonarqube.org/8.5/analysis/gitlab-cicd/
- Plugins Marketplace: https://www.sonarplugins.com/