Tuesday, August 1, 2023

Configure SonarQube in Azure Container Instances and connect with Azure DevOps pipelines for Static Application Security Testing (SAST)

Static Application Security Testing (SAST) is a type of security testing that analyzes the source code of an application for security vulnerabilities. SonarQube is a popular platform for SAST that provides powerful code analysis tools for identifying security issues in software code.

SAST is an essential part of a DevSecOps process. DevSecOps aims to integrate security into the development process to identify and fix security issues early in the software development lifecycle.

In this article I will illustrate how we can configure SonarQube in Azure and connect it in Azure DevOps pipeline to detect vulnerabilities early in the development stage. 

To organize this article, I will break the workload into two sections.
  1. Configure SonarQube community edition as a container in Azure Container Instances (ACI) with backend as Azure SQL instance
  2. Configure SonarQube in Azure DevOps
Let's start.

Step 1 - Configure Azure SQL database and SoarQube image in ACI

I found this article very useful in configuring with Azure CLI
# Login to Azure environment and select the subscription
az login
az account set --subscription "My Demos"

# Create SQL instance and firewall rules
az sql server create --name srv-sql-sonarqube --resource-group rg-sonarqube --location australiaeast --admin-user sonar --admin-password [Password]
az sql server firewall-rule create --resource-group rg-sonarqube --server srv-sql-sonarqube -n AzureServices --start-ip-address --end-ip-address

# Create the database in SQL instance
az sql db create --resource-group rg-sonarqube --server srv-sql-sonarqube --name sonarqubeDb --service-objective S0 --collation SQL_Latin1_General_CP1_CS_AS
# Create a container instance with offical SonarQube image
az container create --resource-group rg-sonarqube --location australiaeast  --name sonarqube --cpu 2 --memory 3.5 --image sonarqube:7.7-community --os-type Linux --ip-address Public --environment-variables 'SONARQUBE_JDBC_USERNAME'='sonar' 'SONARQUBE_JDBC_PASSWORD'='[Password]' 'SONARQUBE_JDBC_URL'='jdbc:sqlserver://srv-sql-sonarqube.database.windows.net:1433;database=sonarqubeDb;user=sonar@srv-sql-sonarqube;password=[Password];encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30' --ports 9000 --protocol TCP
Once it is deployed, test your ACI instance as below

You can connect to SonarQube instance with admin/admin as default credentials and port 9000.

Now you need to generate a token which will be used when configuring this with Azure DevOps pipeline. For that, navigate to My Account and click on Security.

Step 2 - Configure SonarQube in Azure DevOps

Navigate to Organization Settings and Extensions. Then select the SonarQube from Marketplace

Install SonarQube extension

Then navigate to specific project that you want pipeline to be defined and select project settings. Then select Service connections.

Create new service connection and select SonarQube from the list

Specify properties according to your SonarQube instance. Use the token we generated in step 1

Now your configuration is completed. You can use the SonarQube instance to perform Static Application Security Testing (SAST).

1 comment:

Polarin - Cloud Network Solution Provider said...

You have written good blog on Azure. I represent a brand named Polarin that also provides Microsoft Azure services.