Security Analysis Tools


Course Introduction

This course explores how to manage code quality and security policies with Azure DevOps, and will help those preparing for Microsoft's AZ-400 exam.

It starts by examining the definition of code quality and how to write high-quality code. Next, we’ll look at what goes into code quality scanning and at how SonarCloud can help monitor code quality, and you'll see a hands-on demonstration that shows you how to use SonarCloud in the pipeline.

You'll learn what code coverage means and how to use the “Publish Code Coverage Results” task to report on code coverage. This course also covers security policies, including OWASP and its Top-10 list, as well as looking at a couple of popular security analysis tools.

If you have any feedback relating to this course, feel free to get in touch with us at Any URLs referenced during this course can be found in the relevant lecture transcripts.

Learning Objectives

  • Understand what high-quality code is and how to write quality code
  • Learn how to monitor code quality
  • Learn how to report on code coverage
  • Learn about the OWASP Top Ten
  • Understand how security analysis tools can be used in conjunction with Azure DevOps to check code for vulnerabilities
  • Learn how to configure SonarCloud in a pipeline

Intended Audience

This course is intended for those who are preparing for the AZ-400 exam, or anyone who wants to learn more about managing code quality and security policies with Azure DevOps.


To get the most from this course, you should have a basic understanding of Microsoft Azure and of DevOps concepts.


Azure DevOps can be integrated with a wide range of other tools that can help in checking code for vulnerabilities. Common tools include SonarCloud and WhiteSource Bolt. In this lesson, we are going to take a look at what each product is and what each offers.

Let’s start by taking a look at SonarCloud. SonarCloud is a code analysis service that runs in the cloud. It’s the cloud version of the on-prem product called SonarQube. SonarCloud is used to identify code quality issues in roughly two dozen different programming languages. It allows organizations to continuously ensure maintainability and security of their code.

What SonarCloud does is perform static code analysis to identify issues in the code that you write. This static analysis does not require you to actually run the code, as dynamic analysis does. This provides an additional layer of code verification that is different and separate from automated testing and human code review.

Using SonarCloud allows you to detect problems with your code earlier in the process, which, in turn, ensures that fewer issues find their way into the later stages of the build process. This helps improve the overall quality of the final production code.

To use SonarCloud, you connect it to whatever cloud-based code repository service that you are currently using. It supports GitHub, Bitbucket Cloud, Azure DevOps Services, and GitLab.

When you sign up for SonarCloud, you specify the repository provider that you want to connect to, and then your SonarCloud account is created and bound to your account on your chosen repository provider.

I should point out that SonarCloud does not work with on-prem code repositories. If you need support for on-prem repositories, you should use what is essentially the on-prem version of SonarCloud, which is called SonarQube.

Once you sign up for SonarCloud, you can use it to identify issues and security hotspots in your code.

Issues, as you might expect, are problems in your code that require fixing. The types of issues that SonarCloud can detect include Code Smells, Bugs, and Vulnerabilities.

Code Smells typically don’t prevent your program from functioning properly but might indicate deeper problems that can cause maintainability issues for the code. 

Bugs are coding errors that can cause the program to not operate as expected. 

Vulnerabilities are coding problems that may be exploited by bad guys in order to compromise the security of your application.

While SonarCloud is very good at detecting coding issues, it also identifies security hotspots, which are parts of code that could cause security issues.  

By integrating SonarCloud into your software development process, you can prevent issues from reaching production. You can actually integrate SonarCloud in three different places. It integrates with the editor, in the pull request, and in the codebase.

For example, SonarLint, which is SonarCloud's companion product, is used to provide immediate feedback from within the editor. This allows developers to catch issues before they reach the repository.

By annotating the pull request interface of your repository service, SonarCloud can provide the results of its analysis on the pull request branch right in the interface – and can automatically grant or deny the approval of the pull request, depending on your defined quality gate criteria. This allows you to add automatic code review to your process.

Because some types of issues can only be identified after code is merged, SonarCloud often needs to analyze your entire codebase as a single unit. To accomplish this, SonarCloud offers two different approaches: automatic analysis and CI-based analysis.

To provide automatic analysis, SonarCloud detects every pull request that is merged and then analyzes the new state of the code in your repository. 

CI-based analysis is the configuration of SonarCloud so that it performs analysis as part of your regular continuous integration (CI) process or build process.
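As an added example (not part of the course), here is what CI-based analysis looks like as an Azure Pipelines definition for a .NET project using the SonarCloud extension's Prepare, Analyze, and Publish tasks; the service connection name, organization key, and project key/name are assumed placeholders.

```yaml
# Added example, not from the course: Azure Pipelines YAML that runs SonarCloud
# analysis on every push and pull request to main for a .NET project.
# 'SonarCloud-Connection', 'my-org', 'my-org_my-app' and 'My App' are placeholders.
trigger:
  branches:
    include: [main]

pr:
  branches:
    include: [main]

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Prepare must run before the build so the scanner can hook into MSBuild.
  - task: SonarCloudPrepare@1
    displayName: 'Prepare SonarCloud analysis'
    inputs:
      SonarCloud: 'SonarCloud-Connection'   # service connection holding the token
      organization: 'my-org'
      scannerMode: 'MSBuild'
      projectKey: 'my-org_my-app'
      projectName: 'My App'
      extraProperties: |
        # assumed coverage report location (coverlet opencover output)
        sonar.cs.opencover.reportsPaths=$(Agent.TempDirectory)/**/coverage.opencover.xml

  - task: DotNetCoreCLI@2
    displayName: 'Build'
    inputs:
      command: 'build'
      projects: '**/*.csproj'

  # Run tests with coverage so SonarCloud can report coverage on new code.
  - task: DotNetCoreCLI@2
    displayName: 'Test with coverage'
    inputs:
      command: 'test'
      projects: '**/*Tests.csproj'
      arguments: '--no-build --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover'

  # Analyze runs after build and test; Publish waits for the quality gate
  # result so the pull request can be annotated with it.
  - task: SonarCloudAnalyze@1
    displayName: 'Run SonarCloud analysis'

  - task: SonarCloudPublish@1
    displayName: 'Publish quality gate result'
    inputs:
      pollingTimeoutSec: '300'
```

The SonarCloud token never appears in the YAML; it lives in the service connection referenced by the Prepare task.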

What SonarCloud does is focus on identifying issues that are found in incoming changes as they arrive. This aligns with the principle of “cleaning as you code”, which focuses on preventing issues in incoming new code. This eliminates, or at least mitigates, the need for digging through old code to identify issues within it. 

While SonarCloud is the most common security tool, WhiteSource Bolt is another security and management solution that I want to touch on here. 

WhiteSource Bolt is a lightweight open-source offering that, when integrated within Azure DevOps Services and Team Foundation Server, allows you to detect and remedy vulnerable open-source components, generate open-source inventory reports, and enforce open-source license compliance. You can also use WhiteSource Bolt to identify outdated open-source libraries and provide recommendations.

To learn more about WhiteSource Bolt, visit the URL that you see on your screen.






About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.