Azure DevOps can be integrated with a wide range of other tools that can help in checking code for vulnerabilities. Common tools include SonarCloud and White Source Bolt. In this lesson, we are going to take a look at what each product is and what each offers.

Let’s start by taking a look at SonarCloud. SonarCloud is a code analysis service that runs in the cloud. It’s the cloud version of the on-prem product called SonarQube. SonarCloud is used to identify code quality issues in roughly two dozen different programming languages. It allows organizations to continuously ensure maintainability and security of their code.

What SonarCloud does is perform static code analysis to identify issues in the code that you write. This static analysis does not require you to actually run the code like dynamic analysis does. This provides an additional layer of code verification that is different and separate from automated testing and human code-review.

Using SonarCloud allows you to detect problems with your code earlier in the process, which, in turn, ensures that fewer issues find their way into the later stages of the build process. This helps improve the overall quality of the final production code.

To use SonarCloud, you connect it to whatever cloud-based code repository service that you are currently using. It supports GitHub, Bitbucket Cloud, Azure DevOps Services, and GitLab.

When you sign up for SonarCloud, you specify the repository provider that you want to connect to, and then your SonarCloud account is created and bound to your account on your chosen repository provider.

I should point out that SonarCloud does not work with on-prem code repositories. If you need support for on-prem repositories, you should use what is essentially the on-prem version of SonarCloud, which is called SonarQube.

Once you sign up for SonarCloud, you can use it to identify issues and security hotspots in your code.

Issues, as you might expect, are problems in your code that require fixing. The types of issues that SonarCloud can detect include Code Smells, Bugs, and Vulnerabilities.

Code Smells typically don’t prevent your program from functioning properly but might indicate deeper problems that can cause maintainability issues for the code. 

Bugs are coding errors that can cause the program to not operate as expected. 

Vulnerabilities are coding problems that may be exploited by bad guys in order to compromise the security of your application.

While SonarCloud is very good at detecting coding issues, it also identifies security hotspots, which are parts of code that could cause security issues.  

By integrating SonarCloud into your software development process, you can prevent issues from reaching production. You can actually integrate SonarCloud in three different places. It integrates with the editor, in the pull request, and in the codebase.

For example, SonarLint, which is SonarCloud's companion product, is used to provide immediate feedback from within the editor. This allows developers to catch issues before they reach the repository.

By annotating the pull request interface of your repository service, SonarCloud can provide the results of its analysis on the pull request branch right in the interface – and can automatically grant or deny the approval of the pull request, depending on your defined quality gate criteria. This allows you to add automatic code review to your process.

Because some types of issues can only be identified after code is merged, SonarCloud often needs to analyze your entire codebase as a single unit. To accomplish this, SonarCloud offers two different approaches. They include automatic analysis and CI-based Analysis.

To provide automatic analysis, SonarCloud detects every pull request that is merged and then analyzes the new state of the code in your repository. 

CI-based analysis is the configuration of SonarCloud so that it performs analysis as part of your regular continuous integration (CI) process or build process.

What SonarCloud does is focus on identifying issues that are found in incoming changes as they arrive. This aligns with the principle of “cleaning as you code”, which focuses on preventing issues in incoming new code. This eliminates, or at least mitigates, the need for digging through old code to identify issues within it. 

While SonarCloud is the most common security tool, WhiteSource Bolt is another security and management solution that I want to touch on here. 

WhiteSource Bolt a lightweight open-source offering that, when integrated within Azure DevOps Services & Team Foundation Server, allows you to detect and remedy vulnerable open source components, generate open-source inventory reports, and enforce open source license compliance. You can also use WhiteSource Bolt to identify outdated open-source libraries and recommendations.

To learn more about WhiteSource Bolt, visit the URL that you see on your screen.

Lectures

Course Introduction - Code Quality Defined - Monitoring Code Quality - Reporting on Code Coverage - The OWASP Top Ten - DEMO: Configuring SonarCloud in a Pipeline - Course Summary