Course structure
1. Concepts and Scope of Static Code Analysis
- Definitions: static analysis, SAST, rule categories and severity
- Scope of static analysis in secure SDLC and risk coverage
- How SonarQube fits into security controls and developer workflows
2. SonarQube Overview: Features and Architecture
- Core services, database, and scanner components
- Quality Gates and Quality Profiles, with best practices for defining Quality Gates
- Security-related features: vulnerabilities, SAST rules, and CWE mapping
3. Navigation and Use of the SonarQube Server UI
- Server UI tour: projects, issues, rules, measures, and governance views
- Interpreting issue pages, traceability, and remediation guidance
- Report generation and export options
4. SonarScanner Configuration with Build Tools
- Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild
- Best practices for scanner properties, exclusions, and multi-module projects
- Generating necessary test data and coverage reports for accurate analysis
5. Integration with Azure DevOps
- Configuring SonarQube service connections in Azure DevOps
- Adding SonarQube tasks to Azure Pipelines and PR decoration
- Importing Azure Repos into SonarQube and automating analyses
6. Project Configuration and Third-Party Analyzers
- Project-level Quality Profiles and rule selection for Java and Angular
- Working with third-party analyzers and plugin lifecycle
- Defining analysis parameters and parameter inheritance
7. Roles, Responsibilities, and Secure Development Methodology Review
- Segregation of roles: developers, reviewers, DevOps, security owners
- Constructing a roles & responsibilities matrix for CI/CD processes
- Review and recommendation process for an existing secure development methodology
8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features
- Using the SonarQube Web API to add and manage custom rules
- Adjusting Quality Gates and automated policy enforcement
- Hardening SonarQube server security and access control best practices
9. Hands-on Lab Sessions (Applied)
- Lab A: Configure SonarScanner for 5 Java repositories (Quarkus where applicable) and analyze results
- Lab B: Configure Sonar analysis for 1 Angular front-end and interpret findings
- Lab C: Full pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration
10. Testing, Troubleshooting, and Report Interpretation
- Strategies for test data generation and coverage measurement
- Common issues and troubleshooting scanner, pipeline, and permission errors
- How to read and present SonarQube reports to technical and non-technical stakeholders
11. Best Practices and Recommendations
- Rule set selection and incremental enforcement strategies
- Workflow recommendations for developers, reviewers, and build pipelines
- Roadmap for scaling SonarQube in enterprise environments
Summary and Next Steps
Requirements
- An understanding of software development lifecycle
- Experience with source control and basic CI/CD concepts
- Familiarity with Java or Angular development environments
Audience
- Developers (Java / Quarkus / Angular)
- DevOps and CI/CD engineers
- Security engineers and application security reviewers
21 hours
Reviews (1)
Interactive and hands-on.
Balavignesh Elumalai - Scottish Power
Course - SonarQube for DevOps
Machine translation