SonarQube + Checkov

Code quality & IaC security scanning

Concept

SonarQube scans application code for bugs, vulnerabilities, and code smells. Checkov scans IaC (Terraform, Kubernetes, CloudFormation) for security misconfigurations. Together they form a complete SAST pipeline.

App Code Scan
SonarQube / SonarCloud
SonarQube / CodeGuru
SonarQube / Cloud Code
IaC Scan
Checkov / tfsec
Checkov / cfn-nag
Checkov / tfsec
Container Scan
Trivy / Aqua
ECR Scan / Trivy
Artifact Analysis
Quality Gate
Fail pipeline on failure
Same
Same

SonarQube Properties

# sonar-project.properties
sonar.projectKey=my-org_payments-api
sonar.organization=my-org
sonar.host.url=https://sonarcloud.io
sonar.sources=src/
sonar.tests=tests/
sonar.language=python
sonar.exclusions=**/*.test.py
sonar.qualitygate.wait=true

GitHub Actions — SonarQube + Checkov

steps:
- uses: actions/checkout@v4

# SonarQube Scan
- name: SonarQube Scan
  uses: sonarsource/sonarqube-scan-action@v3
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

# Checkov IaC Scan
- name: Checkov IaC Scan
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: terraform/
    framework: terraform
    soft_fail: false

# Checkov K8s Scan
- name: Checkov K8s Scan
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: helm/
    framework: kubernetes
    soft_fail: true

○ Azure — Azure DevOps

SonarQube Extension from Azure DevOps Marketplace. Add SonarQubePrepare, SonarQubeAnalyze, SonarQubePublish tasks. Checkov runs as a script task.

○ AWS — AWS CodeBuild

Add SonarQube scan in buildspec.yml as a pre-build phase. Checkov can run as a separate step to block non-compliant IaC before deploy.

○ GCP — GCP Cloud Build

SonarQube and Checkov run as Cloud Build steps. Publish results to SonarCloud. Fail build on quality gate failure.