Code quality & IaC security scanning
SonarQube scans application code for bugs, vulnerabilities, and code smells. Checkov scans IaC (Terraform, Kubernetes, CloudFormation) for security misconfigurations. Together they form a complete SAST pipeline.
# sonar-project.properties sonar.projectKey=my-org_payments-api sonar.organization=my-org sonar.host.url=https://sonarcloud.io sonar.sources=src/ sonar.tests=tests/ sonar.language=python sonar.exclusions=**/*.test.py sonar.qualitygate.wait=true
steps:
- uses: actions/checkout@v4
# SonarQube Scan
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@v3
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# Checkov IaC Scan
- name: Checkov IaC Scan
uses: bridgecrewio/checkov-action@v12
with:
directory: terraform/
framework: terraform
soft_fail: false
# Checkov K8s Scan
- name: Checkov K8s Scan
uses: bridgecrewio/checkov-action@v12
with:
directory: helm/
framework: kubernetes
soft_fail: trueSonarQube Extension from Azure DevOps Marketplace. Add SonarQubePrepare, SonarQubeAnalyze, SonarQubePublish tasks. Checkov runs as a script task.
Add SonarQube scan in buildspec.yml as a pre-build phase. Checkov can run as a separate step to block non-compliant IaC before deploy.
SonarQube and Checkov run as Cloud Build steps. Publish results to SonarCloud. Fail build on quality gate failure.