Cloud native features in SonarQube 9.9 LTS

The SonarQube 9.9 LTS brought many new features dedicated to helping you deliver Clean Code day after day. A lot of that functionality is centered around cloud native technologies including Infrastructure as Code (IaC). 

This article offers an overview of these benefits along with links so you can learn more about the features that interest you.  

SonarQube 9.9 LTS supports the following cloud native technologies:

• Terraform for AWS, GCP, Azure 
• AWS CloudFormation (yaml or json) 
• Kubernetes
• Docker

Many of the cloud native based rules in v9.9 are security focused in the following areas:

• S3 Buckets (Community Announcement)
• Permissions (Community Announcement)
• Encryption at Rest (Community Announcement) 
• Encryption at Transit (Community Announcement)
• Traceability

Feature: Detect insecure configurations in your AWS CDK code

If you are describing your AWS infrastructure with the AWS CDK for Python or JavaScript/TypeScript, SonarQube 9.9 LTS will detect insecure configurations in the following domains:

Python

• S3 Buckets (Community Announcement)
• Encryption at Rest and at Transit (Community Announcement)
• Permissions + Traceability (https://www.sonarqube.org/sonarqube-9-7/)

Node.JS

• S3 Buckets 
• Encryption at Rest and at Transit (available since Nov 2022)
• Permissions + Traceability (available since Nov 2022)

Feature: Detect injection vulnerabilities in your AWS Lambdas

AWS Lambdas can be the entry point of injection attacks. SonarQube v9.9 relies on the same Sonar Taint Analyzer engine used to find injection vulnerabilities in web applications to detect if some malicious inputs are injected in the entry points of AWS Lambdas written in Python or JS/TS. Serverless and SAM frameworks are supported.

JavaScript (Community Announcement)

Python (Community Announcement)

Feature: Detect Code Quality issues in all your Python and JavaScript/TypeScript code

Finding and fixing vulnerabilities to keep your users safe is super important and it’s also important to keep your codebase squeaky clean. SonarQube v9.9 includes hundreds of rules designed to find bugs and code smells in all your Python and JS/TS projects. These same rules are executed in the context of cloud native code so ALL of your source and test code is kept in a Clean Code state. 

The projects making up your cloud native apps likely combine code from many popular languages used today including Java, Go and Python. In all, SonarQube v9.9 can detect quality and security issues in over 30 languages, frameworks and cloud technologies. With Sonar, you get a complete, reliable Clean Code solution for all the projects in your organization.

Feature: Detect secrets/tokens in major cloud providers

Lastly, SonarQube detects secrets and tokens accidentally left in your cloud-based code before they make it out into the wild and into malicious hands. 

Clean Code for the Win!

Join the clean code movement, be intentional with the quality of your codebase and take pride in delivering cloud native apps in a safe, sustainable way. 

Thanks for reading and happy, clean, cloud native coding!

Pick a topic to discover more:

• SonarQube 9.9 LTS Announcement
• Clean Code: The Best Approach to Writing Secure Cloud Native Apps
• The Power of Clean Code