
Introducing audit logs in SonarQube Cloud: Enhancing compliance and security

Andrew Osborne

Product Marketing Manager

  • SonarQube Cloud
  • Code Compliance

In today's fast-paced development environment, maintaining software security and compliance is more critical than ever. With the rise of AI-driven code development and increasing regulatory demands, the need for accountability and traceability within the software development lifecycle (SDLC) has never been greater.

At Sonar, we're committed to empowering developers to build better, more secure software with static code analysis. We're also dedicated to providing the tools necessary to ensure that this development is done in a secure and compliant manner. That's why we're excited to announce the initial release of audit logs for SonarQube Cloud.


The growing importance of audit logs in modern SDLC and DevSecOps

While once considered a niche requirement for highly regulated industries, audit logs have become an essential tool for any organization with a digital presence. They provide a chronological record of events, offering a clear answer to "who did what, and when?" This is crucial for:

  • Security Incident Investigation: Quickly identify and investigate suspicious activity.
  • Compliance: Meet the requirements of standards like GDPR, SOC 2, and ISO 27001.
  • Accountability: Maintain a clear record of user and system actions.


Audit logs in SonarQube Cloud: What you need to know

This initial release of audit logs is designed to provide our SonarQube Cloud Enterprise plan customers with the essential data they need to meet their immediate compliance and security needs. Here are the key details:

  • Availability: Audit logs are available exclusively for customers on the SonarQube Cloud Enterprise plan, ensuring enterprise-grade governance and support.
  • Access: Audit logs are accessible via a new API endpoint. This allows for seamless integration with your existing security information and event management (SIEM) tools.
  • Permissions: Only enterprise admins have access to the audit logs endpoint.
  • Data Retention: Audit logs are retained for a period of 180 days.
  • Querying: In this initial version, you can query the audit logs by date range. We will be adding the ability to query by event type and actor in a future release.

A list of the logged events is available here.
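The following is an added example, not Sonar's code and not the documented API: a polling skeleton for forwarding these audit logs to a SIEM by date range. The endpoint wrapper (`fetch`), the event fields and the sample events are assumptions; only date-range querying and the 180-day retention come from this post.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)   # retention period stated in the announcement
OVERLAP = timedelta(minutes=5)    # re-read a short tail to catch late-indexed events (assumption)

def plan_window(last_seen, now, retention=RETENTION, overlap=OVERLAP):
    """Choose the next date range to query.

    Returns (start, end, gap). start never precedes the retention floor:
    anything older is already purged, so asking for it only hides the fact
    that events were lost; gap=True flags that case so it can be alerted on.
    """
    floor = now - retention
    wanted = (last_seen - overlap) if last_seen else floor
    return max(wanted, floor), now, wanted < floor

def dedupe(events, seen_ids):
    """Drop events already forwarded (overlapping windows re-deliver them)."""
    fresh = [e for e in events if e["id"] not in seen_ids]
    seen_ids.update(e["id"] for e in fresh)
    return sorted(fresh, key=lambda e: e["timestamp"])

def pull_once(state, fetch, now):
    """One poll cycle: plan the window, fetch, dedupe, advance the watermark.

    `fetch(start, end)` is a hypothetical callable wrapping the real endpoint;
    `state` keeps the last timestamp forwarded and the ids already seen.
    """
    start, end, gap = plan_window(state.get("last_seen"), now)
    fresh = dedupe(fetch(start, end), state.setdefault("seen_ids", set()))
    if fresh:
        state["last_seen"] = max(e["timestamp"] for e in fresh)
    return fresh, gap

# Constructed sample events standing in for the API response (not real data;
# field names are assumptions).
_T0 = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "evt-1", "timestamp": _T0, "event": "user.login", "actor": "alice"},
    {"id": "evt-2", "timestamp": _T0 + timedelta(minutes=2), "event": "token.create", "actor": "alice"},
    {"id": "evt-3", "timestamp": _T0 + timedelta(minutes=30), "event": "permission.change", "actor": "bob"},
]

def fake_fetch(start, end):
    """Stand-in for the HTTP call: returns sample events inside [start, end]."""
    return [e for e in SAMPLE if start <= e["timestamp"] <= end]
```

Running `pull_once` twice with a persisted `state` shows the overlap re-delivering `evt-3` and the dedupe discarding it, while a watermark older than 180 days raises the `gap` flag.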


Focus on what matters: Core IAM events

This first iteration of SonarQube Cloud audit logs focuses on capturing core authentication and administrative Identity and Access Management (IAM) events. This provides visibility into critical security-related activities, such as:

  • User login and logout events
  • User and token creation
  • Changes to user permissions


Reducing risk and ensuring accountability

For compliance officers, CISOs, and C-suite executives, audit logs provide a powerful tool for risk reduction and governance. They enable you to:

  • Verify Policy Adherence: Confirm that mandatory security checks are being enforced.
  • Trace Configuration Changes: Track administrative actions and user permission changes.
  • Facilitate Regulatory Reporting: Generate the fine-grained data needed for compliance reports.
  • Ensure Non-Repudiation: Create an immutable record of code security and quality decisions.


The future of audit logs in SonarQube Cloud

This is just the beginning for audit logs in SonarQube Cloud. We are committed to expanding the scope of logged events to provide even greater visibility into your development lifecycle. We want to hear from you! You can influence our roadmap and tell us which additional events you'd like to see by providing feedback on our roadmap.


Get started today

If you're an enterprise admin on the SonarQube Cloud Enterprise plan, you can start using the new audit logs API today. For more detailed information, please refer to our SonarQube Cloud documentation and the API endpoint documentation.

We're confident that the new audit logs feature will provide you with the traceability and control you need to ensure the security and regulatory compliance of your software development process.
