Sonar for IAC

a secure cloud-native app starts with secure IaC

Clean code isn't just for your applications. Sonar brings the Power of Clean Code to your IaC managed cloud environments.

Protect Your Infrastructure

IaC is software - make sure it's clean and secure

It should be properly versioned, have its own pipeline AND it should be tested and secured. Sonar makes it easy to find and fix code issues in the popular languages and tools you’re using to configure and orchestrate your cloud infrastructures.

bits of code and quality checks are shown as an abstract of a developers environment.
Background image of bits of code connecting to each other

try it for free

Self-managed app -->SaaS App -->

broad support for your IaC environment

One solution for clean code in your cloud-native apps & IaC

all-in-one tool

Sonar is your tool for clean code in IaC and popular cloud-native languages including JavaScript, Python, Java, Go and C#. You get depth and breadth.

protect what's important

Keeps vulnerabilities, bugs and code smells out of your biggest asset - your software!

Sonar puts your cloud-native application on a solid foundation

Clean Code principles create safe, reliable infrastructures for your cloud-native apps

boost environment security

Give your apps a safe place to run. IaC specific rules find vulnerabilities in your cloud infrastructure to minimize user risk and safeguard your org's reputation.

Bring a clean code methodology to IaC

Clean as You Code empowers developers to write code with clear rules & expectations. Devs directly control code quality.

agnostic approach

Avoid vendor lock-in. Relying on a single vendor limits choices & concentrates risk. Sonar supports AWS, Google Cloud and Azure.

experiment with confidence

Have fun learning IaC while Sonar protects your code. Sonar is always ready to catch those ‘oops’ mistakes before they fall through the cracks.

Clean code in action

A unique approach to spotting vulnerabilities

What sets Sonar apart from other solutions is the approach. In addition to spotting ‘no-doubt’ vulnerabilities, Sonar also employs the concept of Security Hotspots. This approach is designed to minimize false positives and maximize your efficiency.

Image shows overall health of a project with all areas having a passing score
Dedicated IaC Rules

extend Clean Code to your cloud-native workflow

Security Hotspots > Code Review

Security Hotspots occur when security-sensitive code is used. The code usage might be okay, but a code review is necessary to know for sure.

Sonar provides a custom UI dedicated to Security Hotspot review. This allows developers and cloud engineers to quickly evaluate security risks while learning about secure coding practices. If the code snippet is a vulnerability, you can assign it to someone or mark it safe if it doesn’t pose a risk.

Security Vulnerabilities > Code Change/Fix

Sonar also spots security vulnerabilities that require immediate attention. Sonar provides detailed issue descriptions, code highlights and contextual help that explain why your IaC code is at risk.

Remediation is easy -> Just follow the guidance, check in a fix and secure your application!


BROAD VULNERABILITY DETECTION

Over a decade of analyzer development

The Sonar SAST engine detects vulnerabilities in a comprehensive range of categories

Explore Sonarpedia -->

public access

Detect if your code is granting public access to security-sensitive resources

permissions

Discover if you’ve granted permissions that are typically out-of-scope in production

encryption

Ensure adequate encryption protocols for data at-rest and in-transit

traceability

Prevent inadvertent disabling or modifying of best-practice traceability mechanisms

The Sonar difference

What makes Sonar a solution and not just a tool is the simple, repeatable process it brings to your daily workflow. The difference is how much more proficient you become as a developer.

Clean as You Code Methodology

Clean as You Code establishes a shared quality threshold across the organization for all new or changed code.

Go/No-Go Quality Gate

Fail the pipeline when the code quality doesn’t meet the threshold. Prevent code issues from being merged or deployed.

Actionable, Highly-precise Analysis Results

Receive code quality metrics at the right place and right time. Deal with real issues, not false positives, thanks to the precise Sonar IaC analysis.

Clear Remediation Guidance

Discover issues in context with a rule description that helps you understand WHY there is an issue. Sonar includes examples of compliant code so you understand HOW to fix it.

Background image of bits of code connecting to each other
  • Sonar Solutions
    • Clean Code
    • Clean as You Code
    • Commitment to open source
    • For developers
    • For teams
    • For enterprise
    • Federal Government
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2022, SonarSource S.A, Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE and SONARCLOUD are trademarks of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.