Overview

This guideline is written to standardize the static application security testing (SAST) process in SaFi. Each procedure and step is considered a minimum requirement and can be improved at any time.

Types of SonarQube implementation

Three SonarQube deployments will be used to scan for code quality and vulnerabilities.

  1. SonarQube at https://sonarqube.safibank.online will be used as the pipeline-integrated SonarQube. This is already implemented in the _app-sonarqube-dev-ci.yml workflow.
    username: user
    password: vs5Gh92N2ODG7s57OmN4Jn6tqQfYV7GY

  2. SonarCloud will be used on an as-needed basis: manually triggered, not integrated into any pipeline, and run from a dedicated workflow.

  3. SonarLint, the SonarQube plugin for the IDE (SonarLint connected to SonarQube in IntelliJ IDEA), will be integrated into developers' IDEs. It is a mandatory plugin to ensure the desired code quality.

Pipeline integrated SonarQube

SonarQube is mandatory in every GitHub Actions workflow running in the Dev environment. This ensures that all code is covered, with the aim of 100% SAST code coverage.

Developers are required to integrate all their code changes with the SaFi SQ to scan code quality. Developers who encounter challenges with the integration should file a request with the SRE team to integrate the SaFi SQ into their code and check whether or not it meets the desired metrics.

The pipeline-integrated SonarQube is expected to inspect all code quality before SonarCloud does, and developers are expected to fix the issues it finds so that the code is within the expected metrics.

As-Needed SonarCloud

SonarCloud is expensive, and its pricing is based on lines of code and the frequency of scans. Moving forward, only small new features or change requests are going to be implemented. The agreed strategy is therefore to use SonarCloud on an as-needed basis.

The frequency will be annual for regulatory purposes and on-demand for major releases such as the MVP.

SonarLint

Developer IDEs should have the SonarLint plugin installed. Each team lead ensures that SonarLint is installed for their developers. Developers are expected to clean up code right away while writing it, which should reduce the number of issues found in SaFi SQ and SonarCloud.

Process

Based on the results of the static check, the findings are assessed against the desired metrics defined in Code Quality Management. If the code is within the metrics, in other words it passes the static check, it will continue to be merged. Otherwise, deny the request and have the developers fix the findings before the pull request is merged.
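The merge decision described above can be automated by asking SonarQube for the project's quality-gate status after the pipeline scan and failing the job when the gate is not met. The script below is an added example, not SaFi's own workflow code; it uses the SonarQube web API endpoint api/qualitygates/project_status, assumes the scan token is supplied through a SONAR_TOKEN environment variable (assumed name, kept out of the workflow file), and evaluates a constructed sample response so the logic runs offline.

```python
"""Quality-gate check for the pipeline-integrated SonarQube (added example)."""
import base64
import json
import os
import urllib.request
from typing import Any

# Constructed sample of an api/qualitygates/project_status response for a
# project that fails its gate; lets the decision logic run without a server.
SAMPLE_FAILED_STATUS = json.loads("""
{"projectStatus": {"status": "ERROR", "conditions": [
  {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
   "errorThreshold": "80", "actualValue": "85.2"},
  {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
   "errorThreshold": "1", "actualValue": "3"},
  {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
   "comparator": "LT", "errorThreshold": "100", "actualValue": "50"}
]}}
""")


def fetch_project_status(base_url: str, project_key: str) -> dict[str, Any]:
    """Query SonarQube for the quality-gate status of one project."""
    token = os.environ["SONAR_TOKEN"]  # assumed secret name; never hard-code it
    # SonarQube accepts a user token as the Basic-auth username with empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/qualitygates/project_status?projectKey={project_key}",
        headers={"Authorization": f"Basic {auth}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def failed_conditions(status: dict[str, Any]) -> list[str]:
    """One readable line per metric whose condition breached the gate."""
    return [
        f"{c['metricKey']}: actual {c['actualValue']} {c['comparator']} "
        f"threshold {c['errorThreshold']}"
        for c in status["projectStatus"]["conditions"]
        if c["status"] == "ERROR"
    ]


def merge_decision(status: dict[str, Any]) -> tuple[bool, list[str]]:
    """Apply the process: gate passed -> merge allowed; else deny with findings."""
    failures = failed_conditions(status)
    return status["projectStatus"]["status"] == "OK" and not failures, failures


if __name__ == "__main__":
    allowed, findings = merge_decision(SAMPLE_FAILED_STATUS)
    print("merge allowed" if allowed else "merge denied:\n  " + "\n  ".join(findings))
```

In a real workflow the job would call fetch_project_status against the SaFi SQ instance and exit non-zero when merge_decision returns False, so the pull request cannot be merged until the listed findings are fixed.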