Can we use SonarQube to scan Infrastructure as Code (IaC) from Terraform with an Azure DevOps CI/CD pipeline?
Can we use SonarQube to scan IaC code (not application code; IaC code here meaning Terraform code that creates Azure infrastructure such as RBAC, PIM, allowed locations, etc.) for errors and vulnerabilities with Azure DevOps CI/CD pipelines?
I found a link but I'm not sure about it:
https://registry.terraform.io/providers/jdamata/sonarqube/latest/docs/resources/sonarqube_qualitygate_project_association
I confirm SonarSource (SonarQube, SonarCloud, SonarLint) doesn't yet provide any feature to scan IaC files (Terraform, CloudFormation, ...). This is part of our 2021 roadmap to bring features to secure Cloud Native apps, which includes raising issues on your IaC files. The work has just started on our side, so don't expect this to come soon; more likely starting from Q3.
There is no SonarQube plugin for analyzing Terraform code. You can use Terrascan or TFLint as a static analysis tool.
https://github.com/accurics/terrascan
https://github.com/terraform-linters/tflint
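As an added example (not code from any of the answers above, nor from the Terrascan or TFLint projects), here is an Azure DevOps pipeline that runs both tools against the Terraform code in a repository and publishes their findings to the build's Tests tab. Assumptions: the Terraform code lives under an `infra` folder (the `TF_DIR` value is a placeholder), the hosted Ubuntu agent has `curl`, `tar` and `sudo`, and the tools are installed per job; the Terrascan repository linked above now lives under `github.com/tenable/terrascan`, which is what the download step queries. Both install commands fetch the latest release and should be pinned to a known version in real use. Terrascan's Azure policy set is selected with `-t azure`; Azure-specific TFLint rules additionally require the `azurerm` ruleset declared in a `.tflint.hcl` next to the code, which is not shown here.

```yaml
# azure-pipelines.yml (added example; paths and install steps are assumptions)
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  TF_DIR: infra                                  # assumed folder holding the Terraform code
  RESULTS_DIR: $(Build.ArtifactStagingDirectory) # where the JUnit reports are written

steps:
  - checkout: self

  - script: |
      set -euo pipefail
      # TFLint: official install script from the tflint repo (pin TFLINT_VERSION in real use)
      curl -sSL https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
      # Terrascan: download the latest Linux release tarball and install the binary
      # (backticks instead of $(...) so Azure DevOps does not treat it as a macro)
      api=https://api.github.com/repos/tenable/terrascan/releases/latest
      url=`curl -s "$api" | grep -o -E 'https://.+?_Linux_x86_64.tar.gz'`
      curl -sL "$url" -o terrascan.tar.gz
      tar -xf terrascan.tar.gz terrascan
      sudo install terrascan /usr/local/bin
      rm -f terrascan terrascan.tar.gz
      tflint --version
      terrascan version
    displayName: Install TFLint and Terrascan

  - script: |
      set -u
      cd "$(TF_DIR)"
      tflint --init
      # Each tool exits non-zero when it reports findings; capture the status so the
      # JUnit report is still written, then fail the step if either tool flagged anything.
      tflint --format=junit > "$(RESULTS_DIR)/tflint-junit.xml"; tflint_status=$?
      terrascan scan -i terraform -t azure -d . -o junit-xml \
        > "$(RESULTS_DIR)/terrascan-junit.xml"; terrascan_status=$?
      test "$tflint_status" -eq 0 -a "$terrascan_status" -eq 0
    displayName: Scan Terraform with TFLint and Terrascan

  - task: PublishTestResults@2
    condition: succeededOrFailed()   # publish findings even when the scan step failed
    inputs:
      testResultsFormat: JUnit
      testResultsFiles: '*-junit.xml'
      searchFolder: $(RESULTS_DIR)
      testRunTitle: Terraform IaC static analysis
```

The scan step deliberately runs without `set -e` so that a finding does not abort the script before the second report is produced; the final `test` is what fails the build. Because the publish task has `condition: succeededOrFailed()`, the reports reach the Tests tab in both the passing and the failing case, which is where reviewers will see which rule or policy fired.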
Here is another one ==> oak9 (www.oak9.io). It focuses on securing your application architecture by analyzing your IaC. It has a number of features including out-of-the-box security and compliance blueprints, integrations across CI/CD toolsets and code repositories, integrations with different cloud service providers, and a lot more. Full disclosure: I work on the security team here.
You can try referring to this link, but it misses a lot of features as an IaC tool.
https://www.sonarqube.org/features/multi-languages/terraform/