
Can we use SonarQube to scan IaC (Infrastructure as Code) from Terraform with an Azure DevOps CI/CD pipeline?

Can we use SonarQube to scan IaC code (not application code; IaC code here means Terraform code that creates Azure infrastructure such as RBAC, PIM, allowed locations, etc.) for errors and vulnerabilities with Azure DevOps CI/CD pipelines?

I found some links, but I'm not sure:

https://registry.terraform.io/providers/jdamata/sonarqube/latest/docs/resources/sonarqube_qualitygate_project_association

I confirm SonarSource (SonarQube, SonarCloud, SonarLint) doesn't yet provide any feature to scan IaC files (Terraform, CloudFormation, ...). This is part of our 2021 roadmap to bring features to secure Cloud Native apps, which includes raising issues on your IaC files. The work just started on our side, so don't expect this to come soon, but rather starting from Q3.

There is no SonarQube plugin for analyzing Terraform code. You can use Terrascan or TFLint as a static analysis tool.

https://github.com/accurics/terrascan

https://github.com/terraform-linters/tflint
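As an added illustration of the answer above (this is not code from any of the answers or from the Terrascan/TFLint projects), here is an Azure DevOps pipeline that runs both tools against a Terraform directory and publishes their findings so that violations fail the build before a CD stage can run. Assumptions: the Terraform code lives under `infra/`, the hosted `ubuntu-latest` agent is used (it has Docker and curl), and the `tenable/terrascan` container image is the current home of the Terrascan project that the answer links under `accurics/terrascan`.

```yaml
# azure-pipelines.yml (added example; assumes Terraform code under ./infra)
trigger:
  branches:
    include: [main]

pool:
  vmImage: 'ubuntu-latest'

variables:
  TF_DIR: 'infra'                              # assumed location of the Terraform code
  TERRASCAN_IMAGE: 'tenable/terrascan:latest'  # assumed image; Terrascan moved from accurics to tenable

steps:
  # TFLint catches errors and deprecated/invalid arguments that "terraform validate" misses.
  - script: |
      set -euo pipefail
      curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
      cd "$(TF_DIR)"
      tflint --init
      # JUnit output lets Azure DevOps render each finding on the Tests tab.
      tflint --format junit > "$(Build.ArtifactStagingDirectory)/tflint-results.xml" || LINT_RC=$?
      exit ${LINT_RC:-0}
    displayName: 'TFLint (errors and bad arguments)'
    continueOnError: true   # keep going so Terrascan findings are collected too

  # Terrascan applies policy-as-code checks to the Azure resources the code declares.
  - script: |
      set -euo pipefail
      docker run --rm -v "$(Build.SourcesDirectory)/$(TF_DIR):/iac" \
        "$(TERRASCAN_IMAGE)" scan -i terraform -t azure -d /iac -o junit-xml \
        > "$(Build.ArtifactStagingDirectory)/terrascan-results.xml" || SCAN_RC=$?
      exit ${SCAN_RC:-0}
    displayName: 'Terrascan (Azure security policies)'
    continueOnError: true

  # Publish both reports; any failed "test" (= a finding) fails the run, blocking deployment.
  - task: PublishTestResults@2
    displayName: 'Publish IaC scan results'
    condition: always()
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: '*-results.xml'
      searchFolder: '$(Build.ArtifactStagingDirectory)'
      failTaskOnFailedTests: true
```

Both scan steps are marked `continueOnError` so that a TFLint failure does not hide Terrascan's output; the gate is enforced once at the publish step, where `failTaskOnFailedTests` turns any reported violation into a failed run. Placing this job in the CI stage (before `terraform apply` in the CD stage) is what gives the scan its value: misconfigurations in RBAC, allowed locations or similar policies are stopped before they reach the subscription.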

Here is another one ==> oak9 ( www.oak9.io ). It focuses on securing your application architecture by analyzing your IaC. It has a number of features including out-of-the-box security and compliance blueprints, integrations across CI/CD toolsets & code repositories, integrations with different cloud service providers and a lot more. Full disclosure: I work on the security team here.

You can try referring to this link, but it misses a lot of features as an IaC tool.

https://www.sonarqube.org/features/multi-languages/terraform/
