Course Outline
1. Concepts and Scope of Static Code Analysis
- Definitions: static analysis, SAST, rule categories, and severity levels
- Role of static analysis in secure SDLC and risk coverage
- How SonarQube aligns with security controls and developer workflows
2. SonarQube Overview: Features and Architecture
- Core services, database, and scanner components
- Quality Gates, Quality Profiles, and best practices for Quality Gates
- Security capabilities: vulnerabilities, SAST rules, and CWE mapping
3. Navigation and Use of the SonarQube Server UI
- Server UI tour: projects, issues, rules, measures, and governance views
- Understanding issue pages, traceability, and remediation guidance
- Options for report generation and export
4. SonarScanner Configuration with Build Tools
- Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild
- Best practices for scanner properties, exclusions, and multi-module projects
- Generating appropriate test data and coverage reports for accurate analysis
5. Integration with Azure DevOps
- Configuring SonarQube service connections in Azure DevOps
- Incorporating SonarQube tasks into Azure Pipelines and enabling PR decoration
- Importing Azure Repos into SonarQube and automating analyses
6. Project Configuration and Third-Party Analyzers
- Project-level Quality Profiles and rule selection for Java and Angular
- Working with third-party analyzers and understanding plugin lifecycle
- Defining analysis parameters and managing parameter inheritance
7. Roles, Responsibilities, and Secure Development Methodology Review
- Role segregation: developers, reviewers, DevOps, and security owners
- Creating a roles and responsibilities matrix for CI/CD processes
- Review and recommendation process for an existing secure development methodology
8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features
- Using the SonarQube Web API to add and manage custom rules
- Adjusting Quality Gates and automating policy enforcement
- Hardening SonarQube server security and implementing access control best practices
9. Hands-on Lab Sessions (Applied)
- Lab A: Configure SonarScanner for 5 Java repositories (Quarkus where applicable) and analyze results
- Lab B: Configure Sonar analysis for 1 Angular front-end application and interpret findings
- Lab C: Comprehensive pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration
10. Testing, Troubleshooting, and Report Interpretation
- Strategies for generating test data and measuring coverage
- Common issues and troubleshooting scanner, pipeline, and permission errors
- How to read and present SonarQube reports to both technical and non-technical stakeholders
11. Best Practices and Recommendations
- Rule set selection and incremental enforcement strategies
- Workflow recommendations for developers, reviewers, and build pipelines
- Roadmap for scaling SonarQube in enterprise environments
Summary and Next Steps
Requirements
- Understanding of the software development lifecycle
- Experience with source control and foundational CI/CD concepts
- Familiarity with Java or Angular development environments
Audience
- Developers (Java / Quarkus / Angular)
- DevOps and CI/CD engineers
- Security engineers and application security reviewers
21 Hours
Testimonials (1)
Engaging, and hands-on practice.