SonarQube Agent Scanner - Activate Scenario

A ZeroNorth Scenario called sonarqube-agent can invoke SonarQube Agent Scanner via its CLI interface to scan a GitHub repository or build artifacts for known vulnerabilities. This article describes the steps for activating this Scenario for use in a Policy.

Prerequisites

  • ZeroNorth platform license and credentials
  • Access to a SonarQube server (ZeroNorth hosts one for free)
  • Valid credentials for the SonarQube scanning service

Activate the “sonarqube-agent” scenario

  1. Log in to the web UI and then go to zn ADM > Scenarios.
  2. Locate the SonarQube Scenario tile.
  3. Click on +Add Scenario to the bottom right of the tile.
  4. In the subsequent screen, enter:
     • Name
     • Product Configuration - this is one of:
       • sonarqube-agent - for most languages
       • sonarqube-msbuild-runner - for C#/.NET projects
     • SonarQube Host URL - the URL to the SonarQube server. Omit the trailing “/”. Example: https://sonar.mycompany.com:9000. If you are using the SonarCloud SaaS service, this URL should be something like https://sonarcloud.io.
     • API Key - for instructions on obtaining your API Key, see this article
     • Vulnerabilities Severity Levels - specify the minimum severity for import of Vulnerability issues. The default is everything but INFO.
     • Include bugs - specify whether you want to import Bugs reported by SonarQube. The default is “No”.
     • Bugs Severity Levels - specify the minimum severity for import of Bug issues. The default is everything but INFO.
     • Include code smells - specify whether you want to import Code Smells reported by SonarQube. The default is “No”.
     • Code Smells Severity Levels - specify the minimum severity for import of Code Smell issues. The default is everything but INFO.
     • Optionally, Description
  5. Click on Save.

The Scenario is now ready for use in a Policy.
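As an added illustration (not ZeroNorth's or SonarQube's own code), the following Python models how the Scenario settings above decide which SonarQube issues get imported: Vulnerabilities always, Bugs and Code Smells only when enabled, each filtered by its minimum severity, plus the trailing-slash normalisation the Host URL field asks for. The settings class, function names and the sample issue list are assumptions constructed for this example.

```python
"""Model of the sonarqube-agent Scenario's import filter (illustrative, not ZeroNorth code)."""
import json
from dataclasses import dataclass

# SonarQube severities in ascending order; INFO is the lowest.
SEVERITY_ORDER = ["INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER"]


@dataclass
class ScenarioSettings:
    """Mirrors the Scenario form fields; defaults match the article ("everything but INFO", bugs/smells off)."""
    host_url: str
    vuln_min_severity: str = "MINOR"
    include_bugs: bool = False
    bugs_min_severity: str = "MINOR"
    include_code_smells: bool = False
    smells_min_severity: str = "MINOR"


def normalize_host_url(url: str) -> str:
    """Strip the trailing '/' the form tells you to omit."""
    return url.rstrip("/")


def meets_minimum(severity: str, minimum: str) -> bool:
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(minimum)


def select_issues(issues, settings: ScenarioSettings):
    """Return the issues the Scenario would import under the given settings."""
    thresholds = {"VULNERABILITY": settings.vuln_min_severity}
    if settings.include_bugs:
        thresholds["BUG"] = settings.bugs_min_severity
    if settings.include_code_smells:
        thresholds["CODE_SMELL"] = settings.smells_min_severity
    return [i for i in issues
            if i["type"] in thresholds and meets_minimum(i["severity"], thresholds[i["type"]])]


# Constructed sample, shaped like the "issues" array of SonarQube's
# /api/issues/search response (only the fields this filter reads).
SAMPLE_ISSUES = json.loads("""[
  {"key": "EX-1", "type": "VULNERABILITY", "severity": "CRITICAL", "component": "app:src/Login.java"},
  {"key": "EX-2", "type": "VULNERABILITY", "severity": "INFO",     "component": "app:src/Util.java"},
  {"key": "EX-3", "type": "BUG",           "severity": "MAJOR",    "component": "app:src/Parser.java"},
  {"key": "EX-4", "type": "CODE_SMELL",    "severity": "BLOCKER",  "component": "app:src/Main.java"},
  {"key": "EX-5", "type": "BUG",           "severity": "MINOR",    "component": "app:src/Cache.java"}
]""")
```

With the defaults only EX-1 is imported; enabling Bugs with a MAJOR minimum adds EX-3 but not EX-5.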

SonarQube Host URL Explained Further

If you plan to use the ZeroNorth-hosted SonarQube server, contact support@zeronorth.io to have the necessary Scenario(s) activated for you.

Generally, the URL should be specified simply as the below examples show:

When using your own SonarQube server, things to consider:

  • If you plan to use the sonarqube-msbuild-runner Scenario to scan .NET projects, after activating the Scenario, follow the instructions in the article Integration Guide - SonarQube and C#/.NET projects.
  • If you plan to use the sonarqube-agent Scenario for all other languages, after activating the Scenario, follow the instructions in the article Integration Guide - Using an on-prem SonarQube Server.