Sonar is your Clean Code solution for IaC
SONAR FOR IAC
Infrastructure as Code: secure cloud-native apps
Sonar provides a comprehensive code quality and security analysis solution that scans the IaC files for your managed cloud environments and reports a wide range of quality issues and security vulnerabilities.
Trusted and loved by 7 million developers & 400,000+ organizations
PROTECT YOUR INFRASTRUCTURE
Treat IaC like code: prioritize quality and security
IaC should be properly versioned, have its own pipeline, and be tested and secured like any other code. Sonar makes it easy to find and fix code issues in the popular languages and tools you use to configure and orchestrate your cloud infrastructure.
Broad support for your IaC environment
High-quality code in your cloud-native apps and IaC
All-in-one tool
Ensure code quality and security in your IaC and cloud-native languages (JavaScript, Python, Java, Go, C#) with Sonar's deep and broad analysis capabilities
Protect what's important
Keep vulnerabilities, bugs and code smells out of your biggest asset: your software.
Sonar puts your cloud-native application on a solid foundation
Create safe, reliable infrastructures for your cloud-native apps
Boost environment security
Give your apps a safe place to run. IaC specific rules find vulnerabilities in your cloud infrastructure to minimize user risk and safeguard your org's reputation.
Naturally improve IaC quality
Empower developers to write with clear rules & expectations as they code. Devs directly control code quality.
Agnostic approach
Avoid vendor lock-in. Relying on a single vendor limits choices & concentrates risk. Sonar supports AWS, Google Cloud and Azure.
Experiment with confidence
Have fun learning IaC while Sonar protects your code. Sonar is always ready to catch those ‘oops’ mistakes before they fall through the cracks.
SONARQUBE IN ACTION
A unique approach to spotting vulnerabilities
What sets Sonar apart from other solutions is the approach. In addition to spotting ‘no-doubt’ vulnerabilities, Sonar also employs the concept of Security Hotspots. This approach is designed to minimize false positives and maximize your efficiency.
DEDICATED IAC RULES
Integrate quality code practices into your development
Security Hotspots > Code Review
Security Hotspots occur when security-sensitive code is used. The code usage might be okay, but a code review is necessary to know for sure.
Sonar provides a custom UI dedicated to Security Hotspot review. This allows developers and cloud engineers to quickly evaluate security risks while learning about secure coding practices. If the code snippet contains a vulnerability, you can assign it to someone to fix; if it doesn't pose a risk, you can mark it safe.
Security Vulnerabilities > Code Change/Fix
Sonar also spots security vulnerabilities that require immediate attention. Sonar provides detailed issue descriptions, code highlights and contextual help that explain why your code is at risk.
Remediation is easy: just follow the guidance, check in a fix and secure your application.
BROAD VULNERABILITY DETECTION
Over a decade of analyzer development
The Sonar SAST engine detects vulnerabilities in a comprehensive range of categories
Public access
Detect if your code is granting public access to security-sensitive resources
Permissions
Discover if you've granted permissions that are typically out of scope in production
Encryption
Ensure adequate encryption protocols for data at rest and in transit
Traceability
Prevent best-practice traceability mechanisms from being inadvertently disabled or modified
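The categories above map to concrete settings in an IaC file. The Terraform snippet below is an added illustration, not code from the Sonar page or a reproduction of any Sonar rule: it places a constructed S3 bucket definition with a public ACL and no server-side encryption (the kind of thing the "Public access" and "Encryption" categories cover) next to a corrected definition. Bucket names are made up; the resource types are standard ones from the AWS provider.

```hcl
# Added example, not from the Sonar page. Bucket names are constructed.

# --- Weak configuration -------------------------------------------------
resource "aws_s3_bucket" "logs_weak" {
  bucket = "example-logs-weak"
}

# "Public access": grants anonymous read on every object in the bucket.
resource "aws_s3_bucket_acl" "logs_weak" {
  bucket = aws_s3_bucket.logs_weak.id
  acl    = "public-read"
}
# "Encryption": no aws_s3_bucket_server_side_encryption_configuration is
# declared, so objects are stored without server-side encryption, and no
# aws_s3_bucket_public_access_block prevents a later public bucket policy.

# --- Corrected configuration --------------------------------------------
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

# Block every form of public access, including ACLs and bucket policies
# added after this definition.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt data at rest by default with a KMS-managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# "Traceability": keep object versioning on so changes remain auditable.
resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status = "Enabled"
  }
}
```

In a review workflow the weak block is what a scanner flags and a reviewer confirms; the corrected block is what the fix looks like when checked in. The public-access block and the encryption configuration are separate resources on purpose, so either can be reviewed and enforced independently of the bucket itself.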
The Sonar difference
What makes Sonar a solution and not just a tool is the simple, repeatable process it brings to your daily workflow. The difference is how much more proficient you become as a developer.
Naturally improve code quality
Sonar encourages a simple, powerful methodology that progressively improves overall code quality by focusing on code that is added or changed and ensuring that it's secure and high quality.
Sonar Quality Gate Pass/Fail
Added or changed code either passes or fails the quality standard. Fail the pipeline when the code quality doesn’t meet the threshold. Prevent code issues from being merged or deployed.
Actionable, highly-precise analysis results
Receive code quality metrics at the right place and right time. Deal with real issues, not false positives, thanks to the precise Sonar static analysis.
Clear remediation guidance
Discover issues in context with a rule description that helps you understand WHY there is an issue. Sonar includes examples of compliant code so you understand HOW to fix it.