Infra create
terraform init, plan and apply
DevOps team develops the pipeline... DevOps will do the settings in Git. DevOps team discusses the branching strategy with the Development team...
CI job triggers the CD job
Shift Left
===========
Instead of testing and scanning the application only in higher environments, we shift as many scanning and testing stages as possible into the DEV environment so that issues are caught early...
Scanning
===========
Source code analysis --> SonarQube
SAST --> Static application security testing --> SonarQube
DAST --> Dynamic application security testing --> Veracode
open source library scan --> scanning dependencies
image scan --> Docker image scan
1. Install the SonarQube Scanner plugin; this enables the SonarQube options in Tools and System configuration
2. Configure the SonarQube scanner in the Tools section
3. Configure the SonarQube server URL in System configuration, including authentication
Quality Gates
=============
When the sonar scan is over we need to take a decision based on quality gates.
Code Coverage
20 functions --> unit test cases for all 20 functions --> 100% code coverage
commit1, commit2
new code = commit2 - commit1 (the quality gate conditions apply to this new code)
issues --> 0
vulnerabilities --> 0
code smells --> 0
maintainability rating --> A
security rating --> A
code coverage --> min 80%
How did you integrate sonarqube in your project?
We installed the SonarQube Server. We added the SonarQube Scanner plugin in our Jenkins, configured the sonar-scanner tool and configured the SonarQube server in the Jenkins pipeline...
We integrated the SonarQube Jenkins code into our pipeline: the scanner analyses the code and pushes the results to the server. We configured quality gates on the SonarQube server; if a quality gate fails, our build also fails.
What is qualitygates?
To make the overall code and new code clean, we configured parameters in sonarqube server that should pass. Our parameters are
issues --> 0
vulnerabilities --> 0
code smells --> 0
maintainability rating --> A
security rating --> A
code coverage --> min 80%
If the code hasn't passed these parameters, the code quality check has failed. We integrated Jenkins and SonarQube through a webhook: our pipeline waits for the results, and if the quality gate fails we fail the pipeline..
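The integration described above, as an added example (not code from the notes): a declarative Jenkinsfile that runs the SonarQube scanner and then waits for the webhook-delivered quality gate result. The tool name 'sonar-scanner', the server name 'sonarqube-server', the project key and the webhook URL are assumptions.

```groovy
// Added example: Jenkins pipeline with SonarQube scan + quality gate check.
// Assumes: a scanner tool named 'sonar-scanner' under Manage Jenkins -> Tools,
// a SonarQube server named 'sonarqube-server' under System configuration (with token),
// and a webhook on the SonarQube server pointing at <JENKINS_URL>/sonarqube-webhook/
// (placeholder URL). Without the webhook, waitForQualityGate never receives a result.
pipeline {
    agent any
    stages {
        stage('Build and unit tests') {
            steps {
                // Coverage report produced here feeds the "code coverage --> min 80%" condition
                sh 'mvn -B clean verify'
            }
        }
        stage('Sonar scan') {
            steps {
                script {
                    // Path of the scanner CLI configured in the Tools section
                    def scannerHome = tool 'sonar-scanner'
                    // Injects SONAR_HOST_URL and the server token into the environment
                    withSonarQubeEnv('sonarqube-server') {
                        sh "${scannerHome}/bin/sonar-scanner " +
                           "-Dsonar.projectKey=example-app " +   // assumed project key
                           "-Dsonar.sources=src/main " +
                           "-Dsonar.tests=src/test"
                    }
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Block until SonarQube posts the gate result via the webhook; the timeout
                // stops a missing or misconfigured webhook from hanging the build forever.
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            // Gate conditions (0 issues/vulnerabilities, ratings A, coverage >= 80%)
                            // are defined on the server; here we only act on the verdict.
                            error "Quality gate failed with status: ${qg.status}"
                        }
                    }
                }
            }
        }
    }
}
```

Because the gate verdict is enforced in the pipeline, code that drops below the server-side thresholds on new code never reaches the CD job that the CI job would otherwise trigger.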