# SonarQube

By following this guide, you can combine SonarQube's code analysis capabilities with SecDim's interactive training, providing developers with immediate, context-sensitive resources to address security issues effectively.

## Set Up SonarQube in Your Repository

Ensure that SonarQube is configured in your repository. If it is not already set up, you can add the SonarQube GitHub Action to your workflow to analyze your code.

## Generate SARIF Output Using SonarQube

SonarQube does not natively produce SARIF-formatted results. However, you can use the sarif-sonarqube GitHub Action to convert SonarQube issues into a SARIF report. After running the SonarQube analysis, add the following step to generate the SARIF report:

```yaml
- name: Generate SonarQube SARIF report
  uses: benoit-sns/sarif-sonarqube@master
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  with:
    report_path: <path-to-report-task.txt>
```

Replace `<path-to-report-task.txt>` with the path to the `report-task.txt` file generated by the SonarQube scanner.

## Upload the SARIF File to GitHub

To visualize the SonarQube analysis results within GitHub's Security tab, upload the SARIF file using the following step:

```yaml
- name: Upload SonarQube SARIF results
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: sonarqube.sarif
```

This step ensures that GitHub processes the SARIF file and displays the findings appropriately.

## Integrate SecDim for In-Context Training

SecDim offers a GitHub Action that parses SARIF files and enriches them with links to interactive secure code training environments. Add the following step to your workflow:

```yaml
- name: Run SecDim Sandbox Action
  uses: secdim/sandbox-action@v1.0.1
  with:
    input_sarif_file: sonarqube.sarif
    output_sarif_file: sonarqube.enriched.sarif
```

This action takes the original `sonarqube.sarif` file, processes it to include links to relevant SecDim Sandboxes, and outputs the enriched SARIF file as `sonarqube.enriched.sarif`.

## Upload the Enriched SARIF File

To ensure that the enriched SARIF file, now containing in-context training links, is uploaded to GitHub, add the following step:

```yaml
- name: Upload Enriched SARIF results
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: sonarqube.enriched.sarif
```

This final step uploads the enriched SARIF file, allowing developers to access interactive training directly from the identified issues within GitHub's Security tab.

## Complete GitHub Actions Workflow Example

Below is a complete example of a GitHub Actions workflow integrating SonarQube analysis with SecDim's interactive training:

```yaml
name: SonarQube Analysis and SecDim Integration

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: SonarQube Scan
        uses: sonarsource/sonarqube-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      - name: Generate SonarQube SARIF report
        uses: benoit-sns/sarif-sonarqube@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          report_path: <path-to-report-task.txt>

      - name: Upload SonarQube SARIF results
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: sonarqube.sarif

      - name: Run SecDim Sandbox Action
        uses: secdim/sandbox-action@v1.0.1
        with:
          input_sarif_file: sonarqube.sarif
          output_sarif_file: sonarqube.enriched.sarif

      - name: Upload Enriched SARIF results
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: sonarqube.enriched.sarif
```

Ensure that your repository's secrets include the `SONAR_TOKEN` for authentication with SonarQube.
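Because the workflow uploads two SARIF files, it is worth checking before the upload steps that the converted file has the basic SARIF 2.1.0 shape and that enrichment kept every finding. The script below is an added example, not SecDim's or SonarQube's code; the sample SARIF layout and the way the training link is appended to the message text are assumptions for illustration.

```python
import copy

# Constructed sample in the minimal SARIF 2.1.0 shape; the field layout is an
# assumption for illustration, not the actual sarif-sonarqube or SecDim output.
ORIGINAL = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SonarQube", "rules": [
            {"id": "java:S2076", "shortDescription": {"text": "OS command injection"}}]}},
        "results": [{
            "ruleId": "java:S2076", "level": "error",
            "message": {"text": "Make sure this OS command is safe."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/Main.java"},
                "region": {"startLine": 42}}}]}]}]}

# Constructed enriched copy: here the training link is appended to the message
# text (an assumption; the real action may place it elsewhere).
ENRICHED = copy.deepcopy(ORIGINAL)
ENRICHED["runs"][0]["results"][0]["message"]["text"] += (
    " Training: https://example.invalid/sandbox/placeholder")

def sarif_problems(doc):
    """List missing SARIF 2.1.0 required fields that would make the upload fail."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        for j, res in enumerate(run.get("results", [])):
            if not res.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}].message.text is missing")
    return problems

def _result_key(res):
    """Identify a finding by rule, file and line so the two files can be matched."""
    loc = res.get("locations", [{}])[0].get("physicalLocation", {})
    return (res.get("ruleId"), loc.get("artifactLocation", {}).get("uri"),
            loc.get("region", {}).get("startLine"))

def compare_results(original, enriched):
    """Check that enrichment dropped or invented nothing, and count modified results."""
    orig = {_result_key(r): r for run in original["runs"] for r in run["results"]}
    enr = {_result_key(r): r for run in enriched["runs"] for r in run["results"]}
    return {"missing": [k for k in orig if k not in enr],
            "added": [k for k in enr if k not in orig],
            "changed": sum(1 for k in orig if k in enr and orig[k] != enr[k])}
```

Run `sarif_problems` on the converted file before the first upload step and `compare_results` on the pair before the second; a non-empty `missing` list means the enriched file should not replace the original in the Security tab.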