Course Outline

1. Concepts and Scope of Static Code Analysis

  • Definitions: static analysis, SAST, rule categories, and severity levels
  • Scope of static analysis in the secure software development lifecycle (SDLC) and in government risk management
  • Integration of SonarQube into security controls and developer workflows

2. SonarQube Overview: Features and Architecture

  • Core services, database components, and scanner functionalities
  • Quality Gates, Quality Profiles, and best practices for implementing Quality Gates
  • Security-related features: identifying vulnerabilities, SAST rules, and Common Weakness Enumeration (CWE) mapping

3. Navigation and Use of the SonarQube Server UI

  • Tour of the server UI: projects, issues, rules, measures, and governance views
  • Interpreting issue pages, ensuring traceability, and providing remediation guidance
  • Options for generating and exporting reports

4. SonarScanner Configuration with Build Tools

  • Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild in government environments
  • Best practices for scanner properties, exclusions, and managing multi-module projects
  • Producing the test results and coverage reports the scanner needs for accurate analysis

5. Integration with Azure DevOps

  • Configuring SonarQube service connections within Azure DevOps for government use
  • Adding SonarQube tasks to Azure Pipelines and enabling pull request (PR) decoration
  • Importing Azure Repos into SonarQube and automating analyses on every push and pull request

6. Project Configuration and Third-Party Analyzers

  • Project-level Quality Profiles and rule selection for Java and Angular applications in government projects
  • Working with third-party analyzers and managing the plugin lifecycle
  • Defining analysis parameters and understanding how they are inherited (global settings, overridden per project, overridden again by parameters passed to the scanner)

7. Roles, Responsibilities, and Secure Development Methodology Review

  • Segregation of roles: developers, reviewers, DevOps engineers, and security owners for government projects
  • Constructing a roles and responsibilities matrix for continuous integration/continuous delivery (CI/CD) processes in government environments
  • Review and recommendation process for an existing secure development methodology to meet government standards

8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features

  • Using the SonarQube Web API to add and manage custom rules for enhanced security in government applications
  • Adjusting Quality Gates and implementing automated policy enforcement for compliance with government regulations
  • Hardening SonarQube server security and applying access control best practices for government use
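
Sections 5 and 8 both cover enforcing the Quality Gate from the pipeline. The script below is an added example (not part of the course materials and not SonarSource's own code) that implements that check against the SonarQube Web API: it reads the report-task.txt that SonarScanner leaves behind, polls api/ce/task until the server has processed the analysis, then queries api/qualitygates/project_status and returns a non-zero exit code listing the failing conditions. The host sonar.example.gov, the project key, the task and analysis ids, and the SONAR_TOKEN variable are assumptions, and the sample responses are constructed; it uses only the Python 3 standard library.

```python
"""Fail a pipeline when the SonarQube Quality Gate is not OK (added example, not course code).
SonarScanner writes report-task.txt (.scannerwork/ for the CLI, target/sonar/ for Maven) and
returns before the server has processed the analysis, so the check first waits for the
Compute Engine task and only then asks for the gate status of the resulting analysis."""
import base64
import json
import os
import sys
import time
import urllib.request
from typing import Callable, Dict, List

Fetcher = Callable[[str], dict]  # GET url -> decoded JSON body

def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines SonarScanner writes to report-task.txt."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskUrl"):
        if required not in props:
            raise ValueError(f"report-task.txt has no {required} entry")
    return props

def make_fetcher(token: str, timeout: int = 30) -> Fetcher:
    """GET JSON from the Web API; a user token is sent as the Basic-auth user name, empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch

def wait_for_task(fetch: Fetcher, ce_task_url: str, attempts: int = 60, delay: float = 5.0) -> str:
    """Poll api/ce/task until the background task ends; return the analysisId it produced."""
    for _ in range(attempts):
        task = fetch(ce_task_url)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task['id']} ended with status {task['status']}")
        time.sleep(delay)  # PENDING or IN_PROGRESS: keep polling
    raise TimeoutError("timed out waiting for the SonarQube analysis task")

def failed_conditions(project_status: dict) -> List[str]:
    """One readable line per gate condition that is not OK (metric, actual value, threshold)."""
    return [
        f"{c['metricKey']}={c.get('actualValue')} fails '{c['metricKey']} {c.get('comparator')} "
        f"{c.get('errorThreshold')}' [{c.get('status')}]"
        for c in project_status.get("conditions", []) if c.get("status") != "OK"
    ]

def enforce_gate(report_text: str, fetch: Fetcher, delay: float = 5.0) -> int:
    """Return 0 if the gate passed, 1 if not (failing conditions go to stderr); use as exit code."""
    props = parse_report_task(report_text)
    analysis_id = wait_for_task(fetch, props["ceTaskUrl"], delay=delay)
    url = f"{props['serverUrl'].rstrip('/')}/api/qualitygates/project_status?analysisId={analysis_id}"
    status = fetch(url)["projectStatus"]
    if status.get("status") == "OK":
        return 0
    for line in failed_conditions(status):
        print(line, file=sys.stderr)
    return 1

# Constructed sample (assumed host, keys and ids, not a real server) so the check runs offline.
SAMPLE_REPORT = """projectKey=gov:citizen-portal
serverUrl=https://sonar.example.gov
ceTaskId=AY0task
ceTaskUrl=https://sonar.example.gov/api/ce/task?id=AY0task
"""

def make_sample_fetch() -> Fetcher:
    """Fake Web API: IN_PROGRESS on the first poll, SUCCESS after that; gate fails on new coverage."""
    polls = [0]

    def fetch(url: str) -> dict:
        if url.endswith("/api/ce/task?id=AY0task"):
            polls[0] += 1
            status = "IN_PROGRESS" if polls[0] == 1 else "SUCCESS"
            return {"task": {"id": "AY0task", "status": status, "analysisId": "AY0analysis"}}
        if url.endswith("/api/qualitygates/project_status?analysisId=AY0analysis"):
            return {"projectStatus": {"status": "ERROR", "conditions": [
                {"status": "OK", "metricKey": "new_reliability_rating", "comparator": "GT",
                 "errorThreshold": "1", "actualValue": "1"},
                {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
                 "errorThreshold": "80", "actualValue": "45.2"}]}}
        raise KeyError(url)
    return fetch

if __name__ == "__main__":  # real use: SONAR_TOKEN=... python gate_check.py target/sonar/report-task.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(enforce_gate(fh.read(), make_fetcher(os.environ["SONAR_TOKEN"])))
    sys.exit(enforce_gate(SAMPLE_REPORT, make_sample_fetch(), delay=0))
```

On a real run the script is invoked after the scanner step with the report path and a user token in SONAR_TOKEN. The scanner's own `sonar.qualitygate.wait=true` property (and the SonarQube Publish task in Azure DevOps) gives the same pass/fail result; a separate step like this one is useful when you want the failing conditions printed in a form reviewers can read, or need to break the build from a stage that does not run the scanner.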

9. Hands-on Lab Sessions (Applied)

  • Lab A: Configure SonarScanner for five Java repositories (using Quarkus where applicable) and analyze results in a government context
  • Lab B: Set up Sonar analysis for one Angular front-end application and interpret findings in a government setting
  • Lab C: Full pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration for government projects

10. Testing, Troubleshooting, and Report Interpretation

  • Strategies for generating test data and measuring code coverage in government applications
  • Common issues and troubleshooting techniques for scanner, pipeline, and permission errors in government environments
  • Guidelines for reading and presenting SonarQube reports to both technical and non-technical stakeholders in government agencies

11. Best Practices and Recommendations

  • Selection of rule sets and strategies for incremental enforcement in government projects
  • Workflow recommendations for developers, reviewers, and build pipelines in government settings
  • Roadmap for scaling SonarQube in enterprise environments within the public sector

Summary and Next Steps

Requirements

  • An understanding of the software development lifecycle for government
  • Experience with source control and foundational CI/CD concepts
  • Familiarity with Java or Angular development environments

Audience

  • Developers (Java / Quarkus / Angular)
  • DevOps and CI/CD engineers
  • Security engineers and application security reviewers

Duration

  • 21 Hours
