SonarQube integration

You can integrate API Security Audit with SonarQube to get audit reports on your OpenAPI files published directly as part of your quality monitoring in SonarQube. Because SonarQube itself is usually triggered from your build server or CI/CD pipeline, this automates checking the quality of the OpenAPI definitions in your project and mitigates potential security issues. Any new files or changes that developers push to the repository are audited continuously.

For more details and to get the plugin, see CI/CD Tools.

How the integration works

Security Audit is integrated through the SonarQube plugin REST API Static Security Testing that adds OpenAPI analysis to your SonarQube analysis. When a SonarQube scanner runs, the plugin checks the quality of the OpenAPI files present in your project.

The plugin works in two phases:

  • Discovery: The plugin scans your project for any .json, .yaml, and .yml files. For each file it finds, it checks whether the file declares itself as an OpenAPI definition.
  • Audit: Security Audit audits the discovered APIs for well-formedness and security. The plugin provides a detailed report on the quality status and the issues found in SonarQube reports.
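
The discovery phase described above, as an added example that is not the plugin's own code: it walks a project tree, looks only at .json, .yaml and .yml files, and keeps those that declare a top-level `openapi` or `swagger` version. The detection rule (a top-level key holding a scalar version) and the sample project files are assumptions made for this example.

```python
import json
import pathlib
import re
import tempfile

# Unindented top-level openapi:/swagger: key in YAML (assumed rule; the plugin's own rule is not documented here)
_YAML_DECL = re.compile(r'^(?:openapi|swagger)\s*:\s*["\']?(\d[\w.\-]*)', re.M)

def declared_api_version(path):
    """Return the OpenAPI/Swagger version a file declares, or None if it is not an API file."""
    path = pathlib.Path(path)
    text = path.read_text(encoding="utf-8")
    if path.suffix == ".json":
        try:
            doc = json.loads(text)
        except ValueError:
            return None  # malformed JSON: skipped, not treated as an API
        if not isinstance(doc, dict):
            return None
        version = doc.get("openapi") or doc.get("swagger")
        # a non-scalar value (e.g. an "openapi" object inside package.json) does not count
        return str(version) if isinstance(version, (str, int, float)) else None
    match = _YAML_DECL.search(text)
    return match.group(1) if match else None

def discover_openapi_files(root):
    """Walk `root` and map each discovered OpenAPI file (POSIX relative path) to its version."""
    root = pathlib.Path(root)
    found = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in (".json", ".yaml", ".yml"):
            version = declared_api_version(path)
            if version is not None:
                found[path.relative_to(root).as_posix()] = version
    return found

def demo():
    """Constructed sample project: two API definitions plus two look-alike files."""
    samples = {
        "api/petstore.yaml": 'openapi: "3.0.3"\ninfo:\n  title: Pets\n  version: "1"\n',
        "api/legacy.json": '{"swagger": "2.0", "info": {"title": "Old"}}',
        "package.json": '{"name": "not-an-api", "openapi": {"nested": true}}',
        ".github/workflows/ci.yml": "name: ci\non: push\njobs: {}\n",
    }
    root = pathlib.Path(tempfile.mkdtemp())
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return discover_openapi_files(root)
```

Running `demo()` reports only the two real definitions; the workflow file and the `package.json` with a nested `openapi` object are ignored, which is the distinction the discovery phase has to make before anything is sent for audit.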

The plugin uses API tokens with specific access rights (scopes) to access 42Crunch Platform.

For more details on how to configure the integration, see Integrate Security Audit with SonarQube.