sonar-cloudformation-plugin

Cloudformation template rules (cfn-nag (https://github.com/stelligent/cfn_nag) and checkov (https://github.com/bridgecrewio/checkov) add support Cloudformation and Terraform.

Project no longer maintained, please feel free to fork !

Runtime

[] [] []

Compatibility

This plugin is compatible:

1.7.3(EOL) versions with SonarQube >= 7.6 and <= 8.9.x. (Defines cloudformation language only supports cfn-nag)
2.1.8(EOL) versions with SonarQube >= 7.9 and <= 8.9.x. (Requires json or/and yaml plugin supports cfn-nag/checkov)
3.x version with SonarQube >= 9.2 (Uses built in support for terraform/cloudformation supports cfn-nag/checkov)

Configuration of Quality profiles

The Cloudformation/Terraform rules can be added as a Quality profile to your sonar instance.

https://github.com/Hack23/sonar-cloudformation-plugin/releases

To install the plugin/profile, login to your sonar instance and download the jar from the releases page into the location below, making sure to remove any previous versions, once the plugin has downloaded, restart your sonar server to activate it.

$SONARQUBE_HOME/extensions/plugins/.

Example of how to do this with a demo docker instance:

docker run -d --name sonarqube -p 9000:9000 sonarqube:latest
docker exec -it sonarqube /bin/bash
cd /opt/sonarqube/extensions/plugins
wget https://search.maven.org/remotecontent?filepath=com/hack23/sonar/sonar-cloudformation-plugin/3.0.10/sonar-cloudformation-plugin-3.0.10.jar --no-check-certificate

Exit the docker instance

docker restart sonarqube

Access your dev sonarqube at http://localhost:9000 and you should be able to see the installed profiles

Howto

Cfn-nag reports

Prepare cfn_nag reports running

cfn_nag --output-format=json src/main/config/template.yml > target/template.yml.nag

and set the property

sonar.cfn.nag.reportFiles=target/template.yml.nag (comma separated if multiple reports)

Or scan directories using cfn_nag_scan running

cfn_nag_scan  --input-path src/main/config/ -o json -> target/cfn-nag-scan.nagscan

and set the property

sonar.cfn.nag.reportFiles=target/cfn-nag-scan.nagscan

Properties supported

sonar.cfn.nag.reportFiles=target/template.yml.nag,target/cfn-nag-scan.nagscan

One or multiple .nag or .nagscan files, note for .nag files the filename should be template filename appended with .nag and for nag_scan any filename with .nagscan suffix.

Custom cfn-nag rules or rules not yet defined

Will be mapped to "Custom cfn-nag failure rule or rule missing integration in this plugin." alt Custom cfn-nag warning rule or rule missing integration in this plugin. Assumes all failures start with uppercase F and all warnings with uppercase W.

Checkov reports

Prepare checkov reports by running, in this example we are scanning a single file 'template.yml'

checkov -f template.yml -o json --output-file-path template.checkov-report

and set the property when scanning with sonar to the checkov output

sonar.checkov.reportFiles=template.checkov-report

Properties supported

sonar.checkov.reportFiles=template.checkov-report

One or multiple checkov report files, note for .checkov-report files the filename should be template filename appended with checkov-report.

Custom checkov rules or rules not yet defined

Will be mapped to "Custom checkov failure rule or rule missing integration in this plugin." alt Custom checkov warning rule or rule missing integration in this plugin.