SonarQube for Secure SDLC and Azure DevOps Training Cursus

1. Concepts and Scope of Static Code Analysis

• Definitions: static analysis, SAST, rule categories and severity
• Scope of static analysis in secure SDLC and risk coverage
• How SonarQube fits into security controls and developer workflows

2. SonarQube Overview: Features and Architecture

• Core services, database, and scanner components
• Quality Gates, Quality Profiles, and Quality Gates best practices
• Security-related features: vulnerabilities, SAST rules, and CWE mapping

3. Navigation and Use of the SonarQube Server UI

• Server UI tour: projects, issues, rules, measures, and governance views
• Interpreting issue pages, traceability, and remediation guidance
• Report generation and export options

4. SonarScanner Configuration with Build Tools

• Setting up SonarScanner for Maven, Gradle, Ant, and MSBuild
• Best practices for scanner properties, exclusions, and multi-module projects
• Generating necessary test data and coverage reports for accurate analysis

5. Integration with Azure DevOps

• Configuring SonarQube service connections in Azure DevOps
• Adding SonarQube tasks to Azure Pipelines and PR decoration
• Importing Azure Repos into SonarQube and automating analyses

6. Project Configuration and Third-Party Analyzers

• Project-level Quality Profiles and rule selection for Java and Angular
• Working with third-party analyzers and plugin lifecycle
• Defining analysis parameters and parameter inheritance

7. Roles, Responsibilities, and Secure Development Methodology Review

• Segregation of roles: developers, reviewers, DevOps, security owners
• Constructing a roles & responsibilities matrix for CI/CD processes
• Review and recommendation process for an existing secure development methodology

8. Advanced: Adding Rules, Tuning, and Enhancing Global Security Features

• Using the SonarQube Web API to add and manage custom rules
• Adjusting Quality Gates and automated policy enforcement
• Hardening SonarQube server security and access control best practices

9. Hands-on Lab Sessions (Applied)

• Lab A: Configure SonarScanner for 5 Java repositories (Quarkus where applicable) and analyze results
• Lab B: Configure Sonar analysis for 1 Angular front-end and interpret findings
• Lab C: Full pipeline lab—integrate SonarQube with an Azure DevOps pipeline and enable PR decoration

10. Testing, Troubleshooting, and Report Interpretation

• Strategies for test data generation and coverage measurement
• Common issues and troubleshooting scanner, pipeline, and permission errors
• How to read and present SonarQube reports to technical and non-technical stakeholders

11. Best Practices and Recommendations

• Rule set selection and incremental enforcement strategies
• Workflow recommendations for developers, reviewers, and build pipelines
• Roadmap for scaling SonarQube in enterprise environments

Summary and Next Steps