
SonarQube Analysis Identity Access Management

2025-06-13 · อ. บอม · SiamCafe.net · 9,499 words

SonarQube IAM Analysis


Check                 | IAM Category     | Severity | Example
----------------------|------------------|----------|-----------------------------------
Hardcoded Credentials | Authentication   | Critical | password = "admin123" in code
Weak Hashing          | Authentication   | Critical | MD5/SHA-1 for password storage
Missing Auth Check    | Authorization    | Critical | Endpoint without @Authorize
SQL Injection         | Input Validation | Critical | String concatenation in SQL query
Insecure Cookie       | Session          | High     | Missing HttpOnly / Secure flags
JWT None Algorithm    | Token            | Critical | Accepting alg: none in JWT

SonarQube Setup

# === SonarQube for IAM Projects ===

# Docker Setup (the image defaults to an embedded H2 database, which is fine
# for evaluation; point it at PostgreSQL for anything a team shares)
# docker run -d --name sonarqube \
#   -p 9000:9000 \
#   -v sonarqube_data:/opt/sonarqube/data \
#   -v sonarqube_logs:/opt/sonarqube/logs \
#   -v sonarqube_extensions:/opt/sonarqube/extensions \
#   sonarqube:community
#
# sonar-project.properties
# sonar.projectKey=iam-service
# sonar.projectName=IAM Service
# sonar.sources=src
# sonar.tests=tests
# sonar.java.binaries=target/classes
# sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
# sonar.qualitygate.wait=true
# (sonar.language is deprecated: SonarQube detects the language of every file,
#  so a mixed Java/JS/SQL IAM repository is analysed without it.)
#
# Run Scanner. sqp_xxxxx is a placeholder: hand the token in from a CI secret
# or the SONAR_TOKEN environment variable and never commit it. sonar.token
# replaced sonar.login in SonarScanner CLI 5 / SonarQube 10.
# sonar-scanner \
#   -Dsonar.host.url=http://localhost:9000 \
#   -Dsonar.token=sqp_xxxxx

from dataclasses import dataclass

@dataclass
class SecurityRule:
    rule_id: str
    category: str
    description: str
    severity: str
    fix: str

# Rule keys are SonarSource RSPEC ids (the language prefix, e.g. java:, is omitted).
rules = [
    SecurityRule("S2068",
        "Authentication",
        "Hardcoded credentials: password or API key in source code",
        "Blocker",
        "Load it from an environment variable or a secret manager"),
    SecurityRule("S4790",
        "Authentication",
        "Weak hashing: MD5 or SHA-1 used for passwords",
        "Critical",
        "Use bcrypt, scrypt or Argon2id"),
    # S3330 covers the HttpOnly flag; the Secure flag is checked by S2092.
    SecurityRule("S3330",
        "Session",
        "Insecure cookie: HttpOnly / Secure flag missing",
        "Major",
        "Set HttpOnly=true, Secure=true, SameSite=Strict"),
    # S3649 is the SQL injection rule (S5131 is reflected XSS).
    SecurityRule("S3649",
        "Input Validation",
        "SQL injection: string concatenation in a query",
        "Blocker",
        "Use parameterized queries / prepared statements"),
    SecurityRule("S5659",
        "Token",
        "JWT: signature not verified, or alg:none accepted",
        "Blocker",
        "Verify the signature on every token and reject alg:none"),
    SecurityRule("S4502",
        "Authorization",
        "CSRF protection missing on state-changing endpoints",
        "Critical",
        "Require a CSRF token on every POST, PUT and DELETE"),
]

print("=== IAM Security Rules ===")
for r in rules:
    print(f"  [{r.rule_id}] {r.category} | Severity: {r.severity}")
    print(f"    Desc: {r.description}")
    print(f"    Fix: {r.fix}")
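To make the rules above concrete, here is an added example (not code from the original post or from SonarSource): a stdlib-only checker that mirrors three of them over Python source, S2068 (hard-coded credentials), S4790 (MD5/SHA-1 for passwords) and S5659 (JWT decoded without signature verification or with alg "none"). It shows the patterns those rules match, not SonarQube's implementation; the vulnerable and hardened snippets it scans are constructed for the demo, and the names SECRET_NAME, scan_source and Finding are this example's own.

```python
"""Mini IAM checker: three SonarQube rules (S2068, S4790, S5659) over Python source.
Added example, not SonarQube's own code; sample inputs are constructed."""
import ast
import re
from dataclasses import dataclass

SECRET_NAME = re.compile(r"passw(or)?d|secret|api_?key|token", re.IGNORECASE)
WEAK_HASHES = {"md5", "sha1"}


@dataclass
class Finding:
    rule_id: str
    line: int
    message: str


def _call_name(call: ast.Call) -> str:
    """Dotted name of the called object, e.g. 'hashlib.md5' or 'jwt.decode'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def scan_source(source: str) -> list[Finding]:
    """Return findings sorted by line; empty list means none of the three patterns matched."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # S2068: a non-empty string literal assigned to a credential-looking name
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(Finding("S2068", node.lineno,
                                            f"hard-coded credential assigned to {target.id}"))
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        # S4790: hashlib.md5()/sha1() directly, or hashlib.new("md5"/"sha1")
        weak_direct = name in {f"hashlib.{h}" for h in WEAK_HASHES}
        weak_by_name = (name == "hashlib.new" and node.args
                        and isinstance(node.args[0], ast.Constant)
                        and str(node.args[0].value).lower() in WEAK_HASHES)
        if weak_direct or weak_by_name:
            findings.append(Finding("S4790", node.lineno, f"{name} is too weak for password storage"))
        # S5659: jwt.decode() that skips verification or accepts the "none" algorithm
        if name == "jwt.decode":
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append(Finding("S5659", node.lineno, "JWT decoded with verify=False"))
                elif kw.arg == "options" and isinstance(kw.value, ast.Dict):
                    for k, v in zip(kw.value.keys, kw.value.values):
                        if isinstance(k, ast.Constant) and k.value == "verify_signature" and _is_false(v):
                            findings.append(Finding("S5659", node.lineno, "JWT decoded with verify_signature=False"))
                elif kw.arg == "algorithms" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    if any(isinstance(e, ast.Constant) and str(e.value).lower() == "none" for e in kw.value.elts):
                        findings.append(Finding("S5659", node.lineno, 'JWT alg "none" accepted'))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: code the rules above flag (one finding per marked line).
VULNERABLE = """\
import hashlib
import jwt

DB_PASSWORD = "admin123"                                    # S2068

def store(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()             # S4790

def read_token(tok: str, key: str):
    return jwt.decode(tok, key, algorithms=["HS256", "none"])  # S5659

def read_token_unverified(tok: str):
    return jwt.decode(tok, options={"verify_signature": False})  # S5659
"""

# Constructed sample: the same code after applying the fixes from the rules list.
HARDENED = """\
import hashlib
import os
import jwt

DB_PASSWORD = os.environ["DB_PASSWORD"]      # env var / secret manager, not a literal

def store(pw: str, salt: bytes) -> bytes:
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)

def read_token(tok: str, key: str):
    return jwt.decode(tok, key, algorithms=["HS256"])   # verified, "none" not allowed
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = scan_source(src)
        print(f"--- {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line} [{f.rule_id}] {f.message}")
```

Run it and the vulnerable snippet yields four findings on lines 4, 7, 10 and 13, the hardened one none. A real engine does taint and data-flow analysis on top of this kind of pattern match (for example, following a literal through a variable into a call), which is why the checker above is a teaching aid and not a replacement for the SonarQube rules.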

Quality Gate

# === IAM Quality Gate Configuration ===

# SonarQube Web API (parameters are sent form-encoded; authenticate with a
# token as the Basic-auth username and an empty password)
# Create the gate:
# POST /api/qualitygates/create
# { "name": "IAM Strict Gate" }
#
# Add conditions. gateName replaced gateId (deprecated since SonarQube 8.4);
# op is LT or GT and "error" is the threshold at which the condition fails:
# POST /api/qualitygates/create_condition
# { "gateName": "IAM Strict Gate", "metric": "new_coverage", "op": "LT", "error": "90" }
# { "gateName": "IAM Strict Gate", "metric": "new_duplicated_lines_density", "op": "GT", "error": "1" }
# { "gateName": "IAM Strict Gate", "metric": "new_bugs", "op": "GT", "error": "0" }
# { "gateName": "IAM Strict Gate", "metric": "new_vulnerabilities", "op": "GT", "error": "0" }
# { "gateName": "IAM Strict Gate", "metric": "new_security_hotspots_reviewed", "op": "LT", "error": "100" }
# { "gateName": "IAM Strict Gate", "metric": "new_security_rating", "op": "GT", "error": "1" }   # 1 = A
#
# Attach the gate to the project (otherwise "Sonar way" stays in effect):
# POST /api/qualitygates/select
# { "projectKey": "iam-service", "gateName": "IAM Strict Gate" }

@dataclass
class QualityCondition:
    metric: str
    operator: str
    threshold: str
    rationale: str

conditions = [
    QualityCondition("New Code Coverage",
        "≥ 90%",
        "90% (stricter than the 80% default)",
        "IAM tests must cover every path of the auth flows"),
    QualityCondition("New Code Duplications",
        "≤ 1%",
        "1% (stricter than the 3% default)",
        "IAM code must stay DRY; copy-paste breeds bugs"),
    QualityCondition("New Bugs",
        "= 0",
        "0 (any severity)",
        "IAM tolerates no bugs, not even Minor ones"),
    QualityCondition("New Vulnerabilities",
        "= 0",
        "0 (any severity)",
        "IAM must always have zero vulnerabilities"),
    QualityCondition("Security Hotspots Reviewed",
        "= 100%",
        "100% (every hotspot reviewed)",
        "Every security hotspot in IAM code must be reviewed"),
    QualityCondition("Security Rating",
        "= A",
        "A (no vulnerabilities)",
        "IAM must always hold security rating A"),
]

print("=== IAM Quality Gate ===")
for c in conditions:
    print(f"  [{c.metric}] {c.operator}")
    print(f"    Threshold: {c.threshold}")
    print(f"    Rationale: {c.rationale}")
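The gate above as working code, added here as an example (not from the original post or from SonarSource): the six conditions as data, the form bodies that create them through the web API, and a local evaluation of project measures against them. The evaluation follows the condition semantics SonarQube documents (op LT fails when the value is below "error", op GT when it is above); the two measures dicts are constructed for the demo in the shape of the metric/value pairs /api/measures/component returns for the new-code period, and the helper names (Condition, evaluate_gate, GateResult) are this example's own.

```python
"""'IAM Strict Gate' as data plus a local evaluation of measures against it.
Added example, not SonarQube's own code; measures below are constructed."""
from dataclasses import dataclass, field

GATE_NAME = "IAM Strict Gate"


@dataclass(frozen=True)
class Condition:
    metric: str
    op: str     # "LT": fail when value < error; "GT": fail when value > error
    error: str  # threshold, kept as a string because the API stores it that way


IAM_STRICT_GATE = [
    Condition("new_coverage", "LT", "90"),
    Condition("new_duplicated_lines_density", "GT", "1"),
    Condition("new_bugs", "GT", "0"),
    Condition("new_vulnerabilities", "GT", "0"),
    Condition("new_security_hotspots_reviewed", "LT", "100"),
    Condition("new_security_rating", "GT", "1"),   # ratings are numeric: 1 = A ... 5 = E
]


def create_gate_payload(gate_name: str) -> dict:
    """Form body for POST /api/qualitygates/create."""
    return {"name": gate_name}


def create_condition_payloads(gate_name: str, conditions: list[Condition]) -> list[dict]:
    """Form bodies for POST /api/qualitygates/create_condition, one per condition.
    gateName replaced the gateId parameter, which is deprecated since SonarQube 8.4."""
    return [{"gateName": gate_name, "metric": c.metric, "op": c.op, "error": c.error}
            for c in conditions]


@dataclass
class ConditionFailure:
    metric: str
    op: str
    threshold: float
    actual: float


@dataclass
class GateResult:
    status: str                                        # "OK" or "ERROR", as project_status reports
    failed: list[ConditionFailure] = field(default_factory=list)
    skipped: list[str] = field(default_factory=list)   # conditions that had no measure


def evaluate_gate(conditions: list[Condition], measures: dict[str, str]) -> GateResult:
    """Apply each condition to the measures. A metric with no value is skipped rather
    than failed, mirroring SonarQube, which does not fail a new-code condition when a
    branch has no new code to measure."""
    result = GateResult(status="OK")
    for c in conditions:
        if c.metric not in measures:
            result.skipped.append(c.metric)
            continue
        actual, threshold = float(measures[c.metric]), float(c.error)
        fails = (c.op == "LT" and actual < threshold) or (c.op == "GT" and actual > threshold)
        if fails:
            result.failed.append(ConditionFailure(c.metric, c.op, threshold, actual))
    if result.failed:
        result.status = "ERROR"
    return result


# Constructed samples: one PR the strict gate must block, one that passes.
FAILING_MEASURES = {
    "new_coverage": "87.5",                      # below 90
    "new_duplicated_lines_density": "0.4",
    "new_bugs": "0",
    "new_vulnerabilities": "1",                  # one new vulnerability
    "new_security_hotspots_reviewed": "100.0",
    "new_security_rating": "4",                  # D, driven by that vulnerability
}
PASSING_MEASURES = {
    "new_coverage": "93.2",
    "new_duplicated_lines_density": "0.0",
    "new_bugs": "0",
    "new_vulnerabilities": "0",
    "new_security_hotspots_reviewed": "100.0",
    "new_security_rating": "1",
}

if __name__ == "__main__":
    print("POST /api/qualitygates/create", create_gate_payload(GATE_NAME))
    for body in create_condition_payloads(GATE_NAME, IAM_STRICT_GATE):
        print("POST /api/qualitygates/create_condition", body)
    for label, m in (("failing PR", FAILING_MEASURES), ("passing PR", PASSING_MEASURES)):
        r = evaluate_gate(IAM_STRICT_GATE, m)
        print(f"{label}: {r.status}")
        for f in r.failed:
            print(f"  {f.metric} = {f.actual:g} (fails when {f.op} {f.threshold:g})")
```

The failing sample trips three conditions (coverage 87.5 < 90, one new vulnerability, security rating D), which is what you want a strict IAM gate to report: a single unfixed vulnerability drags the rating down with it, so the gate fails twice for the same root cause and the PR comment makes that obvious.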

CI/CD Pipeline

# === IAM Security Pipeline ===

# GitHub Actions Example (secrets are read with ${{ secrets.NAME }}; the
# literal values never appear in the workflow file)
# name: IAM Security Pipeline
# on: [push, pull_request]
# jobs:
#   security-scan:
#     runs-on: ubuntu-latest
#     steps:
#     - uses: actions/checkout@v4
#       with:
#         fetch-depth: 0          # full history, so SonarQube can tell new code from old
#     - name: Unit Tests + Coverage
#       run: mvn test jacoco:report
#     - name: SonarQube Scan
#       uses: SonarSource/sonarqube-scan-action@v2
#       env:
#         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
#         SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
#     - name: Quality Gate Check   # fails the job when the gate is ERROR
#       uses: SonarSource/sonarqube-quality-gate-action@v1
#       env:
#         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
#     - name: Dependency Check (Snyk)
#       uses: snyk/actions/maven@master   # pin to a release tag or commit SHA in production
#       env:
#         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
#       with:
#         args: --severity-threshold=high   # matches "No Critical/High CVE" below
#     - name: SAST (Semgrep)
#       uses: returntocorp/semgrep-action@v1
#       with:
#         config: p/owasp-top-ten

@dataclass
class PipelineStage:
    stage: str
    tool: str
    check: str
    fail_action: str

stages = [
    PipelineStage("Unit Test + Coverage",
        "JUnit + JaCoCo / Jest + Istanbul",
        "Coverage ≥ 90% All tests pass",
        "Block PR + Notify Developer"),
    PipelineStage("SonarQube SAST",
        "SonarQube Scanner",
        "Quality Gate Pass (0 Bug 0 Vuln)",
        "Block PR + PR Comment with Issues"),
    PipelineStage("Dependency Check",
        "Snyk / Dependabot / OWASP DC",
        "No Critical/High CVE in Dependencies",
        "Block PR + Create Security Ticket"),
    PipelineStage("Custom SAST",
        "Semgrep / CodeQL",
        "IAM-specific Rules Pass",
        "Block PR + Notify Security Team"),
    PipelineStage("DAST (Staging)",
        "Burp Suite / OWASP ZAP",
        "No Critical/High Findings",
        "Block Release + Security Review"),
    PipelineStage("Security Review",
        "Manual Code Review",
        "Security Team Approval",
        "Block Release until Approved"),
]

print("=== IAM Security Pipeline ===")
for s in stages:
    print(f"  [{s.stage}] Tool: {s.tool}")
    print(f"    Check: {s.check}")
    print(f"    Fail: {s.fail_action}")
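What the "Quality Gate Check" and "Block PR + PR Comment with Issues" steps actually do, as an added example (not from the original post or from SonarSource's actions): parse the JSON SonarQube returns from /api/qualitygates/project_status and /api/issues/search, render the PR comment and return the exit code the job should end with. Both JSON documents are constructed samples in the shape of those endpoints' responses, no server is contacted, and the function names (render_pr_comment, gate_exit_code, load_samples) are this example's own.

```python
"""CI gate step: turn SonarQube's project_status and issues JSON into a PR comment
and an exit code. Added example; the JSON below is constructed sample data."""
import json

# Constructed sample: /api/qualitygates/project_status?projectKey=iam-service for a failing PR.
PROJECT_STATUS_JSON = """{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      {"status": "OK",    "metricKey": "new_coverage", "comparator": "LT",
       "errorThreshold": "90", "actualValue": "93.2"},
      {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
       "errorThreshold": "0", "actualValue": "1"},
      {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
       "errorThreshold": "1", "actualValue": "4"},
      {"status": "OK",    "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
       "errorThreshold": "100", "actualValue": "100.0"}
    ]
  }
}"""

# Constructed sample: /api/issues/search?componentKeys=iam-service&types=VULNERABILITY&resolved=false
# "component" is "<projectKey>:<path>", as SonarQube reports it.
ISSUES_JSON = """{
  "total": 1,
  "issues": [
    {"key": "AYx1", "rule": "java:S5659", "severity": "CRITICAL", "type": "VULNERABILITY",
     "component": "iam-service:src/main/java/auth/JwtVerifier.java", "line": 42,
     "message": "The JWT signature should be verified."}
  ]
}"""


def load_samples() -> tuple[dict, dict]:
    """Parse the two constructed responses (in CI these come from HTTP GETs)."""
    return json.loads(PROJECT_STATUS_JSON), json.loads(ISSUES_JSON)


def gate_passed(project_status: dict) -> bool:
    return project_status["projectStatus"]["status"] == "OK"


def failed_conditions(project_status: dict) -> list[dict]:
    return [c for c in project_status["projectStatus"]["conditions"] if c["status"] == "ERROR"]


def render_pr_comment(project_status: dict, issues: dict) -> str:
    """Markdown for the PR: gate verdict, the conditions that failed, and each open
    vulnerability with rule, file and line so the developer can jump straight to it."""
    status = project_status["projectStatus"]["status"]
    lines = [f"### SonarQube Quality Gate: {status}"]
    for c in failed_conditions(project_status):
        lines.append(f"- `{c['metricKey']}` is {c['actualValue']} "
                     f"(fails when {c['comparator']} {c['errorThreshold']})")
    if issues["issues"]:
        lines += ["", "Open vulnerabilities in new code:"]
        for i in issues["issues"]:
            path = i["component"].split(":", 1)[1]   # drop the project-key prefix
            lines.append(f"- [{i['severity']}] {i['rule']} at {path}:{i['line']}: {i['message']}")
    return "\n".join(lines)


def gate_exit_code(project_status: dict) -> int:
    """0 lets the PR proceed; 1 blocks it, the fail_action in the stages table."""
    return 0 if gate_passed(project_status) else 1


if __name__ == "__main__":
    status, issues = load_samples()
    print(render_pr_comment(status, issues))
    raise SystemExit(gate_exit_code(status))
```

Run as a script it prints the comment and exits 1, which is exactly the behaviour a blocking pipeline step needs; sonarqube-quality-gate-action does the same after polling for the analysis task to finish, and sonar.qualitygate.wait=true in sonar-project.properties makes the scanner itself wait and fail instead.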

Tips

What is SonarQube?

SonarQube is an open-source code quality and security platform. Its static analysis (SAST) reports bugs, vulnerabilities, security hotspots, code smells and test coverage, and a quality gate turns those metrics into a pass/fail decision. It supports 30+ languages and ships in Community, Developer and Enterprise editions.

How do you scan IAM code for security?

Map the IAM checks to scanner rules: hardcoded credentials, weak password hashing, insecure cookies, SQL injection, JWT signature verification, CSRF, IDOR and missing authorization checks. Requirements that are specific to your product, such as RBAC enforcement, MFA and rate limiting, need custom rules because no generic rule set knows your policy.

How do you configure the Quality Gate?

Create a strict gate for IAM: coverage on new code >= 90%, duplications <= 1%, 0 new bugs, 0 new vulnerabilities, 100% of security hotspots reviewed and security rating A. Apply it per branch according to your branch strategy, and add custom metrics where the built-in ones do not express the requirement.

How do you integrate with CI/CD?

Run the scanner from the CI system (GitHub Actions, GitLab CI or Jenkins), add Snyk for dependency CVEs, Semgrep or CodeQL for custom SAST and Burp Suite or OWASP ZAP for DAST on staging, and let a failed quality gate block the PR. A manual security review is the final stage before release.

Summary

SonarQube gives IAM code a SAST baseline (bugs, vulnerabilities, coverage) enforced by a strict quality gate in the CI/CD pipeline. Snyk, Semgrep and DAST cover what SonarQube does not, so authentication and authorization code reaches production only when every stage of the pipeline passes.
