
SonarQube Analysis for Identity Access Management (SonarQube IAM Analysis)

| Check | IAM Category | Severity | Example |
|---|---|---|---|
| Hardcoded Credentials | Authentication | Critical | password = "admin123" in code |
| Weak Hashing | Authentication | Critical | MD5/SHA1 for password storage |
| Missing Auth Check | Authorization | Critical | Endpoint without an authorization check (e.g. no @PreAuthorize on a Spring handler) |
| SQL Injection | Input Validation | Critical | String concatenation in a SQL query |
| Insecure Cookie | Session | High | Missing HttpOnly / Secure flags |
| JWT None Algorithm | Token | Critical | Accepting alg: none in a JWT |
SonarQube Setup
# === SonarQube for IAM Projects ===
# Docker Setup (evaluation only: the image starts with an embedded H2 database,
# which is not supported for production; point it at PostgreSQL for real use
# and change the default admin password on first login)
# docker run -d --name sonarqube \
#   -p 9000:9000 \
#   -v sonarqube_data:/opt/sonarqube/data \
#   -v sonarqube_logs:/opt/sonarqube/logs \
#   sonarqube:community
#
# sonar-project.properties
# sonar.projectKey=iam-service
# sonar.projectName=IAM Service
# sonar.sources=src
# sonar.tests=tests
# (sonar.language is deprecated and ignored by current versions; languages are
#  detected per file, so no language property is set)
# sonar.java.binaries=target/classes
# sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
# sonar.qualitygate.wait=true   # scanner blocks until the gate verdict and fails on ERROR
#
# Run Scanner
# sonar-scanner \
#   -Dsonar.host.url=http://localhost:9000 \
#   -Dsonar.token=sqp_xxxxx
# sonar.token needs SonarQube 10.0+; older servers take the token via sonar.login.
# Inject the token from CI secrets or an environment variable, never commit it.
from dataclasses import dataclass


@dataclass
class SecurityRule:
    rule_id: str      # SonarQube rule key (Java analyzer)
    category: str     # IAM category from the table above
    description: str
    severity: str
    fix: str


# S4790, S3330 and S4502 are raised as Security Hotspots, not Vulnerabilities,
# so they reach the gate only through the "Security Hotspots Reviewed"
# condition, never through the "New Vulnerabilities" count.
rules = [
    SecurityRule("S2068",
                 "Authentication",
                 "Hardcoded credentials: password or API key in source code",
                 "Blocker",
                 "Use an environment variable or a secret manager"),
    SecurityRule("S4790",
                 "Authentication",
                 "Weak hashing: MD5 or SHA-1 for passwords",
                 "Critical",
                 "Use bcrypt, scrypt or Argon2id"),
    SecurityRule("S3330",
                 "Session",
                 "Insecure cookie: missing HttpOnly / Secure flag",
                 "Major",
                 "Set HttpOnly=true, Secure=true, SameSite=Strict"),
    SecurityRule("S3649",   # "Database queries should not be vulnerable to injection attacks"
                 "Input Validation",
                 "SQL injection: string concatenation in a query",
                 "Blocker",
                 "Use parameterized queries / prepared statements"),
    SecurityRule("S5659",
                 "Token",
                 "JWT: signature not verified or alg:none accepted",
                 "Blocker",
                 "Always verify the signature; reject alg:none"),
    SecurityRule("S4502",
                 "Authorization",
                 "Missing CSRF protection on state-changing endpoints",
                 "Critical",
                 "Require a CSRF token on every POST, PUT and DELETE"),
]

print("=== IAM Security Rules ===")
for r in rules:
    print(f" [{r.rule_id}] {r.category} | Severity: {r.severity}")
    print(f"   Desc: {r.description}")
    print(f"   Fix: {r.fix}")
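The "JWT None Algorithm" row in the table and the S5659 entry above name the bug; the block below shows it in running code. This is an added example, not the page's own code and not SonarQube's: a verifier that trusts the alg header (and so accepts an unsigned alg:none token) is placed beside a hardened one that pins the algorithm server-side, compares the HMAC in constant time and enforces exp before returning any claim. Only the Python standard library is used; the key, the claims and the helper names (sign_hs256, forge_none_token, verify_insecure, verify_hardened, demo) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example: minimal HS256 JWT handling with the standard library.
# Key material, claims and helper names are constructed for the demo.
ALLOWED_ALGS = {"HS256"}   # pin to what the IAM service actually issues


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: compact JWT signed with HMAC-SHA256."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    signing_input = header + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_none_token(claims: dict) -> str:
    """Attacker side: unsigned token, alg:none, empty signature segment."""
    header = _json_segment({"alg": "none", "typ": "JWT"})
    return header + "." + _json_segment(claims) + "."


def _hs256_matches(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))   # constant-time compare


def verify_insecure(token: str, key: bytes) -> dict:
    """VULNERABLE (what S5659 flags): the alg header is trusted, so a token
    declaring alg:none is accepted without any signature at all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    if not _hs256_matches(header_b64, payload_b64, sig_b64, key):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Hardened: algorithm pinned server-side (rejects none, None and any
    algorithm confusion), signature checked before claims are used, exp enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not _hs256_matches(header_b64, payload_b64, sig_b64, key):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims


def demo() -> dict:
    """Run a forged alg:none token and a valid token through both verifiers."""
    key = b"demo-secret-do-not-use"   # constructed for the example
    forged = forge_none_token({"sub": "attacker", "role": "admin", "exp": 9999999999})
    valid = sign_hs256({"sub": "alice", "role": "user", "exp": 9999999999}, key)
    out = {}
    try:
        out["insecure_accepts_none"] = verify_insecure(forged, key)["role"] == "admin"
    except ValueError:
        out["insecure_accepts_none"] = False
    try:
        verify_hardened(forged, key)
        out["hardened_rejects_none"] = False
    except ValueError:
        out["hardened_rejects_none"] = True
    out["hardened_accepts_valid"] = verify_hardened(valid, key, now=1_700_000_000)["sub"] == "alice"
    return out


if __name__ == "__main__":
    print(demo())
```

The point to carry over to a real IAM service is that the allowed algorithm set comes from server configuration, never from the token, and that a JWT library should be called with that set pinned (for example an explicit algorithms list) rather than with defaults.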
Quality Gate

# === IAM Quality Gate Configuration ===
# SonarQube Web API: create a custom Quality Gate. Parameters are sent
# form-encoded (shown here as JSON for readability) and the caller needs
# the "Administer Quality Gates" permission.
# POST /api/qualitygates/create
# { "name": "IAM Strict Gate" }
#
# Add Conditions (since 8.4 the gate is addressed by gateName; the older
# gateId form is deprecated, and the id is whatever create returned, not
# necessarily 1):
# POST /api/qualitygates/create_condition
# { "gateName": "IAM Strict Gate", "metric": "new_coverage", "op": "LT", "error": "90" }
# { "gateName": "IAM Strict Gate", "metric": "new_duplicated_lines_density", "op": "GT", "error": "1" }
# { "gateName": "IAM Strict Gate", "metric": "new_bugs", "op": "GT", "error": "0" }
# { "gateName": "IAM Strict Gate", "metric": "new_vulnerabilities", "op": "GT", "error": "0" }
# { "gateName": "IAM Strict Gate", "metric": "new_security_hotspots_reviewed", "op": "LT", "error": "100" }
# { "gateName": "IAM Strict Gate", "metric": "new_security_rating", "op": "GT", "error": "1" }   # rating 1 == A
#
# Then assign it, otherwise the project keeps using the default gate:
# POST /api/qualitygates/select
# { "gateName": "IAM Strict Gate", "projectKey": "iam-service" }
from dataclasses import dataclass


@dataclass
class QualityCondition:
    metric: str      # condition name as shown in the SonarQube UI
    operator: str    # pass condition on new code
    threshold: str   # value chosen for IAM, compared with the Sonar way default
    rationale: str


conditions = [
    QualityCondition("New Code Coverage",
                     "≥ 90%",
                     "90% (stricter than the default 80%)",
                     "IAM code must have tests covering every path of the auth flow"),
    QualityCondition("New Code Duplications",
                     "≤ 1%",
                     "1% (stricter than the default 3%)",
                     "IAM code must stay DRY; copy-pasted auth logic breeds bugs"),
    QualityCondition("New Bugs",
                     "= 0",
                     "0 (any severity)",
                     "IAM tolerates no bugs, not even Minor ones"),
    QualityCondition("New Vulnerabilities",
                     "= 0",
                     "0 (any severity)",
                     "IAM must always have zero vulnerabilities"),
    QualityCondition("Security Hotspots Reviewed",
                     "= 100%",
                     "100% (every hotspot must be reviewed)",
                     "Every Security Hotspot in IAM code must be reviewed"),
    QualityCondition("Security Rating",
                     "= A",
                     "A (no vulnerabilities)",
                     "IAM must always hold Security Rating A"),
]

print("=== IAM Quality Gate ===")
for c in conditions:
    print(f" [{c.metric}] {c.operator}")
    print(f"   Threshold: {c.threshold}")
    print(f"   Rationale: {c.rationale}")
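The gate above is described twice, once as API calls and once as a table of rationales. The following added example (this page's own code is the listing above; this block is not it, nor SonarSource's) encodes the same six conditions as data, evaluates a new-code measure snapshot against them with SonarQube's semantics (a condition is in ERROR when "actual op error" holds, and security rating 1 means A), and emits the Web API requests that would create the gate. Helper names (GateCondition, IAM_STRICT_GATE, evaluate_gate, create_gate_requests, apply_gate) and the measure snapshot are this example's own; the metric keys and operators are SonarQube's.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example: the IAM Strict Gate as data, plus a local evaluator and the
# request sequence that creates it. Names and sample measures are constructed.


@dataclass(frozen=True)
class GateCondition:
    metric: str   # SonarQube metric key, e.g. new_coverage
    op: str       # "LT": fail when actual < error; "GT": fail when actual > error
    error: int    # error threshold


IAM_STRICT_GATE: List[GateCondition] = [
    GateCondition("new_coverage", "LT", 90),
    GateCondition("new_duplicated_lines_density", "GT", 1),
    GateCondition("new_bugs", "GT", 0),
    GateCondition("new_vulnerabilities", "GT", 0),
    GateCondition("new_security_hotspots_reviewed", "LT", 100),
    GateCondition("new_security_rating", "GT", 1),   # 1 == A ... 5 == E
]


def condition_fails(cond: GateCondition, actual: float) -> bool:
    """SonarQube semantics: the condition is in ERROR when the comparison holds."""
    if cond.op == "LT":
        return actual < cond.error
    if cond.op == "GT":
        return actual > cond.error
    raise ValueError(f"unsupported operator {cond.op}")


def evaluate_gate(gate: List[GateCondition], measures: Dict[str, float]) -> Tuple[str, List[str]]:
    """Return ("OK" | "ERROR", descriptions of failed conditions). A metric
    with no measure counts as a failure: an IAM gate must not pass on absent data."""
    failures = []
    for cond in gate:
        if cond.metric not in measures:
            failures.append(f"{cond.metric}: no measure")
        elif condition_fails(cond, measures[cond.metric]):
            failures.append(f"{cond.metric}: {measures[cond.metric]} {cond.op} {cond.error}")
    return ("ERROR" if failures else "OK"), failures


def create_gate_requests(gate_name: str, gate: List[GateCondition]) -> List[Tuple[str, Dict[str, str]]]:
    """(endpoint, form params) in creation order. The Web API takes form-encoded
    parameters; create_condition addresses the gate by gateName (8.4+)."""
    reqs = [("api/qualitygates/create", {"name": gate_name})]
    for cond in gate:
        reqs.append(("api/qualitygates/create_condition",
                     {"gateName": gate_name, "metric": cond.metric,
                      "op": cond.op, "error": str(cond.error)}))
    return reqs


def apply_gate(post: Callable[[str, Dict[str, str]], object], base_url: str,
               gate_name: str, gate: List[GateCondition]) -> int:
    """Send the requests through a caller-supplied POST function (for real use,
    one that puts the token in HTTP basic auth as the username with an empty
    password). Returns the number of requests sent."""
    count = 0
    for endpoint, params in create_gate_requests(gate_name, gate):
        post(f"{base_url.rstrip('/')}/{endpoint}", params)
        count += 1
    return count


if __name__ == "__main__":
    # Constructed snapshot of one pull request's new-code measures
    snapshot = {"new_coverage": 85.0, "new_duplicated_lines_density": 0.2,
                "new_bugs": 0, "new_vulnerabilities": 1,
                "new_security_hotspots_reviewed": 100, "new_security_rating": 4}
    print(evaluate_gate(IAM_STRICT_GATE, snapshot))
    apply_gate(lambda url, params: print("POST", url, params),
               "http://localhost:9000", "IAM Strict Gate", IAM_STRICT_GATE)
```

Keeping the gate as data next to the evaluator is what makes a "stricter than default" claim checkable in a unit test: a change that loosens a threshold shows up as a diff in IAM_STRICT_GATE and as a failing assertion, not as a silent change in the server UI.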
CI/CD Pipeline
# === IAM Security Pipeline ===
# GitHub Actions Example. Secrets are referenced with the ${{ secrets.NAME }}
# expression; pin third-party actions to a release tag or commit SHA rather
# than a moving branch such as @master.
# name: IAM Security Pipeline
# on: [push, pull_request]
# jobs:
#   security-scan:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           fetch-depth: 0   # full history so SonarQube can identify new code
#       - name: Unit Tests + Coverage
#         run: mvn test jacoco:report
#       - name: SonarQube Scan
#         uses: SonarSource/sonarqube-scan-action@v2
#         env:
#           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
#           SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
#       - name: Quality Gate Check
#         # redundant when sonar.qualitygate.wait=true is set in
#         # sonar-project.properties (the scan step already fails on ERROR)
#         uses: SonarSource/sonarqube-quality-gate-action@v1
#         env:
#           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
#       - name: Dependency Check (Snyk)
#         uses: snyk/actions/maven@master
#         env:
#           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
#       - name: SAST (Semgrep)
#         uses: returntocorp/semgrep-action@v1
#         with:
#           config: p/owasp-top-ten
from dataclasses import dataclass


@dataclass
class PipelineStage:
    stage: str
    tool: str
    check: str         # condition that must hold for the stage to pass
    fail_action: str   # what the pipeline does when it does not


stages = [
    PipelineStage("Unit Test + Coverage",
                  "JUnit + JaCoCo / Jest + Istanbul",
                  "Coverage ≥ 90%; all tests pass",
                  "Block PR + notify developer"),
    PipelineStage("SonarQube SAST",
                  "SonarQube Scanner",
                  "Quality Gate passes (0 bugs, 0 vulnerabilities)",
                  "Block PR + PR comment listing the issues"),
    PipelineStage("Dependency Check",
                  "Snyk / Dependabot / OWASP Dependency-Check",
                  "No Critical/High CVE in dependencies",
                  "Block PR + create security ticket"),
    PipelineStage("Custom SAST",
                  "Semgrep / CodeQL",
                  "IAM-specific rules pass",
                  "Block PR + notify security team"),
    PipelineStage("DAST (Staging)",
                  "Burp Suite / OWASP ZAP",
                  "No Critical/High findings",
                  "Block release + security review"),
    PipelineStage("Security Review",
                  "Manual code review",
                  "Security team approval",
                  "Block release until approved"),
]

print("=== IAM Security Pipeline ===")
for s in stages:
    print(f" [{s.stage}] Tool: {s.tool}")
    print(f"   Check: {s.check}")
    print(f"   Fail: {s.fail_action}")
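The "Quality Gate Check" step in the workflow above is a black box; the block below is an added example (not the page's code and not SonarSource's action) of what such a step does, written so it runs on any CI runner without the GitHub action. It reads the scanner's .scannerwork/report-task.txt, polls the background (CE) task until it finishes, then asks the server for the gate verdict and fails the pipeline on anything but OK, including a failed or cancelled analysis. The HTTP fetcher is injectable so the logic can be exercised offline; the report-task.txt text, the fake server responses and the helper names (parse_report_task, wait_for_gate, fake_fetch_factory) are constructed for this example, while the endpoints and field names are SonarQube's.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

# Added example: a stand-alone quality-gate check for CI. Sample report and
# server answers are constructed; the Web API shapes are SonarQube's.


def parse_report_task(text: str) -> Dict[str, str]:
    """report-task.txt is key=value lines written by sonar-scanner."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskId"):
        if required not in out:
            raise ValueError(f"report-task.txt missing {required}")
    return out


def http_get_json(url: str, token: str) -> dict:
    """Default fetcher: the token goes in basic auth as the username, empty password."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def wait_for_gate(report_text: str, token: str,
                  fetch: Callable[[str, str], dict] = http_get_json,
                  poll_seconds: float = 5.0, max_polls: int = 60) -> Tuple[str, List[str]]:
    """Return (gate status, failed conditions). Anything but "OK" must fail the job."""
    report = parse_report_task(report_text)
    base = report["serverUrl"].rstrip("/")
    analysis_id = None
    for _ in range(max_polls):
        task = fetch(f"{base}/api/ce/task?id={report['ceTaskId']}", token)["task"]
        if task["status"] == "SUCCESS":
            analysis_id = task["analysisId"]
            break
        if task["status"] in ("FAILED", "CANCELED"):
            return "ERROR", [f"analysis task {task['status']}"]
        time.sleep(poll_seconds)          # PENDING or IN_PROGRESS: keep waiting
    if analysis_id is None:
        return "ERROR", ["timed out waiting for analysis"]
    verdict = fetch(f"{base}/api/qualitygates/project_status?analysisId={analysis_id}", token)
    status = verdict["projectStatus"]
    failed = [f"{c['metricKey']}: {c.get('actualValue')} {c['comparator']} {c['errorThreshold']}"
              for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"], failed


# Constructed sample of what sonar-scanner leaves in .scannerwork/report-task.txt
SAMPLE_REPORT = """projectKey=iam-service
serverUrl=http://localhost:9000
serverVersion=10.4.0.87286
dashboardUrl=http://localhost:9000/dashboard?id=iam-service
ceTaskId=AYx-example-task-id
ceTaskUrl=http://localhost:9000/api/ce/task?id=AYx-example-task-id
"""


def fake_fetch_factory(task_states: List[str], gate_json: dict) -> Callable[[str, str], dict]:
    """Offline stand-in for the Web API: the CE task walks through task_states."""
    states = list(task_states)

    def fetch(url: str, token: str) -> dict:
        if "/api/ce/task" in url:
            state = states.pop(0) if len(states) > 1 else states[0]
            return {"task": {"status": state, "analysisId": "AYx-analysis"}}
        return gate_json
    return fetch


if __name__ == "__main__":
    fetch = fake_fetch_factory(["PENDING", "IN_PROGRESS", "SUCCESS"], {"projectStatus": {
        "status": "ERROR", "conditions": [
            {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "90", "actualValue": "93.1"}]}})
    status, failed = wait_for_gate(SAMPLE_REPORT, "sqp_xxxxx", fetch, poll_seconds=0)
    print(status, failed)
    raise SystemExit(0 if status == "OK" else 1)
```

In a real job the script runs right after sonar-scanner with the default fetcher, reads the file from .scannerwork/report-task.txt and takes the token from the CI secret; the non-zero exit is what blocks the PR or release.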
Tips
- Quality Gate: set an IAM Strict Gate that is stricter than the default: 0 vulnerabilities, 0 bugs on new code
- Hotspots: review 100% of Security Hotspots in IAM code; an unreviewed hotspot fails the gate
- Coverage: require coverage ≥ 90% for authentication and authorization code
- Custom rules: write custom rules (Semgrep / CodeQL) that check for MFA, rate limiting and account lockout
- Pipeline: run SonarQube + Snyk + Semgrep + DAST at every stage, each one blocking on failure
What is SonarQube
SonarQube is an open-source platform for continuous code quality and security inspection (static analysis / SAST). It reports Bugs, Vulnerabilities, Security Hotspots and Code Smells, tracks test coverage and duplication, and enforces Quality Gates on new code. It supports 30+ languages and is available in Community, Developer and Enterprise editions.