SonarSource Cloud (SonarQube)

Threat Assessment Overview

SonarCloud provides comprehensive static application security testing (SAST) and code quality analysis integrated into the CI/CD pipeline to identify security vulnerabilities, code smells, and maintainability issues.

Assessment Classification

  • Assessment Type: Static Application Security Testing (SAST) / Code Quality Analysis
  • Approach Used: Automated pipeline integration with quality gate enforcement
  • Status: Implemented
  • Date Identified: TBD
  • Date First Implemented: Implemented (Active in pipeline)
  • Date Last Reviewed: 2025-10-30
  • Date Retired: N/A

Coverage Scope

Source Analysis:

  • All TypeScript/JavaScript source code in apps/ and packages/
  • Security vulnerability detection
  • Code quality and maintainability metrics
  • Test coverage analysis and reporting

Security Detection:

  • SQL injection vulnerabilities
  • Cross-site scripting (XSS) patterns
  • Insecure cryptographic usage
  • Authentication and authorization flaws
  • Input validation issues

Quality Metrics:

  • Code duplication detection
  • Cyclomatic complexity analysis
  • Maintainability index calculation
  • Technical debt quantification

Implementation Status

  • Current State: Fully operational with pipeline enforcement
  • Quality Gates: Active with build-breaking configuration
  • Coverage: Comprehensive analysis of monorepo structure
  • Automation: Complete integration with PR and main branch workflows
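The following Azure DevOps pipeline fragment is an added illustration of how the build-breaking quality gate described above is typically wired up; it is not this project's own pipeline file. The service connection name, organization, project key, Node.js version and coverage report path are placeholders or assumptions, and the SonarCloud task names and the `sonar.qualitygate.wait` scanner property are the ones documented by SonarSource for the Azure DevOps extension.

```yaml
# Added example, not the project's pipeline: analyse a TypeScript monorepo
# (apps/ and packages/) with SonarCloud on every PR and main-branch build,
# and fail the job when the Quality Gate fails.
trigger:
  branches:
    include: [main]
pr:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'        # assumption: a supported Node.js LTS, not 16

  - script: |
      npm ci
      npm test -- --coverage     # assumption: tests write coverage/lcov.info
    displayName: Install dependencies and run tests with coverage

  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'SonarCloud-ServiceConnection'     # placeholder connection
      organization: 'example-org'                    # placeholder
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: 'example-org_example-monorepo'  # placeholder
      cliProjectName: 'example-monorepo'             # placeholder
      cliSources: 'apps,packages'
      extraProperties: |
        sonar.exclusions=**/node_modules/**,**/dist/**,**/*.test.ts,**/*.spec.ts
        sonar.tests=apps,packages
        sonar.test.inclusions=**/*.test.ts,**/*.spec.ts
        sonar.javascript.lcov.reportPaths=coverage/lcov.info
        # Make the scanner wait for the server-side gate and exit non-zero
        # when it fails, so the build breaks instead of merely reporting.
        sonar.qualitygate.wait=true

  - task: SonarCloudAnalyze@1

  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

Without `sonar.qualitygate.wait=true` the analysis still runs and results are published, but a failed gate only shows up in the SonarCloud UI and the build stays green; the property is what turns the gate into an enforced merge control.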

Success Criteria

  • All code changes analyzed before merge
  • Quality gate compliance enforced on all builds
  • Security vulnerabilities identified and blocked
  • Test coverage maintained above defined thresholds
  • Technical debt tracked and managed

Compensating Controls

  • Manual code review process through pull requests
  • TypeScript strict mode compilation
  • ESLint static analysis for additional code quality
  • Automated testing requirements before merge
  • ADR 0015: Addressing Node.js 16 End-of-Life in SonarCloud
  • Azure DevOps pipeline configuration
  • Monorepo build and test strategy documentation