You can ingest SAST findings directly from SonarQube into Cortex Cloud Application Security. This allows you to use Cortex Cloud Application Security's analysis and visualization tools to identify critical vulnerabilities, prioritize remediation efforts, and improve your application code security.
Prerequisites
Ensure that you have onboarded a version control system (such as GitHub or GitLab) and have connected repositories.
SonarQube and SonarCloud setup:
Token requirements: The API token for both SonarCloud and SonarQube (Self-Hosted) must be generated by a user with Organization Admin permissions.
Note
Using a token with a lower permission level will cause "No organization found" errors during onboarding.
Token scopes: When generating the SonarQube API token, you must assign the Web API scope. Refer to the SonarQube documentation for more information.
Note
The egress path is required for onboarding a self-hosted instance of SonarQube.
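Because a token with insufficient permissions only fails later in the wizard with "No organization found", it is worth confirming before onboarding that the token authenticates and can actually see the organization you plan to enter. The following preflight script is an added example and is not part of the Cortex Cloud or SonarQube documentation; it assumes the standard SonarQube Web API endpoints /api/authentication/validate and /api/organizations/search?member=true (the organization endpoint applies to SonarCloud), and it passes the token as the Basic-auth username with an empty password, which is how SonarQube accepts API tokens. The base URL, token and organization key are read from the command line; the values in the comments are constructed placeholders.

```python
"""Preflight check for a SonarQube / SonarCloud API token before onboarding it
into Cortex Cloud Application Security (added example, not vendor code).

Usage (constructed example values):
    python sonar_preflight.py https://sonarcloud.io <api-token> my-org-key
"""
import base64
import json
import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlencode


def auth_header(token: str) -> str:
    """SonarQube accepts the API token as the Basic-auth user name with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def fetch_json(base_url: str, path: str, token: str,
               params: Optional[Dict[str, str]] = None) -> dict:
    """GET a Web API endpoint and decode its JSON body (assumes standard SonarQube endpoints)."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def evaluate(validate_json: dict, orgs_json: dict,
             expected_org: Optional[str]) -> List[str]:
    """Pure decision logic, separated from I/O so it can be unit-tested offline.

    Returns a list of problems; an empty list means the token looks usable for onboarding.
    """
    problems: List[str] = []
    # /api/authentication/validate answers {"valid": true|false}
    if not validate_json.get("valid"):
        problems.append("token rejected by /api/authentication/validate")
        return problems
    # /api/organizations/search?member=true lists organizations the token's user belongs to
    keys = [org.get("key") for org in orgs_json.get("organizations", [])]
    if not keys:
        problems.append("no organization visible to this token "
                        "(expect 'No organization found' during onboarding)")
    elif expected_org and expected_org not in keys:
        problems.append(f"organization '{expected_org}' not among visible organizations {keys}")
    return problems


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print(__doc__)
        return 2
    base_url, token = argv[1], argv[2]
    expected_org = argv[3] if len(argv) > 3 else None
    validate_json = fetch_json(base_url, "/api/authentication/validate", token)
    orgs_json = fetch_json(base_url, "/api/organizations/search", token, {"member": "true"})
    problems = evaluate(validate_json, orgs_json, expected_org)
    for p in problems:
        print("PROBLEM:", p)
    print("preflight OK" if not problems else "preflight FAILED")
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check only proves the token is valid and that the organization is visible to it; it does not prove the user holds Organization Admin, so treat a passing result as necessary rather than sufficient, and still generate the token from an admin account as the prerequisite above requires.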
Onboarding steps
Search for and hover over SonarQube and click Add, or Add Another Instance if an instance is already onboarded.
On the Configure Integration step of the integration wizard:
Fill in the provided fields:
API Token: Paste the generated SonarQube API token.
URL and Port: Provide the URL of your SonarQube instance. The port is optional.
Organization: The SonarQube organization to be associated with the data ingestion. Required for SonarQube Cloud.
Click .
On the Select Applications step of the integration wizard:
Select an option:
Accept the displayed mapping as detected by Cortex Cloud Application Security. This does not require any action on your part.
Manually configure the mapping if Cortex Cloud Application Security could not match a project to a repository: select Set in the Cortex Cloud Application Security Repository column, and select a repository from the list that is displayed.
Automatically map future SonarQube projects.
Manually modify the mapping: click Replace next to the existing mapped Cortex Cloud Application Security repository. This opens an option to select a different repository from the displayed list, allowing you to update the mapping.
Note
Mapping establishes relationships between SonarQube applications and Cortex Cloud Application Security code repositories, simplifying access management and enabling risk analysis at the repository level, including displaying findings on the tenant.
Only mapped projects are ingested.
Click .
Select Close on the Status step of the wizard to complete the integration, initiating an automatic ingestion of data from the integrated SonarQube projects.
Note
Verify that the Connector Created Successfully message is displayed on the page.
Verify the integration and confirm that your integrated SonarQube instance has a status of Connected.
On the Data Sources & Integrations page, search for SonarQube.
Hover over and select the resulting entry.
Locate and verify that the status of your SonarQube instance is Connected.
Manage data source integrations
Manage integrations to align with evolving requirements and ensure they remain current.
Navigate to → and use the Vendor filter to locate the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
: Redirects to the Select Repositories step of the integration wizard, where you can modify the configuration of the selected instance. For more details, refer to the relevant integration guide.
: When confirmed, deletes the instance, including data from previous scans.
Copy entire row – Copies all column values for the selected row to the clipboard.
View SAST code weaknesses generated from ingested SonarQube findings
You can view SAST code weaknesses generated from ingested SonarQube findings:
On the Code Weaknesses page under Cortex Cloud Application Security Issues.
Under the Code Weaknesses tab of the Repositories assets page.
For more information on SAST code weaknesses, refer to SAST code weaknesses (CWEs).