Static Code Analysis Lab: SonarQube + GitLab CI/CD
As part of my upskilling in secure DevOps, I completed a hands-on lab focused on integrating SonarQube with GitLab CI/CD to perform static code analysis on a full JavaScript application. The project, called Noterdamn, simulates real-world application code management, threat modeling, and secure CI/CD practices.
Tools & Technologies Used
- SonarQube (Static Code Analyzer)
- GitLab CI/CD
- JavaScript (Node.js)
- YAML & GitLab Web IDE
- JWT Security Analysis
- OWASP Top 10 Awareness
Project Goals
- Integrate SonarQube with a GitLab-managed JS codebase
- Automatically scan new code via GitLab pipelines
- Identify and remediate vulnerabilities before deployment
- Map findings to OWASP Top 10 categories like A2 (Cryptographic Failures) and A5 (Broken Access Control)
Key Skills Demonstrated
Static Code Analysis Integration
- Created a sonar-project.properties file and configured a .gitlab-ci.yml pipeline script
- Removed non-compatible pipeline stages (e.g. sonarqube-vulnerability-report) to support the self-hosted GitLab instance
- Successfully triggered SonarQube scans on every push to main
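The pipeline wiring described above, as an added example written for this post rather than the lab's own .gitlab-ci.yml: a test stage followed by a single SonarQube scanner job that runs only on pushes to main. The job name, the image tag and the stage names are my assumptions; SONAR_HOST_URL and SONAR_TOKEN are the environment variables the scanner reads and should be defined as masked, protected CI/CD variables in the project settings, never in the file.

```yaml
# .gitlab-ci.yml (added example, not the lab's file)
stages:
  - test
  - sonarqube

unit-tests:
  stage: test
  image: node:20
  script:
    - npm ci
    - npm test

sonarqube-check:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]          # override the image entrypoint so GitLab can run `script`
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # scanner cache location
    GIT_DEPTH: "0"                                # full clone so new-code detection and blame work
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner           # reads sonar-project.properties from the repo root
  allow_failure: false        # with sonar.qualitygate.wait=true, a failed Quality Gate fails the pipeline
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```

The matching sonar-project.properties would carry at least sonar.projectKey, sonar.sources=src, sonar.tests=test (so test scripts are analysed as tests rather than counted as production code) and sonar.exclusions=node_modules/**; set sonar.qualitygate.wait=true there if you want the job to block the pipeline on a failed gate.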
Vulnerability Discovery & Prioritization
- Use of weak/unsafe algorithms in JWT signature verification
- Hard-coded shared secrets vulnerable to brute-force attacks
- Command Injection risk from unsanitized shell command execution
Secure Code Remediation
- Reviewed Security Hotspots flagged by SonarQube
- Validated and merged secure fixes from a feature branch (Supersecured) into main
- Verified that all prior vulnerabilities were resolved post-merge with updated SonarQube scans
Secure Coding Practices
- Applied SonarQube's code examples and best-practice guidelines to refactor insecure implementations
- Recommended pipeline improvements like excluding test scripts via sonar.tests
Outcome
- The pipeline successfully ran automated security scans using SonarQube
- Previously critical security issues were remediated and verified through updated scans
- Quality Gates were passed with no new high-severity issues introduced
- Demonstrated ability to shift security left and improve code quality in real-world workflows
Takeaways
This exercise reinforced my practical skills in:
- DevSecOps pipeline development
- Security-first coding
- Using tools like SonarQube to bring visibility and automation to code quality and vulnerability tracking