skill request: SAST — SonarQube/SonarCloud for code quality and security #19

@skyopsai

Summary

The repository covers Semgrep and Bandit for SAST, but SonarQube/SonarCloud occupies a distinct niche: it is the dominant enterprise SAST platform used in gated CI pipelines via Quality Gates, and many organizations run it alongside Semgrep (complementary rule sets, different false-positive profiles). A SonarQube skill would fill this gap and cover the large portion of the industry running Sonar in their pipelines.

Requested Skill: appsec/sast-sonarqube

What to Cover

Core workflows:

1. Scan with sonar-scanner CLI

```bash
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.sources=src \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=$SONAR_TOKEN
```

2. Quality Gate enforcement in CI — fail the build when the Quality Gate does not pass

```bash
# Wait for the scan's background analysis task to finish (the gate status is
# only updated once it has; querying earlier returns the previous analysis),
# then fail if the gate is not OK
sonar-scanner ... && \
  CE_TASK_URL=$(sed -n 's/^ceTaskUrl=//p' .scannerwork/report-task.txt) && \
  until curl -s -u "$SONAR_TOKEN:" "$CE_TASK_URL" | jq -e '.task.status == "SUCCESS"' >/dev/null; do sleep 5; done && \
  curl -s "$SONAR_HOST/api/qualitygates/project_status?projectKey=my-project" \
    -u "$SONAR_TOKEN:" | jq -e '.projectStatus.status == "OK"'
```

3. Triage findings via API — pull Security Hotspots and Vulnerabilities for triage

```bash
# Authenticate with the token: hotspots and issues on private projects are not visible anonymously
curl -s -u "$SONAR_TOKEN:" "$SONAR_HOST/api/hotspots/search?projectKey=my-project&status=TO_REVIEW"
curl -s -u "$SONAR_TOKEN:" "$SONAR_HOST/api/issues/search?projectKey=my-project&types=VULNERABILITY&severities=CRITICAL,BLOCKER"
```

4. Export to DefectDojo — convert Sonar JSON output for unified vulnerability tracking
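The gate step above is the part most CI pipelines get wrong: SonarQube processes each scan asynchronously, so a `project_status` call made right after `sonar-scanner` returns can report the gate of the previous analysis. The following is an added example, not code from the original request or from SonarSource: it reads the `report-task.txt` the scanner writes, polls the Compute Engine task it names until it succeeds or fails, and then fetches the gate status for that exact `analysisId`. It assumes `SONAR_TOKEN` is set in the CI environment and that the scanner ran in the current directory; the poll interval and timeout are arbitrary choices.

```python
import json
import os
import time
import urllib.request
from base64 import b64encode

def parse_report_task(text):
    """Parse .scannerwork/report-task.txt, the key=value file sonar-scanner writes."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def ce_task_status(task_json):
    """Status from /api/ce/task: PENDING, IN_PROGRESS, SUCCESS, FAILED or CANCELED."""
    return task_json["task"]["status"]

def gate_passed(status_json):
    """True only for OK from /api/qualitygates/project_status (ERROR and NONE both fail)."""
    return status_json["projectStatus"]["status"] == "OK"

def failed_conditions(status_json):
    """Metric keys of the gate conditions in ERROR, for the CI log."""
    conds = status_json["projectStatus"].get("conditions", [])
    return [c["metricKey"] for c in conds if c.get("status") == "ERROR"]

def api_get(url, token):
    """GET with token-as-username basic auth, the same scheme as curl -u "$SONAR_TOKEN:"."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_gate(token, report_path=".scannerwork/report-task.txt", timeout_s=600, poll_s=5):
    """Wait for this scan's background task, then fetch the gate status of that exact analysis."""
    with open(report_path) as fh:
        task = parse_report_task(fh.read())
    deadline = time.monotonic() + timeout_s  # assumed limits; tune to the server's queue
    while (status := ce_task_status(ce := api_get(task["ceTaskUrl"], token))) != "SUCCESS":
        if status in ("FAILED", "CANCELED") or time.monotonic() > deadline:
            raise SystemExit(f"analysis task {task['ceTaskId']} ended with {status}")
        time.sleep(poll_s)
    analysis_id = ce["task"]["analysisId"]  # present once the task has succeeded
    return api_get(f"{task['serverUrl']}/api/qualitygates/project_status?analysisId={analysis_id}", token)

if __name__ == "__main__":
    result = wait_for_gate(os.environ["SONAR_TOKEN"])  # assumes the token is set in CI
    if not gate_passed(result):
        raise SystemExit("Quality Gate failed on: " + ", ".join(failed_conditions(result)))
    print("Quality Gate passed")
```

Run it as the step after `sonar-scanner`; a non-zero exit from `SystemExit` fails the job on a broken gate, a failed analysis task, or a timeout.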

Key Differentiators vs. Semgrep

| Dimension | SonarQube | Semgrep |
|---|---|---|
| Languages | 30+ (inc. COBOL, Apex) | 30+ (better for custom rules) |
| Quality Gate | Built-in pass/fail | External script needed |
| Technical debt tracking | Native | Via external tooling |
| Security Hotspots | Native triage workflow | N/A |
| IDE integration | SonarLint (deep) | Semgrep VSCode |
| Enterprise adoption | Very high | Growing |

Frameworks

  • OWASP Top 10 (A03 Injection, A07 ID & Auth Failures)
  • CWE Top 25 Most Dangerous Software Weaknesses
  • SANS Top 25
  • MISRA C/C++ (embedded)
  • PCI-DSS Req 6.3 (secure development)

SonarCloud (SaaS variant)

Include workflow for SonarCloud (no self-hosted server required):

```yaml
- uses: SonarSource/sonarcloud-github-action@master
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
