Open blackfalcon opened 1 year ago
This work is delayed until we have tokens for SonarQube from DevSecOps. This was reviewed in a team refinement meeting today and this body of work is ready to be addressed as soon as the SonarQube token prereq is addressed.
SonarQube secrets have been added to all repos as an org secret. This work is ready to be addressed.
Is your feature request related to a problem? Please describe.
The security standard for Alaska is to use SonarQube
Describe the solution you'd like
The specification of work is as follows:
The recommended solution is to use the SonarQube GitHub action. Reach out to Alaska security to obtain the host:
${{ secrets.SONARQUBE_HOST }}
and login:
${{ secrets.SONARQUBE_TOKEN }}
auth tokens/secrets for the repos. Test the workflow with an existing repo before installing into the generator. We need to ensure an end-to-end test of setting this up correctly before we can be sure that this configuration will work with a newly generated repo.
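As an added example (not part of this issue or of the Auro generator), the workflow below shows how the two org secrets named above would be wired into the SonarQube GitHub action. The action names and version tags, the trigger set, and PLACEHOLDER_PROJECT_KEY are this example's assumptions; confirm the pins against the marketplace before copying it into a repo.

```yaml
# .github/workflows/sonarqube.yml
# Added example, not the Auro generator's own workflow. Assumes the org
# secrets SONARQUBE_HOST and SONARQUBE_TOKEN from this issue exist and that
# the SonarQube server is reachable from the GitHub-hosted runner.
name: SonarQube

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the scan only needs to read repository contents.
permissions:
  contents: read

jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so SonarQube can attribute new code correctly;
          # a shallow clone degrades blame and new-code detection.
          fetch-depth: 0

      - name: SonarQube scan
        # Version tag is an assumption; pin to the release you verify.
        uses: sonarsource/sonarqube-scan-action@v5
        env:
          # The action reads SONAR_TOKEN / SONAR_HOST_URL. Map the org
          # secrets onto those names instead of renaming the secrets, so
          # the generator template stays consistent across Auro repos.
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
        with:
          # Placeholder: each repo gets its own project key, set here or
          # in a sonar-project.properties file at the repo root.
          args: >
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY

      # Surface the server-side quality gate result as a failing check on
      # the PR instead of only reporting it in the SonarQube UI.
      - name: SonarQube quality gate
        uses: sonarsource/sonarqube-quality-gate-action@v1
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
```

Per the issue, run this against one existing repo first and confirm the analysis shows up on the SonarQube host before adding the file to the generator template. The token never appears in logs as long as it is only referenced through `secrets.*`; avoid echoing it in any debugging step.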
Exit criteria
This issue will be considered closed once a new repo created from the generator comes complete with these updates removing Snyk and CodeQL, and installing SonarQube.
There also needs to be a strategy for updating all the Auro repos with these security settings.