Integrations / Sonar

Sonar

Sonar and JFrog are partnering to bring code quality attestations from SonarQube into JFrog as key SDLC evidence, with a seamless and integrated workflow. Evidence from SonarQube can thenRead More >

help drive evidence-based policies in JFrog AppTrust, streamlining application lifecycle management and governance. Read Less >

Start Free Book a Demo

Sonar Evidence Integration Features

Verified Proof of Code Quality

SonarQube’s static code analysis is integrated into JFrog CLI to generate signed evidence containing quality gate results, security scan findings, and code coverage metrics.

Code Quality Attestations Integrated into Unified Evidence Collection

SonarQube’s signed code quality attestations are seamlessly integrated into JFrog Evidence Collection as verifiable proof of software meeting quality standards – alongside all other key evidence across the SDLC. 

Code Quality as a Driver for Application Governance

JFrog AppTrust ingests Sonar’s code quality attestations as key evidence driving its evidence-based policy engine, establishing governance over the software supply chain.

Documentation
Availability
Learn More
  • Enterprise+
Related Product
  • JFrog Platform
  • JFrog AppTrust
  • JFrog Evidence Collection
Related Integration
ServiceNow
GitHub Artifact Attestations
Develocity Provenance Governor
CoGuard Infrastructure Management

Frequently Asked Questions

What is the main purpose of the JFrog and SonarQube integration?

The integration is designed to collect and verify SonarQube’s code analysis results as signed evidence and seamlessly integrate them into JFrog AppTrust. This provides a unified, verifiable proof of a software’s code quality and security.

What specific information does SonarQube provide as evidence?

SonarQube generates signed evidence that includes quality gate results, security scan findings, and code coverage metrics. This information acts as a verifiable attestation that the code has met the required quality and security standards.

How does JFrog use the evidence from SonarQube?

JFrog uses the code quality attestations from SonarQube as a key input for JFrog AppTrust’s evidence-based policy engine. This allows for the enforcement of application governance policies, ensuring that only software that meets predefined quality standards can progress through the supply chain.

Where is the code quality evidence stored?

The signed code quality attestations from SonarQube are stored in JFrog’s Evidence Collection. This serves as a central hub where all key evidence from across the SDLC is gathered, providing a single source of truth for audits and compliance.

How does the Sonar and JFrog integration help with software governance?

By integrating SonarQube’s verified code quality evidence, JFrog can establish robust governance over the software supply chain. It provides a reliable, data-driven mechanism to ensure that all software artifacts meet specific quality and security criteria before they are approved for release or deployment.

About Sonar

Sonar helps developers deliver high quality and secure software by analyzing code they write, AI-generated code, and code leveraged from third parties (like open source libraries). Sonar’s integrated approach to improving code quality and code security catches these issues before they make it into production, helping developers reduce technical debt and code complexity over time.
Learn More