help drive evidence-based policies in JFrog, streamlining application lifecycle management and governance.
The integration is designed to collect and verify SonarQube’s code analysis results as signed evidence and seamlessly integrate them into JFrog. This provides a unified, verifiable proof of a software’s code quality and security.
SonarQube generates signed evidence that includes quality gate results, security scan findings, and code coverage metrics. This information acts as a verifiable attestation that the code has met the required quality and security standards.
JFrog uses the code quality attestations from SonarQube as a key input for JFrog’s evidence-based policy engine. This allows for the enforcement of application governance policies, ensuring that only software that meets predefined quality standards can progress through the supply chain.
The signed code quality attestations from SonarQube are stored in JFrog’s Evidence Collection. This serves as a central hub where all key evidence from across the SDLC is gathered, providing a single source of truth for audits and compliance.
By integrating SonarQube’s verified code quality evidence, JFrog can establish robust governance over the software supply chain. It provides a reliable, data-driven mechanism to ensure that all software artifacts meet specific quality and security criteria before they are approved for release or deployment.
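The flow described above (a scanner signs its results, the evidence is stored against an artifact, and a policy engine admits only artifacts whose verified evidence meets the thresholds) is shown below as an added example. It is not code from JFrog or SonarQube; the predicate field names, the `Policy` thresholds, the in-memory `EvidenceStore`, and the use of Ed25519 as the signature scheme are all assumptions made for illustration. The point it demonstrates is the order of checks a policy engine must keep: verify the signature first, then confirm the evidence names the artifact being promoted, and only then evaluate the quality thresholds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// QualityPredicate is a hypothetical evidence payload. Its fields follow what the page says
// SonarQube attests to (quality gate, security findings, coverage); the names are assumptions.
type QualityPredicate struct {
	ArtifactDigest  string  `json:"artifactDigest"` // digest of the artifact the evidence is about
	QualityGate     string  `json:"qualityGate"`    // "PASSED" or "FAILED"
	CoveragePercent float64 `json:"coveragePercent"`
	Vulnerabilities int     `json:"vulnerabilities"`
}

// Envelope binds the serialized predicate to an Ed25519 signature over those exact bytes.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Sign serializes the predicate and signs the bytes that Verify will later check.
func Sign(priv ed25519.PrivateKey, p QualityPredicate) (Envelope, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature before any field of the payload is parsed or trusted.
func Verify(pub ed25519.PublicKey, env Envelope) (QualityPredicate, error) {
	var p QualityPredicate
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return p, errors.New("evidence signature invalid")
	}
	return p, json.Unmarshal(env.Payload, &p)
}

// Policy holds the thresholds an artifact must meet before it may be promoted.
type Policy struct {
	RequireGatePassed  bool
	MinCoveragePercent float64
	MaxVulnerabilities int
}

// Evaluate returns every policy violation; an empty result means the predicate satisfies the policy.
func Evaluate(pol Policy, p QualityPredicate) []string {
	var v []string
	if pol.RequireGatePassed && p.QualityGate != "PASSED" {
		v = append(v, "quality gate not passed: "+p.QualityGate)
	}
	if p.CoveragePercent < pol.MinCoveragePercent {
		v = append(v, fmt.Sprintf("coverage %.1f%% below %.1f%%", p.CoveragePercent, pol.MinCoveragePercent))
	}
	if p.Vulnerabilities > pol.MaxVulnerabilities {
		v = append(v, fmt.Sprintf("%d vulnerabilities exceed limit %d", p.Vulnerabilities, pol.MaxVulnerabilities))
	}
	return v
}

// EvidenceStore is a stand-in for a central evidence collection, keyed by artifact digest.
type EvidenceStore struct{ byDigest map[string][]Envelope }

func NewStore() *EvidenceStore { return &EvidenceStore{byDigest: map[string][]Envelope{}} }

func (s *EvidenceStore) Add(digest string, env Envelope) {
	s.byDigest[digest] = append(s.byDigest[digest], env)
}

// Admit promotes an artifact only if at least one stored envelope verifies under the trusted
// key, names this digest as its subject, and satisfies the policy. Otherwise it returns reasons.
func (s *EvidenceStore) Admit(digest string, trusted ed25519.PublicKey, pol Policy) (bool, []string) {
	var reasons []string
	for _, env := range s.byDigest[digest] {
		p, err := Verify(trusted, env)
		if err != nil {
			reasons = append(reasons, err.Error())
			continue
		}
		if p.ArtifactDigest != digest {
			reasons = append(reasons, "evidence is about a different artifact")
			continue
		}
		if v := Evaluate(pol, p); len(v) > 0 {
			reasons = append(reasons, v...)
			continue
		}
		return true, nil
	}
	if len(reasons) == 0 {
		reasons = []string{"no evidence recorded for artifact"}
	}
	return false, reasons
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // trusted scanner key (constructed for the demo)
	pol := Policy{RequireGatePassed: true, MinCoveragePercent: 80, MaxVulnerabilities: 0}
	store := NewStore()
	env, _ := Sign(priv, QualityPredicate{ArtifactDigest: "sha256:demo", QualityGate: "PASSED", CoveragePercent: 91.5})
	store.Add("sha256:demo", env)
	ok, reasons := store.Admit("sha256:demo", pub, pol)
	fmt.Println("admitted:", ok, reasons)
}
```

Two design choices matter here. The subject digest is checked after signature verification and before the thresholds, so a valid attestation cannot be replayed against a different artifact. Each rejected envelope contributes its reason but does not stop the loop, so an artifact with one stale or tampered piece of evidence and one valid one is still admitted on the valid one, while an artifact with no passing evidence gets a full list of why.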