Sonar

Sonar and JFrog are partnering to bring code quality attestations from SonarQube into JFrog as key SDLC evidence, with a seamless and integrated workflow. Evidence from SonarQube can then help drive evidence-based policies in JFrog, streamlining application lifecycle management and governance.

Sonar Evidence Integration Features

Frequently Asked Questions

What is the main purpose of the JFrog and SonarQube integration?

The integration is designed to collect SonarQube’s code analysis results as signed evidence, verify that evidence, and attach it to the corresponding artifacts in JFrog. This provides a unified, verifiable record of an application’s code quality and security.

What specific information does SonarQube provide as evidence?

SonarQube generates signed evidence that includes quality gate results, security scan findings, and code coverage metrics. This information acts as a verifiable attestation that the code has met the required quality and security standards.

How does JFrog use the evidence from SonarQube?

JFrog uses the code quality attestations from SonarQube as a key input for JFrog’s evidence-based policy engine. This allows for the enforcement of application governance policies, ensuring that only software that meets predefined quality standards can progress through the supply chain.

Where is the code quality evidence stored?

The signed code quality attestations from SonarQube are stored in JFrog’s Evidence Collection. This serves as a central hub where all key evidence from across the SDLC is gathered, providing a single source of truth for audits and compliance.

How does the Sonar and JFrog integration help with software governance?

By integrating SonarQube’s verified code quality evidence, JFrog can establish robust governance over the software supply chain. It provides a reliable, data-driven mechanism to ensure that all software artifacts meet specific quality and security criteria before they are approved for release or deployment.
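The verify-then-enforce flow these answers describe (signed quality-gate, finding and coverage evidence; a policy engine that admits an artifact only when the evidence passes) can be illustrated end to end. The block below is an added example and is not Sonar’s or JFrog’s code: the envelope layout, the `payloadType` string, the policy fields, the evidence fields (`subject`, `quality_gate`, `coverage`, `findings`) and the sample artifact are all constructed for this illustration, and an HMAC with a shared secret stands in for the asymmetric signature scheme a real evidence pipeline would use. The two checks a practitioner should not skip are shown explicitly: the signature is verified before any field of the evidence is read, and the evidence is bound to the digest of the exact artifact being promoted, so a valid attestation for a different build cannot be replayed.

```python
import base64
import hashlib
import hmac
import json

# Assumption: an HMAC shared secret stands in for the asymmetric signing key a real
# evidence pipeline would use; every key and payload here is constructed for illustration.
SIGNING_KEY = b"constructed-demo-signing-key"
WRONG_KEY = b"constructed-key-of-an-unrelated-tool"


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_evidence(payload: dict, key: bytes) -> dict:
    """Wrap a scan result in a signed envelope (constructed format, not JFrog's)."""
    body = canonical(payload)
    return {
        "payloadType": "application/vnd.example.code-quality+json",  # hypothetical type
        "payload": base64.b64encode(body).decode(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_envelope(envelope: dict, key: bytes):
    """Return the decoded payload only if the signature checks out, else None."""
    body = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return None
    return json.loads(body)


# Hypothetical release policy: gate passed, coverage floor, no high/critical findings.
POLICY = {"quality_gate": "OK", "min_coverage": 80.0, "max_high_findings": 0}


def evaluate_policy(evidence: dict, artifact_digest: str, policy: dict = POLICY):
    """Check already-verified evidence against the policy; returns (admitted, reasons)."""
    reasons = []
    # The evidence must be bound to the exact artifact being promoted.
    if evidence.get("subject", {}).get("sha256") != artifact_digest:
        reasons.append("evidence subject does not match artifact digest")
    if evidence.get("quality_gate") != policy["quality_gate"]:
        reasons.append(f"quality gate is {evidence.get('quality_gate')!r}")
    if float(evidence.get("coverage", 0.0)) < policy["min_coverage"]:
        reasons.append("coverage below policy floor")
    high = sum(1 for f in evidence.get("findings", [])
               if f.get("severity") in ("HIGH", "CRITICAL"))
    if high > policy["max_high_findings"]:
        reasons.append(f"{high} high/critical security finding(s)")
    return (not reasons, reasons)


def admit_artifact(envelope: dict, artifact_digest: str, key: bytes):
    """Full gate: never evaluate evidence content before its signature is verified."""
    evidence = verify_envelope(envelope, key)
    if evidence is None:
        return (False, ["signature verification failed"])
    return evaluate_policy(evidence, artifact_digest)


# Constructed sample artifact and scan result.
ARTIFACT_DIGEST = hashlib.sha256(b"constructed release bundle").hexdigest()
SAMPLE_EVIDENCE = {
    "subject": {"name": "example-app:1.4.2", "sha256": ARTIFACT_DIGEST},
    "quality_gate": "OK",
    "coverage": 86.4,
    "findings": [{"type": "VULNERABILITY", "severity": "MEDIUM"}],
}


def run_scenarios() -> dict:
    """Exercise the happy path and the failure modes a policy engine must reject."""
    good = sign_evidence(SAMPLE_EVIDENCE, SIGNING_KEY)

    # Payload edited after signing to hide a failed gate: signature no longer matches.
    forged_payload = dict(SAMPLE_EVIDENCE, quality_gate="ERROR")
    tampered = dict(good, payload=base64.b64encode(canonical(forged_payload)).decode())

    # Correctly signed evidence, but for a different build: must not be replayed.
    other_build = hashlib.sha256(b"some other build").hexdigest()

    # Evidence signed with a key the policy engine does not trust.
    untrusted = sign_evidence(SAMPLE_EVIDENCE, WRONG_KEY)

    # Honest evidence reporting that the gate failed and coverage dropped.
    failed_gate = sign_evidence(
        dict(SAMPLE_EVIDENCE, quality_gate="ERROR", coverage=61.0), SIGNING_KEY)

    return {
        "valid": admit_artifact(good, ARTIFACT_DIGEST, SIGNING_KEY),
        "tampered": admit_artifact(tampered, ARTIFACT_DIGEST, SIGNING_KEY),
        "wrong_artifact": admit_artifact(good, other_build, SIGNING_KEY),
        "untrusted_signer": admit_artifact(untrusted, ARTIFACT_DIGEST, SIGNING_KEY),
        "failed_gate": admit_artifact(failed_gate, ARTIFACT_DIGEST, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, (admitted, reasons) in run_scenarios().items():
        print(f"{name:16} admitted={admitted} {reasons}")
```

Only the first scenario is admitted. The tampered and untrusted-signer cases are rejected at signature verification without the policy ever seeing their contents, the replayed envelope is rejected because its subject digest is not the artifact under promotion, and the honest failing scan is rejected with the specific policy reasons, which is the information an audit trail in an evidence collection should retain.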

About Sonar

Sonar helps developers deliver high quality and secure software by analyzing code they write, AI-generated code, and code leveraged from third parties (like open source libraries). Sonar’s integrated approach to improving code quality and code security catches these issues before they make it into production, helping developers reduce technical debt and code complexity over time.