SonarCloud, crafted by @SonarSource, is the leading online service for Code Quality & Security. Free analysis for open-source projects covering 24 languages.
#Developers, do you know how easy it is to start analyzing your @github repository with SonarCloud? Just log in with your GitHub account, select your projects, and wait for the analysis to end. #CodeQuality and #CodeQuality should always be that simple!
Elevate #CodeQuality and #CodeSecurity in your @GitLab repositories. With SonarCloud, you detect Bugs and Vulnerabilities, and get clear remediation guidance to fix them. Your code instantly gets cleaner and safer!
Automate the detection of Bugs and Vulnerabilities in your #AzureDevOps repositories across all branches and pull requests. Get a chance to fix issues in your code before even merging and deploying. #codequality #codesecurity #codereview
Merge clean, safe code in your @GitHub repositories with fast, accurate feedback in your #pullRequest. SonarCloud helps you assess your code health and fix issues early in your development workflow. #codequality #codesecurity
Detect the issues in your #pullRequest with SonarCloud! And clean your @GitHub repositories from Bugs, Vulnerabilities, and Code Smells that don't belong to your code. Get started in seconds. It's free for open-source projects! #codequality #codesecurity
Shift Code Quality and Security left to your #pullRequest! SonarCloud detects the issues in your PR and development branches. You also get clear remediation guidance on fixing them. So your code instantly gets cleaner and safer. #codequality #codesecurity
Here’s to you @GitHub community: a GitHub Action that makes it even simpler to catch bugs and vulnerabilities in your Pull Requests!
Join the GitHub Actions beta, and use the SonarCloud Scan action:
Find, fix and learn from issues in your code. SonarCloud for @Bitbucket Cloud provides the right feedback, at the right place, at the right time. Your Code Quality and Security improves and you sharpen your #dev skills learning new rules along the way!
Heads-up Bitbucket users! Adding SonarCloud analysis to your pipeline just got way simpler.🤘 #bitbucketpipes #enhanceyourworkflow
Check-out the new SonarCloud Pipe in our blog post👇
Continuous feedback on your code puts your mind in a good place! With SonarCloud for @Bitbucket Cloud, you're in control of Code Quality and Security in your repos. You save time and focus efforts on what matters most: developing new features.
Get continuous feedback on your code with SonarCloud for @Bitbucket Cloud. Find bugs and vulnerabilities in your #pullrequest and development branches. As of today, you'll merge clean, safe code in your Bitbucket Cloud repositories. Every time.
Scanning your projects and pull requests is also the opportunity to show your user community how much you care about quality software ❤
Check-out some featured projects 👉
We feel honored to help the @Makair_fr project improve the quality and security of their #cplusplus software! A beautiful story of 250 makers building a ventilator in only a few weeks, helping #COVID19 patients breathe! #makair #makersforlife
Woot woot! Just reached 1 Billion Lines of Code 🚀 #crazygrowth
Here goes ❤️❤️to all the devs and teams that killed countless bugs and vulnerabilities along the way. 💪
Join the fun @ !
Do you know that for most languages, we can now autonomously scan your code, by simply reading it from your repository? We call that AutoScan, and we think you’ll love it! 🎉
More details here 👇
We're pleased to announce Sonar is integrated with @Atlassian Compass! The Sonar Quality Gate Scorecard makes it easy for Compass users to understand if their component is built with #CleanCode 🚀✅
More information 👇
You're doing JavaScript? SonarCloud has now built-in support for @geteslint issues! 😎 And it's as simple as using the "sonar.eslint.reportPaths" property. Enjoy!
Once upon a time, #Java devs looked to the DSM to enhance their app design. Beyond code quality & security, structured code and clean architecture are necessary pillars for #CleanCode.
We're excited to share we just got 3 new architectural rules!
Our #Python bug hunt in popular, well-maintained projects (@TensorFlow, numpy, salt, sentry and @Biopython) turned up interesting stuff like undefined var reference, unreachable code, and more.
Hey #AzureDevOps #developers! We just added support for mono-repositories! Now, you can have one Quality Gate per project. And your comments in your PR will be tagged with the name of the related project. Let us know how that works for you! #codequality
Ever wondered what it takes to detect tricky bugs in C++ code? 🐛
Loïc, engineer in our Language Team, and member of @isocpp, just blogged about the intricacies of #cplusplus static code analysis!
👉
Hey #GitHub #developers! We just added support for mono-repositories! Now, you can have one Quality Gate per project. And your comments in your PR will be tagged with the name of the related project. Let us know how that works for you! #codequality
Making clean code a mantra for all @AzureDevops users! SonarCloud decorates your Pull Requests, keeping bugs out so that you can merge with confidence!
Learn more 👉🏽
We are excited to announce that SonarSource has acquired @ripstech!
Joining forces in building top-notch code security analyzers, helping all dev teams deliver more secure software. 💪
#appsec #developer-first
Read more on our blog 👉
Import of issues from external linters with built-in support for TypeScript projects, support for the Go language, first version of the GitHub Application, ... check all what's recently been added to SonarCloud!
Hey @telegram, how about using SonarCloud for improving code quality and code security? Seems like we could help fix some bugs and vulnerabilities in your code. It's free for open source projects, with access to all the features! 😉
Keeping your project’s code clean and safe is a team effort! SonarCloud provides a place where you get full visibility on the status & activity of your project. You’re going to love it! #developers #DevOps
Developers, you now have a tool to own Code Security
And guess what? You've been using it all along!
Sonar[Qube|Cloud] gives you unparalleled precision in SAST detection without sacrificing performance.
All you have to do is make sure you're up to date
Better Code Quality for your #JUnit tests with a set of new rules helping you to make sure you're following the framework's best practices! #java #security
We’re happy to introduce everyone to @Sonar_Research! If you’ve been a fan of our #security blogs & code challenges, then follow this page! Our R&D Team can’t wait to share their next critical code vulnerabilities in high-profile projects 👨💻🔎
SonarCloud will no longer execute #Pylint rules! It's time to say thank you and goodbye! We have now reached a point on #Python analysis where our native coding rules will get you faster, more accurate results, with fewer false-positives. #codequality
Detect XSS vulnerabilities on DTL and Jinja2 template files! We are now analyzing Controller and HTML files in your #Python web apps made with #Django or #Flask. #CodeSecurity
A more modern, consistent, and accessible #UI for @SonarCloud is born. New shapes, new colors, new fonts, consolidated layouts and components… Check it out!
@SonarSource There is an Open Redirect vulnerability! An attacker can send a link like ?next=javascript:alert(1) or ?next=//phishing.url to redirect you to a malicious site.
Here is our solution on SonarCloud:
You want to follow the status of the service or be notified in advance of planned maintenances? Follow our new @sonarcld_status Twitter account and visit !
Using SonarCloud? Want to help improve the product experience? We'd love to interview you! You'll get a $30 Amazon gift card in exchange. Fill out the form to get a chance to participate. #usersurvey
Today we have improved the functionality of SonarCloud centered around the analysis of C/C++/Objective-C code. Read "Continuously Improving Analysis of C/C++/Objective-C Code" by @nicoallgood
@nefarioustim @gitlab We contacted them a couple of times already to work together, but unfortunately it looks like they're not interested. And we prefer to concentrate on partners who are willing to build something great with us!
@IkeMtz @AzureDevOps We are currently indeed experiencing delay in report processing, as communicated on .
We do our best to get back to normal as soon as possible. Sorry for the inconvenience.
Old-school #SAST tools raise lots of issues and expect someone else to sort it out. @SonarSource knows #developers don't have time for that. When we raise a #vulnerability you know there's something to fix
New #Java #Vulnerabilities detected through the support of more APIs! SonarCloud is getting supercharged with the integration of the RIPS-TECH configuration
@ocodista JavaScript analysis uses ESLint, but goes far beyond and includes things like taint analysis. And if you use other languages in your project, well, that's covered too.
Welcome aboard! 🌅
@SonarSource This code has an Argument Injection vulnerability in line 34 via the txtPackage input field.
Executing own system commands is not possible but additional parameters can be appended to the executed "nuget" command.
Break out of #react-ive mode with late discovery of code flaws. Start analyzing your code with SonarCloud and fix bugs and code smells while the code is still fresh in mind! #Javascript #TypeScript
@SonarSource Well done, denial of service via a user controlled regular expression (ReDoS) was what we were looking for here. Find out more about this #vulnerability:
Who said #CodeQuality & #CodeSecurity had to be painful? SonarCloud makes it easy for you! Our new project experience - available in beta - helps you assess your code health in seconds and support your team effort. Try it now!
How do you ensure your #Java pull requests are clean? In less than 3 minutes with SonarCloud you can get fast, precise feedback in your PRs. Give it a try.
@SonarSource Well done! There was a tiny slip in the regex (line 18) that leads to a validation bypass and a Local File Inclusion (LFI) vulnerability (line 21). The dash in ".-_" allows chars in the range from "." to "_" including "../".
Find out more about LFI here:
Review your security vulnerabilities directly in #GitHub. SonarCloud now integrates with code scanning allowing:
> Easy code security review & prioritization
> Fast security vulnerability investigation
> Instant issue status synchronization
Try it now!
@SonarSource This challenge was about (in)secure communication. The http:// protocol is used that enables Man-in-the-Middle attacks. And even when the protocol is changed to https://, the certificate validation is bypassed. Find out more here:
@SonarSource E.g., the -Source parameter enables to install malicious packages from a remote repo, e.g. "package -Source ". Our payload is also used to create a directory name in line 31 which forbids ":". By using a long package name (>MAX_PATH) we can bypass this.
SonarCloud Product News is here! Subscribe to receive information on product releases, events, and other updates, delivered directly to your email inbox. It’s never been easier to stay in the loop for all things SonarCloud.
Subscribe below 👇
@SonarSource In this #csharp code the backslash character can be used in a path traversal attack (..\) to disclose arbitrary files from the (Windows) host.
Find out more about Path Injection here:
And here goes to you @code users: SonarLint now supports analysis of Java code in VSCode! 🎯
Free update from the Marketplace, and you'll be catching @java bugs and vulnerabilities in no time.
👉