docker-bench-security VS SonarQube

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security

So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .

git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo sh docker-bench-security.sh

when deploying images on cloud, I always run it thru "docker bench security" It helps finding potential security holes in my images.

Use Docker Bench for Security to audit your container images

Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

I run https://github.com/docker/docker-bench-security against my environment. I would determine what was non-applicable/not scored and then start with scored. Then I would do not scored. My team had made their own Dockerfiles when I started and just grabbed whatever image/version and getting things baselined was not fun. I had to do this for docker-compose and stay on version 2 yml as otherwise I had to go to swarm.

SonarQube (Scroll down to the Sonarqube section to see instructions on how to set up and configure SonarQube manually)

SonarQube https://www.sonarqube.org/

There are commercial tools that can be integrated into a CI pipeline and/or a developer's IDE. I've used SonarQube before, but there are others.

having a code review and analysis tool in CI/CD pipeline can help developers to keep their code clean. some examples of these tools are sonarqube and embold.

But back in 2012, tech debt-related tools were in their infancy. JetBrains released IntelliJ IDEA in 2000, and SonarQube was initially released in 2006. Stepsize started in 2015, and Visual studio intellicode wasn't made by Microsoft until 2018.

Sonarqube Source Code Repository

The generated classes should be put into .gitignore. Otherwise, if you have Checkstyle, PMD, or SonarQube in your project, then generated classes can violate some rules. Besides, if you don't put them into .gitignore, then each pull request might become huge due to the fact that even a slightest fix can lead to lots of changes in the generated classes.