SonarQube Vs Trivy
- SonarQube = code quality/security analysis for the code itself (e.g., catching bad coding practices).
It performs static analysis on the source, catching bugs, code smells, and security vulnerabilities before the code is compiled or deployed.
Real-world example: if you're developing a Java web application and want to ensure that your code follows best practices (clean code), you integrate SonarQube with your CI/CD pipeline (e.g., Jenkins). After a code push, SonarQube checks for issues like SQL injection or unoptimized code patterns.
- Trivy = Vulnerability scanning for dependencies and containers (e.g., ensuring the base Docker image is safe).
Trivy is a container vulnerability scanner.
Real-world example: if you're deploying a Docker container (say, a Node.js app), Trivy scans the container image for known vulnerabilities in libraries or system packages before it is pushed to production. It helps ensure that the base image and the installed packages are free of known vulnerabilities.
Install SonarQube
SonarQube (running the public sonarqube image):
docker run -d --name sonar -p 9000:9000 sonarqube:lts-community
docker images
You can see that the SonarQube image has been pulled. Access the UI at elasticip:9000.
Log in with the default credentials admin / admin and set your own password.
Install Trivy
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy version
Trivy commands (good to know)
Trivy scans for vulnerabilities in filesystems and Docker images.
The command below scans all the files in the current directory.
trivy fs .
The command below scans a particular image (by name or image ID).
trivy image imageid
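As an added example that is not part of the original notes, here is a small Python CI gate around the `trivy image` command above: it runs Trivy with JSON output, counts findings per severity, and fails the pipeline when a CRITICAL or HIGH vulnerability that already has a fixed version is present. The severity policy, the image name and the sample report embedded for offline use are my own assumptions, not Trivy output.

```python
import json
import subprocess
import sys
from collections import Counter

# Severities that block the push to production (assumed policy, not from the notes).
BLOCKING = {"CRITICAL", "HIGH"}

def run_trivy_image(image):
    """Scan a container image with Trivy and return the parsed JSON report.
    `trivy image --format json` prints the report on stdout; --quiet keeps
    progress output off stdout so it parses cleanly."""
    proc = subprocess.run(
        ["trivy", "image", "--quiet", "--format", "json", image],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)

def summarize(report):
    """Count vulnerabilities per severity across all scan targets
    (OS packages and application dependencies are separate Results entries)."""
    counts = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln["Severity"]] += 1
    return dict(counts)

def blocking_findings(report):
    """Findings that fail the pipeline: blocking severity AND a FixedVersion
    exists, so rebuilding the image with updated packages resolves them."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] in BLOCKING and vuln.get("FixedVersion"):
                findings.append((result["Target"], vuln["PkgName"],
                                 vuln["VulnerabilityID"], vuln["FixedVersion"]))
    return findings

# Constructed sample in the shape of a Trivy JSON report; CVE ids are placeholders.
SAMPLE_REPORT = {"Results": [
    {"Target": "node:18-slim (debian 12.2)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash", "InstalledVersion": "5.2", "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.0", "FixedVersion": "4.17.21", "Severity": "MEDIUM"}]}]}

if __name__ == "__main__":
    report = run_trivy_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("severity counts:", summarize(report))
    blocked = blocking_findings(report)
    for target, pkg, cve, fix in blocked:
        print(f"BLOCK {target}: {pkg} {cve} (fixed in {fix})")
    sys.exit(1 if blocked else 0)
```

Trivy's own `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` flags implement the same gate without any parsing; a script like this is only needed when the pipeline must report counts or apply a richer policy.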