Static Application Security Testing
Analyzing the source code before compilation provides a highly scalable method of security code review and helps ensure that secure coding policies are being followed.
SonarQube is an open-source platform that helps teams manage code quality. It provides a centralized location for developers to analyze and manage their code's quality and security, and to detect bugs, vulnerabilities, and potential issues in the codebase. The platform supports multiple programming languages and offers a range of features including code analysis, coverage, duplication detection, and code smell detection. It also integrates with various build systems and continuous integration tools, making it easier to incorporate code quality checks into your development process. Overall, SonarQube helps teams ensure that their code meets industry standards, reducing technical debt and improving the overall quality and maintainability of their codebase.
This should be 95% or higher, with 0 Code Smells. If it is lower, investigate the issues and fix them; the SonarQube dashboard shows the details of each issue. There are two types of issues: bugs and vulnerabilities. Bugs are problems in the code that can cause a crash or other unexpected behavior. Vulnerabilities are problems in the code that an attacker can exploit.
CodeQL should run on every push to the main/master branch of the repository.
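As an added example (not taken from the original page or from any project it describes), the following GitHub Actions workflow satisfies the CodeQL requirement above by running the analysis on every push to main or master. The workflow file path, the `language` matrix values and the optional `pull_request` trigger are assumptions to adapt to the repository.

```yaml
# .github/workflows/codeql.yml  (added example; path is an assumption)
name: CodeQL

on:
  push:
    branches: [main, master]      # run on every push to the main/master branch, as required above
  pull_request:
    branches: [main, master]      # assumption: also scan changes before they are merged

permissions:
  contents: read                  # needed to check out the code
  security-events: write          # needed to upload SARIF results to the repository's Security tab

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false            # keep scanning the other languages if one analysis fails
      matrix:
        language: [python, javascript]   # assumption: replace with the languages used in the repository

    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # queries: security-extended   # optional: run the broader security query suite

      - name: Autobuild
        # Compiled languages need a build for CodeQL to extract a database;
        # for interpreted languages such as Python or JavaScript this step is harmless.
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Findings appear as code scanning alerts under the repository's Security tab, so a failed or missing run on the default branch is itself a signal to check.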