availability

Package: Invicti AppSec Enterprise (on-premise, on-demand)

SonarCloud SAST

Invicti AppSec supports SonarCloud as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the SonarCloud integration.

SonarCloud is a cloud-based code quality and security service by Sonar. It supports 30+ programming languages and integrates with popular CI/CD platforms.

Prerequisites

Before starting the integration, ensure you have the following information from your SonarCloud account:

Field	Description	Required
Token	User token generated from your SonarCloud account	Yes
Organization	Your SonarCloud organization key	Yes

info

The SonarCloud URL is automatically set to https://sonarcloud.io and does not need to be configured.

Get a Token (on SonarCloud Side)

Log in to SonarCloud at https://sonarcloud.io.
Click on your avatar (upper right-hand corner) and select My Account.
Navigate to the Security tab.
Under Generate Tokens, enter a token name.
Select the token type: User Token.
Click Generate and copy the token immediately (it won't be shown again).

Step 1: Navigate to Integrations

From the left sidebar menu, click on Integrations.

Step 2: Select the SAST Tab

On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Select the SAST Tab

Step 3: Find and Activate SonarCloud

Scroll through the list of SAST scanners to find SonarCloud.

If SonarCloud is not activated, you will see an "Activate" button. Click it to enable the integration.
If SonarCloud is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.

info

The scan method badge on the SonarCloud card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).

Step 4: Configure Connection Settings

Click on the gear icon on the SonarCloud card to open the configuration panel. Fill in the required fields:

Token: Paste the user token you generated from SonarCloud.
Organization: Enter your SonarCloud organization key (found in your SonarCloud organization settings).

Step 5: Test the Connection

Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials are correct.

If the connection is successful, the integration is ready to use.
If the connection fails, verify your Token value.
For existing integrations, you can use the "Retest Connection" button at the top of the panel.

Step 6: Advanced Settings (Optional)

Click on "Advanced Settings" to expand additional options:

Setting	Description	Default
Allow team leads to scan this instance	Permits team leads to trigger scans using this SonarCloud instance	Off
Allow team leads to create new instances	Permits team leads to create additional SonarCloud instances	Off

After modifying advanced settings, click "Save Advanced Settings" to apply changes.

Summary

Step	Action
1	Navigate to Integrations from the sidebar
2	Select the SAST tab under Scanners
3	Find SonarCloud and click Activate (if not already active)
4	Click the gear icon and fill in Token and Organization
5	Click Test Connection to verify
6	(Optional) Configure Advanced Settings for team lead permissions

Create a Scan

After activating and configuring SonarCloud, you can create scans from your project's scanner settings.

Navigate to Project Scanners

Go to your Project page.
Click on the Settings tab.
Select Scanners from the left sidebar.

Add SonarCloud Scanner

In the scanner type dropdown, select SAST.
In the scanner dropdown, search for and select SonarCloud.
Click the Add button to open the scan configuration drawer.

Scan Configuration Fields

Field	Description	Required
Environment	Select the environment for the scan (optional)	No
Bind to	Select the SonarCloud project to bind to	Yes
Branch	Specify the branch to scan	No
Meta Data	Additional metadata for the scan (optional)	No
Scan Tag	Tag to identify the scan (optional)	No
Fork Default Branch	Enable to fork the default branch before scanning	No

Scheduler

Now: Run the scan immediately after saving.
Custom Date: Schedule the scan for a specific date and time.

Webhook (Optional)

Enable webhook to trigger scans via actions taken on your application lifecycle management tool:

Check the Trigger scans via actions checkbox.
Select the Platform (e.g., GitHub, GitLab, Bitbucket).
Click Generate to create a Secret Key for webhook authentication.

KDT Command

You can also trigger SonarCloud scans from your CI/CD pipeline using KDT:

kdt scan -p <project_name> -t sonarcloud -b <branch_name>

Click Save to create the scan configuration.

Troubleshooting

Connection Fails

Invalid Token: Ensure the token has not been revoked or expired. Generate a new token from SonarCloud > My Account > Security.
Wrong Organization: Verify the Organization key matches your SonarCloud organization exactly (case-sensitive).
Network Issues: Ensure the Invicti AppSec instance can reach https://sonarcloud.io.

Scan Issues

No Projects Found: Verify the token has access to the specified organization's projects.
Branch Not Found: Ensure the branch has been analyzed in SonarCloud before attempting to import results.
Empty Results: Confirm that the SonarCloud project has completed at least one analysis.

Best Practices

Use Dedicated Tokens: Create a separate token for the Invicti AppSec integration rather than reusing personal tokens.
Rotate Tokens Regularly: Regenerate tokens periodically as part of your security practices.
Organization Naming: Use the organization key (not the display name) when configuring the integration.
Match Branch Names: Ensure branch names in Invicti AppSec match those in SonarCloud for accurate result mapping.

Limitations

Cloud-Only: SonarCloud is a cloud service. For self-hosted SonarQube, use the SonarQube integration instead.
Organization Scope: The token provides access to all projects within the specified organization.
API Rate Limits: SonarCloud may enforce rate limits on API requests for large organizations.

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?

Prerequisites​

Get a Token (on SonarCloud Side)​

Step 1: Navigate to Integrations​

Step 2: Select the SAST Tab​

Step 3: Find and Activate SonarCloud​

Step 4: Configure Connection Settings​

Step 5: Test the Connection​

Step 6: Advanced Settings (Optional)​

Summary​

Create a Scan​

Navigate to Project Scanners​

Add SonarCloud Scanner​

Scan Configuration Fields​

Scheduler​

Webhook (Optional)​

KDT Command​

Troubleshooting​

Connection Fails​

Scan Issues​

Best Practices​

Limitations​

Need help?​