Duration 3 days – 21 hrs
Overview
This hands-on training introduces SonarQube for static code analysis and code quality checks, Snyk for open-source dependency vulnerability scanning, and Checkmarx for advanced static application security testing (SAST). Participants will learn how to integrate these tools into CI/CD pipelines to detect issues early and ensure secure, maintainable, and compliant code. The course emphasizes DevSecOps best practices tailored to development and QA teams.
Objectives
- Understand the principles of code quality and application security.
- Use SonarQube to identify and fix code smells, bugs, and security hotspots.
- Use Snyk to scan for vulnerabilities in open-source libraries and containers.
- Use Checkmarx for comprehensive static code analysis.
- Integrate all tools into CI/CD pipelines for automated scanning and reporting.
- Interpret scan results and remediate findings in real-world projects.
Audience
- Software Developers
- QA Engineers
- DevSecOps Engineers
- Software Architects
- Team Leads and Technical Managers involved in secure SDLC
Pre-requisites
- Basic knowledge of software development lifecycle
- Familiarity with Git, CI/CD, and IDEs
- Understanding of source code and dependency management
- (Optional) Familiarity with JavaScript, Java, Python, or similar languages
Content
Day 1: Code Quality & Static Analysis with SonarQube
Introduction to Code Quality & Technical Debt
- Clean code principles
- Role of static analysis in Dev-QA workflows
SonarQube Overview
- SonarQube architecture: scanner, server, plugins
- Supported languages and integration options
Installing and Configuring SonarQube
- Local setup and connecting to projects
- Using SonarScanner and SonarLint
Interpreting SonarQube Reports
- Code smells, bugs, vulnerabilities, duplications
- Quality Gates and technical debt ratio
Hands-on Lab
- Run SonarQube analysis on a sample project
- Interpret and fix identified issues
Day 2: Dependency & Container Security with Snyk
Introduction to Software Composition Analysis (SCA)
- What are OSS vulnerabilities? CVEs and security databases
- Why QA and Devs must monitor dependencies
Using Snyk CLI and Web Interface
- Scanning for vulnerabilities in code, Docker, and Kubernetes
- Understanding severity, exploit maturity, and remediation advice
Fixing Vulnerabilities
- Auto-fix and manual patching
- Ignoring findings and accepting risk where appropriate (with a documented reason and an expiry date)
Snyk Integrations
- GitHub, GitLab, Jenkins, IDEs, and Docker Hub integrations
- Managing projects and policies in Snyk dashboard
Hands-on Lab
- Scan and fix vulnerabilities in a Node.js or Java project using Snyk
Day 3: Secure Code Analysis with Checkmarx + DevSecOps Integration
Secure Coding & Static Application Security Testing (SAST)
- OWASP Top 10 and real-world risks
- Why early detection is critical
Checkmarx Overview
- Capabilities and scanning flow
- Supported technologies and integration approaches
Using Checkmarx
- Uploading projects, configuring scans, and interpreting reports
- Understanding data flow analysis and security categories
CI/CD Pipeline Integration
- Automating scans in Jenkins, GitLab CI, or Azure DevOps
- Gates, thresholds, and fail criteria in pipelines
Hands-on Lab
- Run a Checkmarx scan and configure a build breaker in a pipeline
- Discuss and remediate issues collaboratively
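As an added example that is not part of the course material or any vendor's code, the following Python build-breaker ties together the Day 2 topics (severity, exploit maturity, accepted risk with expiry) and the Day 3 pipeline topics (gates, thresholds, fail criteria). It reads a report in the shape of `snyk test --json` output (only the common fields id, severity, exploit, packageName, version, isUpgradable, fixedIn, from are used; the package names, the SNYK-EXAMPLE-* ids and the ignore entries are constructed), drops findings covered by an unexpired accepted-risk entry, optionally rates a finding one level higher when a mature public exploit exists, and exits non-zero when a per-severity maximum is exceeded. The ignore format and the escalation rule are this example's own policy choices, not Snyk defaults.

```python
"""Build-breaker gate for dependency-scan results (added example, not Snyk's own code).
Field names follow the shape of `snyk test --json` output; the data, the ignore
format and the escalation rule are assumptions made for this example."""
import json
import sys
from datetime import date

SEVERITIES = ["low", "medium", "high", "critical"]

# Constructed sample report (hypothetical packages and SNYK-EXAMPLE-* ids).
SAMPLE_REPORT = json.loads("""
{
  "ok": false,
  "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "severity": "critical", "exploit": "Mature",
     "packageName": "parser-lib", "version": "1.2.0", "isUpgradable": true,
     "fixedIn": ["1.2.1"], "from": ["demo-app@1.0.0", "parser-lib@1.2.0"]},
    {"id": "SNYK-EXAMPLE-0002", "severity": "high", "exploit": "Not Defined",
     "packageName": "legacy-utils", "version": "0.9.0", "isUpgradable": false,
     "fixedIn": [], "from": ["demo-app@1.0.0", "build-tool@4.1.0", "legacy-utils@0.9.0"]},
    {"id": "SNYK-EXAMPLE-0003", "severity": "medium", "exploit": "Proof of Concept",
     "packageName": "tpl-engine", "version": "3.0.0", "isUpgradable": true,
     "fixedIn": ["3.0.4"], "from": ["demo-app@1.0.0", "tpl-engine@3.0.0"]},
    {"id": "SNYK-EXAMPLE-0004", "severity": "low", "exploit": "Not Defined",
     "packageName": "log-fmt", "version": "2.2.0", "isUpgradable": true,
     "fixedIn": ["2.3.0"], "from": ["demo-app@1.0.0", "log-fmt@2.2.0"]},
    {"id": "SNYK-EXAMPLE-0005", "severity": "medium", "exploit": "Mature",
     "packageName": "xml-parse", "version": "1.0.0", "isUpgradable": false,
     "fixedIn": [], "from": ["demo-app@1.0.0", "web-fw@2.0.0", "xml-parse@1.0.0"]}
  ]
}
""")

# Accepted-risk list (assumed format, loosely modeled on a .snyk ignore block).
# Every entry carries a reason and an expiry; an expired entry suppresses nothing.
IGNORES = {
    "SNYK-EXAMPLE-0002": {"reason": "legacy-utils only runs in the build container",
                          "expires": "2099-01-01"},
    "SNYK-EXAMPLE-0004": {"reason": "temporary: waiting on upstream release",
                          "expires": "2020-01-01"},  # expired: finding counts again
}

# Fail criteria: maximum findings allowed per severity (absent = unlimited).
DEFAULT_THRESHOLDS = {"critical": 0, "high": 0, "medium": 5}


def active_ignores(ignores, today):
    """Ids whose accepted-risk entry has not yet expired on `today`."""
    return {vid for vid, e in ignores.items() if date.fromisoformat(e["expires"]) > today}


def effective_severity(vuln, escalate_mature):
    """Rate a finding one level higher when a mature public exploit exists."""
    sev = vuln["severity"]
    if escalate_mature and vuln.get("exploit") == "Mature" and sev != "critical":
        sev = SEVERITIES[SEVERITIES.index(sev) + 1]
    return sev


def remediation(vuln):
    """Upgrade advice when a fix exists, otherwise the dependency path that introduced it."""
    if vuln.get("isUpgradable") and vuln.get("fixedIn"):
        return f"upgrade {vuln['packageName']} {vuln['version']} -> {vuln['fixedIn'][0]}"
    return "no upgrade available; introduced via " + " > ".join(vuln.get("from", []))


def evaluate_gate(report, ignores=IGNORES, thresholds=DEFAULT_THRESHOLDS,
                  escalate_mature=True, fail_on_upgradable_only=False, today=None):
    """Decide pass/fail and explain why. `today` is an ISO date string (None = now)."""
    today = date.fromisoformat(today) if today else date.today()
    suppressed = active_ignores(ignores, today)
    counts = {s: 0 for s in SEVERITIES}
    considered, deferred = [], []
    for v in report["vulnerabilities"]:
        if v["id"] in suppressed:
            continue
        if fail_on_upgradable_only and not v.get("isUpgradable"):
            deferred.append(v["id"])  # reported, but not something a developer can fix today
            continue
        sev = effective_severity(v, escalate_mature)
        counts[sev] += 1
        considered.append((v, sev))
    exceeded = {s for s, n in counts.items() if s in thresholds and n > thresholds[s]}
    blocking = [v for v, sev in considered if sev in exceeded]
    return {
        "passed": not blocking,
        "counts": counts,
        "blocking": [v["id"] for v in blocking],
        "remediation": {v["id"]: remediation(v) for v in blocking},
        "suppressed": sorted(suppressed & {v["id"] for v in report["vulnerabilities"]}),
        "deferred": deferred,
    }


if __name__ == "__main__":
    # Pipeline step: `snyk test --json > snyk.json && python gate.py snyk.json`
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    result = evaluate_gate(report)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)  # non-zero exit breaks the build
```

Run against the embedded sample the gate fails on the critical finding and on the medium one escalated because of its mature exploit, while the high finding stays suppressed by its unexpired ignore and the expired ignore no longer hides the low one. Setting `fail_on_upgradable_only=True` mirrors the "only block on what can be fixed now" policy: the non-upgradable finding is listed under `deferred` instead of blocking the build, which keeps the pipeline red only when a developer actually has an action to take.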