Connect APVISO with SonarQube
Correlate APVISO runtime pentest findings with SonarQube code quality and security analysis. Bridge the gap between static and dynamic testing.
Why connect APVISO with SonarQube?
Static Meets Dynamic
Correlate SonarQube's static code analysis findings with APVISO's runtime penetration testing to confirm which code issues are exploitable.
Code-Level Remediation Context
When APVISO finds an exploitable vulnerability, the SonarQube correlation points to the file and line of the matching SonarQube issue, so remediation starts at the code rather than at the endpoint.
Quality Gate Enhancement
Extend SonarQube's quality gate concept with APVISO's runtime security data, blocking releases that have exploitable vulnerabilities.
Setup Guide
Generate a SonarQube Token
In SonarQube, generate a user token for the account APVISO will use. A user token carries that account's permissions, so create a dedicated account with Browse permission on the projects you intend to map and nothing more; APVISO uses the token to query SonarQube issues for correlation. Store the token as a secret, not in a scan configuration file.
Configure in APVISO
Enter your SonarQube server URL and token in Settings > Integrations > SonarQube. Map APVISO targets to SonarQube project keys.
Enable Correlation
Configure finding correlation rules. APVISO will link runtime findings to related SonarQube issues based on vulnerability type and affected component.
Features
- Correlate APVISO runtime findings with SonarQube static analysis
- Link exploitable vulnerabilities to source code locations
- Enrich SonarQube issues with runtime exploitation evidence
- Support for SonarQube and SonarCloud
- Unified security view across static and dynamic analysis
How APVISO Integrates with SonarQube
APVISO's SonarQube integration correlates runtime penetration testing findings with static code analysis results. For teams that use SonarQube to maintain code quality and security, this integration adds the critical question: "Is this code issue actually exploitable in production?"
Static and Dynamic Correlation
SonarQube performs static application security testing (SAST), analyzing source code for security vulnerabilities, code smells, and bugs without executing the application. APVISO performs dynamic application security testing (DAST) by actively probing the running application. The integration links findings across these two approaches.
When SonarQube flags a potential SQL injection in a database query and APVISO confirms that the corresponding API endpoint is vulnerable to SQL injection at runtime, the findings are correlated. This provides both the source code location (from SonarQube) and the exploitation proof (from APVISO).
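The setup steps above and the SQL-injection case in this paragraph, as a worked example added here (it is not APVISO's integration code and does not show APVISO's internal data model): it validates the SonarQube token, pulls a project's open vulnerabilities over SonarQube's Web API, and correlates a constructed runtime finding against them by vulnerability type and affected component. The hostname, token, project key, route-to-source map, the shape of the runtime finding and the category-to-rule table are assumptions; the two SonarQube endpoints and their response shapes are real. The canned responses are constructed so the block runs offline.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlencode, urlparse

SONAR_URL = "https://sonar.example.internal"  # assumed
TOKEN = "squ_placeholder_token"               # assumed; never commit a real one
PROJECT_KEY = "shop-api"                      # assumed SonarQube project key
Transport = Callable[[str, Dict[str, str]], dict]  # (url, headers) -> parsed JSON

def auth_headers(token: str) -> Dict[str, str]:
    # A SonarQube user token goes in the Basic-auth username with an empty password.
    # It inherits the user's permissions, so mint it for a dedicated user that
    # only has "Browse" on the mapped projects.
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}", "Accept": "application/json"}

def token_is_valid(base_url: str, token: str, transport: Transport) -> bool:
    # GET /api/authentication/validate -> {"valid": true|false}
    body = transport(f"{base_url}/api/authentication/validate", auth_headers(token))
    return bool(body.get("valid"))

def fetch_open_vulnerabilities(base_url: str, token: str, project_key: str,
                               transport: Transport, page_size: int = 500) -> List[dict]:
    # GET /api/issues/search pages its results; stop once p*ps covers paging.total.
    # The API refuses to page past 10,000 results, so narrow the filter if you hit that.
    issues, page = [], 1
    while True:
        params = urlencode({"componentKeys": project_key, "types": "VULNERABILITY",
                            "statuses": "OPEN,REOPENED,CONFIRMED", "ps": page_size, "p": page})
        body = transport(f"{base_url}/api/issues/search?{params}", auth_headers(token))
        issues.extend(body.get("issues", []))
        paging = body.get("paging", {})
        if page * paging.get("pageSize", page_size) >= paging.get("total", 0):
            return issues
        page += 1

@dataclass
class RuntimeFinding:  # assumed shape of an APVISO runtime finding
    category: str      # e.g. "sql_injection"
    method: str
    path: str
    evidence: str

# Assumed correlation rules: APVISO category -> SonarQube rule keys. The keys are
# Sonar's taint-analysis rules for injection and XSS; verify them on your instance.
RULE_MAP = {
    "sql_injection": {"javasecurity:S3649", "pythonsecurity:S3649", "jssecurity:S3649"},
    "xss": {"javasecurity:S5131", "pythonsecurity:S5131", "jssecurity:S5131"},
}

def correlate(finding: RuntimeFinding, issues: List[dict],
              route_components: Dict[str, List[str]]) -> List[dict]:
    # Vulnerability type must agree. A component match (route -> source files,
    # assumed to come from the APVISO target mapping) lifts confidence to "high";
    # without it the match stays "low", since a runtime probe cannot see the code path.
    wanted = RULE_MAP.get(finding.category, set())
    hinted = set(route_components.get(f"{finding.method} {finding.path}", []))
    matches = []
    for issue in issues:
        if issue.get("rule") not in wanted:
            continue
        comp_path = issue.get("component", "").split(":", 1)[-1]
        matches.append({"key": issue["key"], "component": comp_path, "line": issue.get("line"),
                        "confidence": "high" if comp_path in hinted else "low"})
    return sorted(matches, key=lambda m: m["confidence"] != "high")

# Constructed SonarQube responses for the offline demo (not real scan output).
_CANNED = {
    "/api/authentication/validate": {"valid": True},
    "/api/issues/search": {
        "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
        "issues": [
            {"key": "AY-1", "rule": "javasecurity:S3649", "line": 42,
             "component": "shop-api:src/main/java/com/shop/OrderRepository.java"},
            {"key": "AY-2", "rule": "javasecurity:S3649", "line": 88,
             "component": "shop-api:src/main/java/com/shop/ReportRepository.java"},
            {"key": "AY-3", "rule": "javasecurity:S5131", "line": 17,
             "component": "shop-api:src/main/java/com/shop/SearchController.java"},
        ],
    },
}

def canned_transport(url: str, headers: Dict[str, str]) -> dict:
    assert headers["Authorization"].startswith("Basic "), "token header missing"
    return _CANNED[urlparse(url).path]

def demo() -> List[dict]:
    # Constructed APVISO finding: SQL injection confirmed on the orders endpoint.
    if not token_is_valid(SONAR_URL, TOKEN, canned_transport):
        raise SystemExit("SonarQube rejected the token; check it and its Browse permission")
    issues = fetch_open_vulnerabilities(SONAR_URL, TOKEN, PROJECT_KEY, canned_transport)
    finding = RuntimeFinding("sql_injection", "GET", "/api/orders/{id}",
                             "id=1' OR '1'='1 returned every order")
    routes = {"GET /api/orders/{id}": ["src/main/java/com/shop/OrderRepository.java"]}
    return correlate(finding, issues, routes)
```

Against the canned data, `demo()` returns the two S3649 issues with the OrderRepository one first at high confidence and the unrelated XSS issue filtered out. To run it against a real server, replace `canned_transport` with a function that performs the GET with `urllib.request` and JSON-decodes the body; the token check then fails fast if the token is wrong or the account lacks Browse on the project.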
Prioritization Through Exploitability
SonarQube may flag hundreds of potential security hotspots in a large codebase. Developers often struggle to prioritize these findings, especially when SonarQube cannot determine whether a flagged pattern is actually exploitable in context. APVISO's runtime testing provides this exploitability context.
When APVISO confirms that a SonarQube finding is exploitable, prioritize it for immediate remediation. SonarQube findings that APVISO cannot exploit at runtime are not thereby proven safe: the tested surface may not reach the flagged code, or exploitation may need a precondition the test did not satisfy. They can be scheduled for later remediation cycles, but they still warrant review.
Source Code Context for Runtime Findings
The correlation works in both directions. When APVISO discovers a runtime vulnerability, the SonarQube integration identifies the likely source code location. This means security teams can provide developers with both the exploitation evidence (from APVISO) and the exact code line to fix (from SonarQube), dramatically reducing the time from finding to fix.
Quality Gate Integration
SonarQube's quality gate concept can be extended with APVISO data. SonarQube's native quality gate evaluates only code quality metrics and static analysis findings; it has no visibility into runtime results. Combining it with APVISO adds a runtime security dimension: a release that passes SonarQube's static checks but fails APVISO's runtime checks should be blocked, just as one that fails the static gate is.
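A pipeline-side gate that applies this rule, added here as an example (it is not APVISO's or SonarQube's own gate implementation): it reads SonarQube's project quality gate status, adds APVISO's exploitable findings, and fails closed when the static status cannot be obtained. The SonarQube endpoint and its response shape are real; the APVISO finding shape, the severity threshold and the sample inputs are assumptions.

```python
from typing import Dict, List, Optional

BLOCKING_SEVERITIES = {"critical", "high"}  # assumed release policy

def sonar_gate_status(body: Optional[dict]) -> Optional[str]:
    # GET /api/qualitygates/project_status?projectKey=<key> returns
    # {"projectStatus": {"status": "OK" | "ERROR" | "NONE", ...}}.
    # None means the call failed or the project is not mapped.
    if not body:
        return None
    return body.get("projectStatus", {}).get("status")

def release_gate(sonar_body: Optional[dict], findings: List[Dict]) -> Dict:
    # Fail closed: an unavailable static gate blocks just like a failing one ("NONE",
    # no gate configured, also blocks). Runtime findings block only when APVISO actually
    # exploited them and the severity meets the policy threshold; unexploited findings
    # are left for triage rather than blocking the release.
    reasons: List[str] = []
    status = sonar_gate_status(sonar_body)
    if status is None:
        reasons.append("SonarQube quality gate status unavailable; failing closed")
    elif status != "OK":
        reasons.append(f"SonarQube quality gate is {status}")
    for f in findings:
        if f["exploited"] and f["severity"] in BLOCKING_SEVERITIES:
            reasons.append(f"APVISO {f['id']}: exploitable {f['category']} ({f['severity']})")
    return {"allow": not reasons, "reasons": reasons}

# Constructed inputs: the static gate passes, but APVISO proved a critical SQL injection.
SAMPLE_SONAR = {"projectStatus": {"status": "OK", "conditions": []}}
SAMPLE_FINDINGS = [
    {"id": "F-101", "category": "sql_injection", "severity": "critical", "exploited": True},
    {"id": "F-102", "category": "xss", "severity": "high", "exploited": False},
]

def gate_demo() -> Dict:
    return release_gate(SAMPLE_SONAR, SAMPLE_FINDINGS)
```

With the sample inputs the release is blocked for F-101 alone; F-102 is reported but not blocking because APVISO did not exploit it. Dropping the static response (a failed API call, an unmapped project) also blocks, which is the behaviour you want from a gate that is supposed to be a control rather than a dashboard.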
Continuous Improvement
The correlation data between SonarQube and APVISO helps improve both tools over time. When APVISO discovers vulnerabilities that SonarQube did not flag, the security team can create custom SonarQube rules to catch similar patterns in future code reviews. This feedback loop continuously strengthens the shift-left security practice.
Frequently Asked Questions
Does APVISO send findings to SonarQube?
The integration primarily reads SonarQube data to correlate with APVISO findings. APVISO displays SonarQube source-level context alongside its runtime findings, and can add external issue links in SonarQube pointing to APVISO finding details. Any such write-back requires the token's user to hold the corresponding project permission; a token limited to Browse supports correlation but not write-back.
Does this work with SonarCloud?
Yes. The integration supports both SonarQube Server (self-hosted) and SonarCloud. Configure the appropriate URL and authentication method for your deployment.
Connect APVISO with SonarQube today
Set up the SonarQube integration in minutes and start correlating runtime findings with your code analysis.