Configure Connection Details of Security Assessment Tools
Continuous container security and code quality assessment is an integral part of a DevSecOps development environment. A code quality inspection tool helps developers continuously analyze and improve the quality of the source code by identifying bugs, duplications, security vulnerabilities, and code smells. A container security tool scans container images and related components to detect security vulnerabilities and potential security threats.
You can provide the connection details of your code quality inspection and container security tools in the Lazsa Platform and save your configurations. When you add or edit a stage in the Deploy phase of your product development life cycle, you can select these saved configurations in the stage details. Code quality analysis and container security scans are triggered by using these configurations during the deployment process in the Jenkins CI/CD pipeline from within the Lazsa Platform.
The Lazsa Platform currently supports the following security assessment tools:
- SonarQube
- Qualys Cloud Platform
To provide the connection details of your active accounts of these security assessment tools in the Lazsa Platform, perform these steps:
- Sign in to the Lazsa Platform and click Configuration in the left navigation pane.
- On the Platform Setup screen, on the Cloud Platform, Tools & Technologies tile, click Configure.
- On the Cloud Platform, Tools & Technologies screen, in the Security Assessment section, click Configure. (After you save connection details for at least one security assessment tool, you see the Modify button here.)
- On the Security Assessment screen, click the SonarQube tile or the Qualys tile to configure the connection properties of your active accounts for these tools.
SonarQube
Ensure that you complete the following prerequisites before you save the connection details for your SonarQube cloud and on-premises accounts:
Prerequisites
SonarQube on-premises
Tool: SonarQube on-premises
User Input required in Lazsa:
- URL
- Admin Username
- Token
Required Permissions: Write
Additional Details: Get all projects
SonarCloud
Tool: SonarCloud
User Input required in Lazsa:
- URL
- Admin Username
- Token
- Organization Details
Required Permissions: Write
Additional Details: Get all projects
To save the connection properties of your SonarQube account, provide the following details:
- Configuration Name: Give a name to your configuration. Your SonarQube connection details are saved by this name in the Lazsa Platform.
- SonarQube URL: Provide your SonarQube host URL.
- Installation Type: Depending on whether you use self-managed SonarQube or cloud-based SonarCloud as a service, choose the type of your Sonar product installation:
  - On-Premises
  - Cloud
- To provide your SonarQube or SonarCloud account credentials, do one of the following:
  - Connect using Lazsa Orchestrator Agent: Turn on this toggle to use the Lazsa Orchestrator Agent to programmatically retrieve the credential values stored in your secrets management tool within your private network and to establish communication with your SonarQube or SonarCloud instance.
    In the Lazsa Orchestrator Agent dropdown list, all your configured agents are displayed. Select the one you want to use to connect to your SonarQube or SonarCloud instance.
    The secrets management tool that the selected Orchestrator Agent is authorized to access for retrieving secrets is auto-selected. Specify the details of the SonarQube or SonarCloud secrets that the agent should retrieve from the secrets management tool. Currently, we support AWS Secrets Manager and Azure Key Vault.
    For AWS Secrets Manager, provide the Secret Name, Username Key, and Password Key for your SonarQube or SonarCloud credentials.
    For Azure Key Vault, provide the Vault Name, Username Secret, and Password Secret for your SonarQube or SonarCloud account credentials.
  - Select Secret Manager: If you don't use the Lazsa Orchestrator Agent, you can directly provide your SonarQube or SonarCloud credentials in the configuration, or retrieve them from a secrets management tool of your choice (such as AWS Secrets Manager or Azure Key Vault). Do one of the following:
    - Select Lazsa and type your SonarQube or SonarCloud account password. In this case, the credentials are securely stored in the Lazsa-managed secrets store.
    - Select AWS Secrets Manager. In the Secrets Management Tool dropdown list, the AWS Secrets Manager configurations that you save and activate in the Secret Management section on the Cloud Platform, Tools & Technologies screen are listed for selection. Select the configuration of your choice. Provide the Secret Name, Username Key, and Password Key for the Lazsa Platform to retrieve the secrets.
    - Select Azure Key Vault. In the Vault Configuration dropdown list, the Azure Key Vault configurations that you save and activate in the Secret Management section on the Cloud Platform, Tools & Technologies screen are listed for selection. Select the configuration of your choice. Provide the Vault Name, Username Secret, and Password Secret for the Lazsa Platform to retrieve the credential values.
- For a SonarCloud installation, provide the Organization Key that you have set in SonarCloud.
- Secure configuration details with a password: To password-protect your connection details, enable the Secure configuration details with a password option, enter a password, and then retype it to confirm. This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- Test Connection: Click Test Connection to check if you can connect to the configured SonarQube account successfully.
- After you save and activate the configured connection details, you can see them listed on the Cloud Platform, Tools & Technologies screen.
Qualys
Prerequisites
- To incorporate Qualys vulnerability scans into the Jenkins CI/CD pipeline (the default CI/CD tool used in the Lazsa Platform), install the Qualys Web App Scanning Connector for Jenkins into your Jenkins instance.
- Install the Qualys container scan agent on the Jenkins Master/Slave machine (the environment where Jenkins is running) with the CI/CD enabled flag.
To save the connection properties of your Qualys account, provide the following details:
- Configuration Name: Give a name to your configuration. Your Qualys connection details are saved by this name in the Lazsa Platform.
- Qualys Platform: Select the platform identifier where your Qualys account is located.
- Qualys Server URL: The URL of your Qualys API server is auto-populated depending on your selection of the Qualys platform.
- To provide your Qualys account credentials, do one of the following:
  - Connect using Lazsa Orchestrator Agent: Turn on this toggle to use the Lazsa Orchestrator Agent to programmatically retrieve the Qualys credential values stored in your secrets management tool within your private network and to establish communication with your Qualys instance.
    In the Lazsa Orchestrator Agent dropdown list, all your configured agents are displayed. Select the one you want to use to connect to your Qualys instance.
    The secrets management tool that the selected Orchestrator Agent is authorized to access for retrieving secrets is auto-selected. Specify the details of the Qualys secrets that the agent should retrieve from the secrets management tool. Currently, we support AWS Secrets Manager and Azure Key Vault.
    For AWS Secrets Manager, provide the Secret Name, Username Key, and Password Key for your Qualys credentials.
    For Azure Key Vault, provide the Vault Name, Username Secret, and Password Secret for your Qualys account credentials.
  - Select Secret Manager: If you don't use the Lazsa Orchestrator Agent, you can directly provide your Qualys credentials in the configuration, or retrieve them from a secrets management tool of your choice (such as AWS Secrets Manager or Azure Key Vault). Do one of the following:
    - Select Lazsa and type your Qualys account username and password. In this case, the user credentials are securely stored in the Lazsa-managed secrets store.
    - Select AWS Secrets Manager. In the Secrets Management Tool dropdown list, the AWS Secrets Manager configurations that you save and activate in the Secret Management section on the Cloud Platform, Tools & Technologies screen are listed for selection. Select the configuration of your choice. Provide the Secret Name, Username Key, and Password Key for the Lazsa Platform to retrieve the secrets.
    - Select Azure Key Vault. In the Vault Configuration dropdown list, the Azure Key Vault configurations that you save and activate in the Secret Management section on the Cloud Platform, Tools & Technologies screen are listed for selection. Select the configuration of your choice. Provide the Vault Name, Username Secret, and Password Secret for the Lazsa Platform to retrieve the credential values.
- Secure configuration details with a password: To password-protect your Qualys account connection details, enable the Secure configuration details with a password option, enter a password, and then retype it to confirm. This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- Test Connection: Click Test Connection to check if you can connect to the configured Qualys platform instance successfully.
- After you save and activate the configured connection details, you can see them listed on the Cloud Platform, Tools & Technologies screen.
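The Secret Name / Username Key / Password Key fields (AWS Secrets Manager) and the Vault Name / Username Secret / Password Secret fields (Azure Key Vault) in both the SonarQube and Qualys sections above describe two different lookup shapes: one JSON-valued secret with two keys inside it, versus two separately named secrets in one vault. The following Python example is added here to show how a credential lookup against those two shapes works and what it should do when a configured key or secret does not exist; it is not Lazsa Platform code and does not call the real services. Its assumptions: in-memory dictionaries stand in for AWS Secrets Manager and Azure Key Vault, the secret names, key names and values are constructed, and the configuration dictionary keys (`secret_manager`, `secret_name`, `username_key`, and so on) are this example's own, not the platform's.

```python
"""
Credential lookup modelled on the 'Select Secret Manager' choices.

Added example, not Lazsa Platform code. The two in-memory stores below
stand in for AWS Secrets Manager and Azure Key Vault so that the code
runs offline; every name and value in them is constructed.
"""
import json
from dataclasses import dataclass

# Constructed: an AWS Secrets Manager secret is one named value that, in
# this pattern, holds a JSON object with the username and password as keys.
AWS_SECRETS = {
    "prod/sonarqube": json.dumps({"user": "sonar-admin", "token": "sqa_example_token"}),
    "prod/qualys": json.dumps({"username": "qualys-api", "password": "example-pass"}),
}

# Constructed: an Azure Key Vault stores each value as its own named secret.
AZURE_VAULTS = {
    "sec-tools-kv": {
        "sonar-username": "sonar-admin",
        "sonar-token": "sqa_example_token",
    }
}


@dataclass(frozen=True)
class Credentials:
    username: str
    password: str

    def __repr__(self):
        # Never echo the secret value into logs or tracebacks.
        return f"Credentials(username={self.username!r}, password='***')"


def from_aws_secrets_manager(secret_name, username_key, password_key, store=AWS_SECRETS):
    """Resolve credentials from one JSON-valued secret (Secret Name /
    Username Key / Password Key). Errors name the missing key, never the
    secret's contents."""
    if secret_name not in store:
        raise LookupError(f"secret {secret_name!r} not found")
    try:
        payload = json.loads(store[secret_name])
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {secret_name!r} is not a JSON object") from exc
    if not isinstance(payload, dict):
        raise ValueError(f"secret {secret_name!r} is not a JSON object")
    missing = [k for k in (username_key, password_key) if k not in payload]
    if missing:
        raise KeyError(f"secret {secret_name!r} has no key(s) {missing}")
    return Credentials(payload[username_key], payload[password_key])


def from_azure_key_vault(vault_name, username_secret, password_secret, vaults=AZURE_VAULTS):
    """Resolve credentials from two named secrets in one vault (Vault Name /
    Username Secret / Password Secret)."""
    vault = vaults.get(vault_name)
    if vault is None:
        raise LookupError(f"vault {vault_name!r} not found")
    missing = [s for s in (username_secret, password_secret) if s not in vault]
    if missing:
        raise KeyError(f"vault {vault_name!r} has no secret(s) {missing}")
    return Credentials(vault[username_secret], vault[password_secret])


def resolve(config):
    """Dispatch on the secret-manager choice. The dict keys mirror the form
    fields on the page but are this example's own naming (assumption)."""
    backend = config["secret_manager"]
    if backend == "Lazsa":
        # Credentials typed directly into the configuration.
        return Credentials(config["username"], config["password"])
    if backend == "AWS Secrets Manager":
        return from_aws_secrets_manager(
            config["secret_name"], config["username_key"], config["password_key"])
    if backend == "Azure Key Vault":
        return from_azure_key_vault(
            config["vault_name"], config["username_secret"], config["password_secret"])
    raise ValueError(f"unsupported secret manager {backend!r}")


if __name__ == "__main__":
    print(resolve({"secret_manager": "AWS Secrets Manager", "secret_name": "prod/sonarqube",
                   "username_key": "user", "password_key": "token"}))
    print(resolve({"secret_manager": "Azure Key Vault", "vault_name": "sec-tools-kv",
                   "username_secret": "sonar-username", "password_secret": "sonar-token"}))
```

The practical point is the difference in what a misconfiguration looks like: with AWS Secrets Manager a wrong Username Key or Password Key is a missing JSON key inside an otherwise valid secret, while with Azure Key Vault it is a missing secret in the vault. In both cases the lookup fails with the name of the missing key or secret rather than silently returning an empty value, and the `Credentials` representation masks the password so a failed Test Connection does not leak it into logs.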