IdeaCred

SonarSource/sonar-iac

91

Static Code Analyser for Infrastructure-as-Code languages such as CloudFormation and Terraform as well as DevOps like Docker and Kubernetes

What's novel

Static Code Analyser for Infrastructure-as-Code languages such as CloudFormation and Terraform as well as DevOps like Docker and Kubernetes

Code Analysis

5 files read · 7 rounds

A static code analyzer for Infrastructure-as-Code (IaC) that integrates with SonarQube to scan Kubernetes, Terraform, CloudFormation, Dockerfiles, and Helm charts for security vulnerabilities and code quality issues.
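To make concrete what "scan Dockerfiles for security vulnerabilities" means in practice, below is an added example of the kind of rule such an analyzer applies: a small Python checker that parses a Dockerfile (joining backslash continuations, skipping comments) and flags an unpinned base image, an ADD from a remote URL, a credential-looking ENV key, and a final stage that never drops root. This is illustration code written for this page, not sonar-iac's rule engine; the rule identifiers, the secret-name regular expression and both sample Dockerfiles are constructed for the example.

```python
"""Toy Dockerfile checker illustrating rules an IaC static analyzer applies.
Added example, not sonar-iac code; rule ids and samples are invented here."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# Heuristic for credential-like variable names (assumption made for the example).
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def parse_dockerfile(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, argument) triples. Backslash continuations
    are joined, comments/blank lines dropped, line_no is where the instruction began."""
    out, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if start is None:
            start = no
        if s.endswith("\\"):
            buf.append(s[:-1].rstrip())
            continue
        buf.append(s)
        head, _, rest = " ".join(buf).partition(" ")
        out.append((start, head.upper(), rest.strip()))
        buf, start = [], None
    return out


def _image_ref(arg: str) -> tuple[str, str | None]:
    """Split a FROM argument into (image, stage alias), ignoring --platform flags."""
    toks = [t for t in arg.split() if not t.startswith("--")]
    alias = toks[2] if len(toks) >= 3 and toks[1].upper() == "AS" else None
    return toks[0], alias


def check_dockerfile(text: str) -> list[Finding]:
    ins = parse_dockerfile(text)
    findings: list[Finding] = []
    stages: set[str] = set()
    from_idx = [i for i, (_, name, _) in enumerate(ins) if name == "FROM"]
    final_start = from_idx[-1] if from_idx else 0  # only the last stage is shipped

    for i, (no, name, arg) in enumerate(ins):
        if name == "FROM":
            image, alias = _image_ref(arg)
            tail = image.rsplit("/", 1)[-1]  # so registry:port is not mistaken for a tag
            if (image not in stages and image != "scratch" and "@sha256:" not in image
                    and (":" not in tail or tail.endswith(":latest"))):
                findings.append(Finding("unpinned-base-image", no,
                                        f"base image {image!r} has no tag or digest"))
            if alias:
                stages.add(alias)
        elif name == "ADD":
            if any(t.startswith(("http://", "https://")) for t in arg.split()):
                findings.append(Finding("add-remote-url", no,
                                        "ADD fetches a URL with no integrity check; vendor it and COPY"))
        elif name == "ENV":
            first = arg.split(None, 1)[0]
            keys = [t.split("=", 1)[0] for t in arg.split() if "=" in t] if "=" in first else [first]
            for k in keys:
                if SECRET_NAME.search(k):
                    findings.append(Finding("secret-in-env", no,
                                            f"{k} is baked into image metadata; inject it at runtime"))
        elif name == "USER" and i >= final_start and arg.split(":")[0].strip() in ("root", "0"):
            findings.append(Finding("runs-as-root", no, "final stage explicitly runs as root"))

    if not any(name == "USER" for _, name, _ in ins[final_start:]):
        findings.append(Finding("runs-as-root", ins[final_start][0] if ins else 1,
                                "final stage never switches user; the container runs as root"))
    return findings


# Constructed sample Dockerfiles (not from any real project).
BAD = """\
# build stage
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM alpine
ADD https://example.invalid/helper.tar.gz /opt/
ENV DB_PASSWORD=changeme
COPY --from=builder /out/app /usr/local/bin/app
RUN apk add --no-cache ca-certificates \\
    && adduser -D app
ENTRYPOINT ["/usr/local/bin/app"]
"""

GOOD = BAD.replace("FROM alpine\n", "FROM alpine:3.20\n") \
          .replace("ADD https://example.invalid/helper.tar.gz /opt/\n", "COPY vendor/helper.tar.gz /opt/\n") \
          .replace("ENV DB_PASSWORD=changeme\n", "") \
          .replace("ENTRYPOINT", "USER app\nENTRYPOINT")

if __name__ == "__main__":
    for f in check_dockerfile(BAD):
        print(f"line {f.line}: {f.rule}: {f.message}")
    print("hardened findings:", check_dockerfile(GOOD))
```

The checks are line-oriented because a Dockerfile is, which is why continuation handling matters: a `RUN` split over several lines must still be seen as one instruction. The multi-stage logic mirrors what a real rule has to do, since a missing `USER` in a builder stage is harmless while the same omission in the final stage ships a root container.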

Strengths

Excellent modularity with clear separation between the Java plugin and language-specific extensions. Strong test coverage with dedicated fixtures for edge cases (parsing errors, invalid ranges). The Go integration for Helm template evaluation demonstrates thoughtful polyglot architecture.

Weaknesses

Some error handling could be more explicit in certain parser implementations. The reliance on external tools like cfn-lint requires careful dependency management during builds.

Score Breakdown

Innovation
3 (25%)
Craft
88 (35%)
Traction
52 (15%)
Scope
96 (25%)

Signal breakdown

Innovation

Not Fork +1
Code Novelty +1
Concept Novelty +0

Craft

CI +5
Tests +8
Polish +2
Releases +4
Has License +5
Code Quality +27
Readme Quality +15
Recent Activity +7
Structure Quality +5
Commit Consistency +5
Has Dependency Mgmt +5

Traction

Forks +17
Stars +20
HN Points +0
Watchers +10
Early Traction +0
Dev.to Reactions +0
Community Contribs +5

Scope

Commits +8
Languages +8
Subsystems +15
Bloat Penalty +0
Completeness +7
Contributors +8
Authored Files +15
Readme Code Match +3
Architecture Depth +7
Implementation Depth +8

Evidence

Commits

362

Contributors

42

Files

3231

Active weeks

48

Tests · CI/CD · README · License · Contributing

Repository

Language

Java

Stars

56

Forks

10

License

NOASSERTION (no SPDX license identifier could be asserted from the repository metadata)