Analysis evidence from SonarQube now available in JFrog AppTrust
Sonar and JFrog have partnered on an integration that combines SonarQube's code quality and security analysis with JFrog's AppTrust governance platform, giving development teams an end-to-end, automated governance solution from code to deployment. By consolidating a critical chain of evidence and automating compliance workflows, it helps enterprises accelerate AI-driven development while ensuring code security and compliance. 2025-09-09 18:00:00 Author: securityboulevard.com

Developers need to balance speed and governance

Software engineering leaders face a constant tension: the demand to accelerate innovation versus the non-negotiable need for security and compliance. This demand is being amplified by AI, as AI coding assistants boost their teams' output and the resulting volume and churn of code puts immense strain on governance, risk, and compliance (GRC) processes. Developer teams can't afford to be slowed down by the manual, error-prone compliance checks that are buckling under this new velocity; this is the "engineering productivity paradox."

The new strategic partnership between Sonar and JFrog directly addresses this challenge. By integrating SonarQube's industry-leading automated code review with JFrog's new AppTrust governance platform, together we are providing the essential framework for software engineering teams to embrace AI-driven speed without compromising on control. This alliance is built to help solve the engineering productivity paradox, enabling consistent delivery of secure, high-quality software faster than ever.

Two trusted solutions, now unified

Our collaboration brings two solutions together: SonarQube for code quality and security, and JFrog Artifactory for artifact management. This partnership is designed to create a single, authoritative 'code-to-deploy' solution for the entire software development lifecycle (SDLC). The goal is to provide organizations with a single, integrated source of truth for software quality and security, eliminating the friction between the tools developers use and the systems that operations and security teams rely on.


When critical code quality data from SonarQube is disconnected from the binary artifacts managed in JFrog, engineering teams must bridge the gap with manual processes and custom scripts. This partnership closes that gap, creating an unbroken chain of evidence from the first line of code to the final release. The result is a pre-integrated, end-to-end solution that streamlines workflows and strengthens the software supply chain.

Automated governance with JFrog AppTrust and SonarQube

Coinciding with this partnership, JFrog is launching AppTrust, a "DevGovOps" solution for software release governance. AppTrust is a framework for automating compliance, establishing an evidence system of record, and enforcing quality and security policies. This ensures that no software is shipped without meeting predefined criteria.

A governance platform is only as good as the evidence it contains. That's why Sonar is a crucial launch partner for AppTrust. Sonar provides the most critical piece of "shift-left" evidence: a definitive, verifiable attestation of the code's quality and security state. With Sonar's trusted analysis results automatically feeding into AppTrust, development teams can be confident that governance policies are universally applied.

How the Sonar-JFrog integration works

The SonarQube-AppTrust integration is engineered to be powerful yet non-disruptive, fitting directly into existing developer CI/CD workflows. The entire process is orchestrated by a job within the pipeline that runs the JFrog CLI, designed to handle the evidence lifecycle without adding complexity or delays.

Here’s a step-by-step look at the workflow:

  1. Evidence retrieval: As the SonarQube analysis runs, the JFrog CLI job checks a new, purpose-built SonarQube API endpoint for the results. Once finished, the SonarQube endpoint provides a detailed evidence payload. This includes the critical quality gate status and conditions in a structured format, as well as a human-readable markdown summary for easy viewing within the JFrog UI.
  2. Cryptographic signing: To ensure the integrity and authenticity of the evidence, the JFrog CLI cryptographically signs the payload. This creates a verifiable, tamper-proof attestation that can be trusted by auditors and automated governance policies.
  3. Attaching to the artifact: The final step is to attach this signed evidence directly to the corresponding software artifact—be it a package, build-info, or release-bundle—within JFrog Artifactory.

The result is a complete, irrefutable audit trail linking code quality and security directly to the compiled binary. This provides robust, automated governance to ensure compliance is achieved at the speed of modern development.
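To make the three-step evidence lifecycle concrete, here is an added example in Python. It is not Sonar's or JFrog's code and it does not call the JFrog CLI; it models the same sequence (collect a quality-gate payload, make it tamper-evident, attach it to an artifact record, then let a release policy verify it). The payload field names, the `Artifact` record, and the use of HMAC-SHA256 as the signing primitive are all assumptions; the page does not describe the JFrog CLI's actual key handling or envelope format.

```python
"""Model of the SonarQube -> AppTrust evidence lifecycle (added example, not vendor code).

Assumptions: payload field names, the Artifact record, and HMAC-SHA256 signing with a
constructed shared key stand in for whatever the real JFrog CLI does.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed signing key standing in for the key a CI job would hold.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(payload: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_evidence(payload: dict, key: bytes = SIGNING_KEY) -> dict:
    """Step 2: wrap the payload in an envelope carrying a MAC over its canonical encoding."""
    mac = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": copy.deepcopy(payload), "signature": mac, "alg": "hmac-sha256"}


def verify_evidence(envelope: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the MAC over the payload as stored and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(envelope["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("signature", "")))


@dataclass
class Artifact:
    """Stand-in for a package, build-info or release bundle in the artifact store."""
    name: str
    sha256: str
    evidence: List[dict] = field(default_factory=list)


def attach_evidence(artifact: Artifact, envelope: dict) -> None:
    """Step 3: bind the signed evidence to the artifact record."""
    artifact.evidence.append(envelope)


def quality_gate_policy(artifact: Artifact, key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Release policy: require validly signed SonarQube evidence whose gate and conditions passed."""
    for env in artifact.evidence:
        if env["payload"].get("predicateType") != "sonarqube-quality-gate":
            continue
        if not verify_evidence(env, key):
            return False, "evidence signature invalid (tampered or wrong key)"
        gate = env["payload"]["qualityGate"]
        failed = [c["metric"] for c in gate["conditions"] if c["status"] != "OK"]
        if gate["status"] != "OK" or failed:
            return False, f"quality gate failed: {failed or gate['status']}"
        return True, "quality gate passed with valid evidence"
    return False, "no SonarQube quality gate evidence attached"


# Constructed payload (step 1) modelled on what the post lists: gate status,
# per-condition results, and a markdown summary. Field names are assumptions.
SAMPLE_PAYLOAD = {
    "predicateType": "sonarqube-quality-gate",
    "project": "demo-service",
    "qualityGate": {
        "status": "OK",
        "conditions": [
            {"metric": "new_security_hotspots_reviewed", "status": "OK", "actual": "100"},
            {"metric": "new_coverage", "status": "OK", "actual": "85.2"},
        ],
    },
    "summary_markdown": "## Quality Gate: Passed\n- Security hotspots reviewed: 100%",
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the lifecycle for a passing build, a tampered envelope and an honestly failing gate."""
    results = {}

    good = Artifact("demo-service:1.2.3", "deadbeef" * 8)  # constructed digest
    attach_evidence(good, sign_evidence(SAMPLE_PAYLOAD))
    results["passed"] = quality_gate_policy(good)

    # A failing gate is signed honestly, then the stored payload is edited to read OK.
    failing = copy.deepcopy(SAMPLE_PAYLOAD)
    failing["qualityGate"]["status"] = "ERROR"
    failing["qualityGate"]["conditions"][1]["status"] = "ERROR"
    tampered_env = sign_evidence(failing)
    tampered_env["payload"]["qualityGate"]["status"] = "OK"
    tampered_env["payload"]["qualityGate"]["conditions"][1]["status"] = "OK"
    tampered = Artifact("demo-service:1.2.4", "cafebabe" * 8)
    attach_evidence(tampered, tampered_env)
    results["tampered"] = quality_gate_policy(tampered)

    # The same failing payload left intact: signature valid, policy still blocks it.
    honest_fail = Artifact("demo-service:1.2.5", "feedface" * 8)
    attach_evidence(honest_fail, sign_evidence(failing))
    results["failed_gate"] = quality_gate_policy(honest_fail)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'ALLOW' if ok else 'BLOCK'} ({reason})")
```

The detail worth noticing is `canonical_bytes`: the signature is only meaningful if signer and verifier hash the same serialization, so both sides must agree on a canonical encoding before any key is involved. The policy also verifies before it reads the gate status, which is what turns the evidence into something an automated release gate can rely on rather than merely display.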

Empower teams with speed and control

This integrated solution moves the organization beyond the trade-off between speed and control, delivering tangible benefits that directly address the challenges they face.

  • For DevOps and platform teams: The integration replaces brittle, high-maintenance scripts with a resilient, automated process for evidence collection, improving pipeline reliability and velocity.
  • For GRC and security officers: It provides streamlined access to immutable evidence of SonarQube’s code quality and security analysis, transforming audit preparation from a manual, multi-system scramble into a push-button process.
  • For the CISO: Automated, consistent enforcement of security standards, providing verifiable proof that every production artifact has passed its SonarQube quality gate and originated from secure, high-quality code.
  • For developers: The process is entirely transparent. They get fast feedback from Sonar in their IDE and CI process, and can leverage AI tools to innovate, knowing that compliance is handled automatically downstream without adding friction to their workflow.

A future-proof platform for the SDLC

Sonar’s integration with JFrog AppTrust is available now for Enterprise plans of SonarQube Cloud, with support for SonarQube Server planned later this year. This initial integration marks the beginning of a strategic, long-term partnership between Sonar and JFrog to help our customers build trust into every line of code as they adopt AI coding solutions. Together, we aim to provide organizations with solutions that not only address current challenges but also foster a more efficient, secure, and resilient SDLC for the future.

*** This is a Security Bloggers Network syndicated blog from Blog RSS feed authored by Jeff Clawson. Read the original post at: https://www.sonarsource.com/blog/analysis-evidence-from-sonarqube-now-available-in-jfrog-apptrust/


Source: https://securityboulevard.com/2025/09/analysis-evidence-from-sonarqube-now-available-in-jfrog-apptrust/?utm_source=rss&utm_medium=rss&utm_campaign=analysis-evidence-from-sonarqube-now-available-in-jfrog-apptrust