DEV Community: Mathias Conradt

SonarQube Stackhawk DAST Demo Repo

Mathias Conradt — Mon, 23 Feb 2026 13:29:00 +0000

This application is an intentional vulnerable Java Spring-Boot application with Thymeleaf. It is use for training purposes only!

Run the application

Go to the root folder of the application and run using Maven

mvn spring-boot:run

The application fills itself with data at startup wait until you see READY in the console.

You can access the application on http://localhost:8081

By default there are two users configured you can access

Username        Password        User type
Admin           admin           ADMIN
User            user            CUSTOMER

DAST Scan with StackHawk

Run a DAST scan with StackHawk, producing a stackhawk.sarif file as output. This can later be ingested into SonarQube.

export SARIF_ARTIFACT=true
hawk scan

Adding the stackhawk.sarif to the Sonar Scan via -Dsonar.sarifReportPaths=stackhawk.sarif parameter:

# Get the current branch name directly using command substitution
CURRENT_BRANCH=$(git branch --show-current)

# Check if the command was successful and a branch name was found
if [ -z "$CURRENT_BRANCH" ]; then
    echo "Error: Could not determine the current Git branch."
    exit 1
fi

mvn clean verify sonar:sonar \
  -Dsonar.projectKey=e-corp-demo_sonarqube-stackhawk-dast-demo_31dfab10-94aa-4a9b-a894-77cabdab902a \
  -Dsonar.projectName='sonarqube-stackhawk-dast-demo' \
  -Dsonar.host.url=https://mathiasconradt.ngrok.io \
  -Dsonar.sarifReportPaths=stackhawk.sarif \
  -Dsonar.branch.name=$CURRENT_BRANCH

The DAST findings from StackHawk appear under the issues, tagged with STACKHAWK.

Questions & Contact

Mathias Conradt
Security Solutions Engineer at Sonar
https://www.linkedin.com/in/mathiasconradt/
https://x.com/mathiasconradt

SonarQube: SCA Scanning of Unmanaged Dependencies in Java Projects with Syft and SBOM Import

Mathias Conradt — Mon, 23 Feb 2026 12:59:00 +0000

Sonar currently does not support SCA for unmanaged dependencies (jars) in Java projects. However, you can generate a Software Bill of Materials (SBOM) using tools like Syft and then analyze it with SonarQube.

This demo repo shows how to generate an SBOM for a Java project using Syft, and then scan it with SonarQube to identify vulnerabilities.

Take note of the unmanaged dependencies in folder libs as an example:

Installation & Usage

Install Syft to generate the SBOM:

brew install syft
syft scan ./libs -o cyclonedx-json=java-unmanaged-jars-demo.cdx.json

Example is using brew on macOS, but you can find installation instructions for other platforms in the Syft Documentation.

Then adjust the sonar-project.properties file to include the generated SBOM:

sonar.exclusions=**/*
sonar.sca.sbomImportPaths=java-unmanaged-jars-demo.cdx.json
sonar.inclusions=java-unmanaged-jars-demo.cdx.json

Then scanning via sonar-scanner:

sonar-scanner \
  -Dsonar.projectKey=e-corp-demo_java-unmanaged-jars-demo_5d05ab5f-6ffa-487c-9977-c60e2b52d831 \
  -Dsonar.sources=. \
  -Dsonar.host.url=${SONARQUBE_URL} \
  -Dsonar.token=${SONARQUBE_TOKEN} \
  -Dsonar.verbose=true

Afterwards, you can view the vulnerabilities detected in the SonarQube dashboard.

Questions & Contact

Mathias Conradt
Security Solutions Engineer at Sonar
https://www.linkedin.com/in/mathiasconradt/
https://x.com/mathiasconradt

SonarQube: SCA Scanning of Unmanaged Dependencies in C/C++ Projects with Syft and SBOM Import

Mathias Conradt — Mon, 23 Feb 2026 12:54:12 +0000

Sonar currently does not support SCA for unmanaged dependencies in C/C++ projects. However, you can generate a Software Bill of Materials (SBOM) using tools like Syft and then analyze it with SonarQube.

This demo repo shows how to generate an SBOM for a C++ project using Syft, and then scan it with SonarQube to identify vulnerabilities.

Take note of the unmanaged dependencies in folder deps as an example:

Installation & Usage

Install Syft to generate the SBOM:

brew install syft
syft dir:. -o cyclonedx-json --file cpp_goof.cdx.json --catalogers all

Example is using brew on macOS, but you can find installation instructions for other platforms in the Syft Documentation.

Then adjust the sonar-project.properties file to include the generated SBOM:

sonar.exclusions=**/*
sonar.sca.sbomImportPaths=cpp_goof.cdx.json
sonar.inclusions=cpp_goof.cdx.json

Then scanning via sonar-scanner:

sonar-scanner \
  -Dsonar.projectKey=e-corp-demo_cpp-goof_f56168d1-a2e5-4d19-b432-4a8681a5301a \
  -Dsonar.sources=. \
  -Dsonar.host.url=${SONARQUBE_URL} \
  -Dsonar.token=${SONARQUBE_TOKEN} \
  -Dsonar.verbose=true

Afterwards, you can view the vulnerabilities detected in the SonarQube dashboard.

Questions & Contact

Mathias Conradt
Security Solutions Engineer at Sonar
https://www.linkedin.com/in/mathiasconradt/
https://x.com/mathiasconradt