Check websites for security and performance issues with Sonar
Microsoft's Edge development team launched a new open source website scanner called Sonar yesterday which tests websites for security and performance issues.
Sonar is available as a web tool and a command line tool; the web version of Sonar is easier to use though, as it requires just a URL to get started with the scan.
Initial scans were delayed quite a bit, likely because Sonar has been covered by news sites on launch day. New scan requests are added to Sonar's processing queue. The service displays a permalink for the scan, though, which you can bookmark or keep open to check the results at a later point in time.
Options to receive notifications when scans complete are not available though, and the page does not refresh automatically; so, reload frequently to get the test results.
Sonar displays an overview of the scan at the top. It lists the total number of warnings and errors, as well as the scan time. Below that is a listing of warnings and errors sorted into groups such as accessibility, performance, security or interoperability.
You can click on any of those to jump to the details of that section. Sonar lists the issues that it found, e.g. no-protocol-relative-urls or meta-viewport, and the number of errors or warnings it found for each.
You need to click on the "open details" button next to an issue for details on the findings. This includes an error description, and the page element the error was detected on.
This may be enough to fix the issue right away, but you can click on the paper sheet icon as well to open information on that particular issue to find out more about it.
Sonar may highlight security issues, for instance when it detects that a site loads libraries with known vulnerabilities. This is extremely useful but limited to what Sonar is configured to detect. You should not rely solely on the service when it comes to security, but it may assist you in your assessment.
Closing Words
Sonar is a service that is mostly useful for webmasters and administrators. While end users may use Sonar to scan their favorite websites, there is little that is gained from that.
Can’t scan https sites as Sonar adds http to every url.
I did scan Ghacks, and it is https. Did you add the protocol in front of the address?
Wow, Ghacks seems to have several problems according to Sonar. Do you plan fixing it?
New theme coming :)
Nice!
Microsoft’s Sonar has a long way to go before it is as good as Google’s VirusTotal https://www.virustotal.com/en/
If you click on each “Open Details” you create a total report for what it found, which you can then print or save. The service plans to improve what it does in the future, so I will stay tuned….