Commit 6562dd9

Fix issue #161 (#162) - clarify that developer edition sonarqube is only needed for security code analysis
1 parent 6c96109 commit 6562dd9

1 file changed: +1 / -1 lines changed


quality-checks.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ We recommend tracking progress on an Engineering Quality dashboard, for example:
4545
| API / contract tests | Functionality | Contextual | Check whether the API interface adheres to the agreed contract | Any API interface is an integration point with another component or a software systems. An extra care has to be taken to ensure compatibility and stability of that integration are maintained so that we don't break applications that depend on our APIs | Builds fail if any tests fail | Postman | [Automate Your API Tests with Postman](https://www.postman.com/use-cases/api-testing-automation/) |
4646
| UI tests | Functionality | Contextual | Check that the user interface components behave as expected, particularly checking the visual elements to verify that they are functioning according to requirements | As the only aspects of software that end users come into contact with, it is essential that these elements behave as expected and allow users to get only what they need from our software applications | Builds fail if any tests fail | | |
4747
| <a name="secret-scanning"></a> Secret scanning | Security | Universal | Check for secrets (e.g. passwords, IP addresses, etc) accidentally included in software code | This protects us against accidentally leaking secrets (in source code) which could compromise the security of the application | Review the list of patterns and update it as necessary<br/><br/>... then:<br/><br/>Full repository (including history) scan, and all secrets removed<br/><br/>And:<br/><br/>Local (on developer laptop) scanning to block commits containing the patterns <br/><br/>And:<br/><br/>Server-side scanning within the code repository for new commits containing the patterns| <!-- markdown-link-check-disable -->[Security practices](/practices/security.md#secret-scanning)<!-- markdown-link-check-enable --> | |
48-
| Security code analysis | Security | Universal | Check for indications of possible security issues (for example injection weaknesses) | This gives fast feedback about security issues: it's not as thorough as security testing, but it's much quicker to execute, so both are important to achieve both rapid and thorough security testing | If using SonarQube, must use SonarQube's default [rules, profiles and gateways](tools/sonarqube.md#default-quality-gates) <br/><br/> Build pipeline must fail if gateway is not met | One option is [SonarQube](tools/sonarqube.md) (Developer Edition or higher - includes advanced OWASP scanning) | |
48+
| Security code analysis | Security | Universal | Check for indications of possible security issues (for example injection weaknesses) | This gives fast feedback about security issues: it's not as thorough as security testing, but it's much quicker to execute, so both are important to achieve both rapid and thorough security testing | If using SonarQube, must use SonarQube's default [rules, profiles and gateways](tools/sonarqube.md#default-quality-gates) <br/><br/> Build pipeline must fail if gateway is not met | One option is [SonarQube](tools/sonarqube.md). For the purpose of security code analysis, Developer Edition or higher is required as it includes advanced OWASP scanning. | |
4949
| Security testing | Security | Contextual | Check for security issues (for example injection weaknesses) | More thorough than security code scanning, but much slower to execute, so both are important to achieve both rapid and thorough security testing | | | |
5050
| Dependency scanning | Security | Universal | Check for security issues and vulnerabilities in dependent areas of code that are outside of our direct control | Without this we have no way of knowing of any issues or security vulnerabilities of third party components that we are not responsible for | | | |
5151
| Performance tests | Resilience | Contextual | Check whether application performance is acceptable at different levels of load | Without this test, we don't know how load will affect the performance of the application | | | |
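Review bot: the reworded SonarQube cell in the line-48 row still states the edition requirement less precisely than the commit message does. The message says Developer Edition is *only* needed for security code analysis, i.e. Community Edition remains acceptable for the other checks in this table, but the new cell only says Developer Edition "is required as it includes advanced OWASP scanning", so a reader of this row alone cannot tell that Community Edition still satisfies the non-security rows, and "advanced OWASP scanning" does not name the capability the row is actually about (the "injection weaknesses" detection in the What column). Suggest wording along the lines of `One option is [SonarQube](tools/sonarqube.md). Community Edition is sufficient for the other checks on this page; for security code analysis, Developer Edition or higher is required because that is the edition that includes the OWASP/injection-weakness rules this check depends on.` Also worth checking that tools/sonarqube.md, which the Requirement cell already links for the default rules, profiles and gateways, states the same edition requirement so the two pages do not drift apart.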
