Devops Tool Series: SonarQube

Khemnath chauhan
3 min read · Dec 24, 2023


SonarQube

SonarQube is an open-source platform designed to inspect code quality and identify areas of improvement in terms of security vulnerabilities, code smells, and bugs.
It supports multiple programming languages and is widely used in software development to ensure that the codebase adheres to best practices and meets quality standards.
SonarQube provides static code analysis, which means it examines the source code without executing it, allowing developers to catch issues early in the development process.

QUALITY PROFILES AND QUALITY GATES:

QUALITY PROFILES are a core component of SonarQube: each profile defines the set of rules that, when violated, raise issues on your codebase.

SonarQube executes rules on source code to generate issues. There are four types of rules:

  • Code Smell (Maintainability domain)
  • Bug (Reliability domain)
  • Vulnerability (Security domain)
  • Security Hotspot (Security domain)

QUALITY GATES can be defined as a set of threshold measures set on your project. A few conditions that can be included are listed below:

  • Code Coverage > Certain Value
  • Number of Blocker Issues > Certain Value
  • Security Rating / Unit Test Pass Rate, etc.

INSTALL SONARQUBE:

There are different ways to install it; here I will install it as a Docker container.

Command to install:

docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

# The port 9000 is for sonar console.
[Screenshot: Install-SonarQube]

To access the SonarQube dashboard:
http://<IP_OF_SERVER>:9000/

SonarQube Dashboard:

# Create Sonar Token for Jenkins.

Sonar Dashboard → Administration → My Account → Security → Create Token [Save].

Provide any readable name, select the type “Global Analysis Token”, and copy the generated token.

[Screenshot: Generate-Token]

Integrate Sonar to Jenkins:

Sonar Dashboard → Administration → Configuration → Webhooks

[Screenshot: Integration]

Create a webhook:
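When the webhook is created with a secret, SonarQube signs each POST body with HMAC-SHA256 using that secret and sends the hex digest in the X-Sonar-Webhook-HMAC-SHA256 header, so the CI side can reject posts that did not come from the server before acting on the quality gate result. The following is an added example (not code from the original post or from SonarQube/Jenkins) of what the receiving end does: it checks the signature, then reads the gate status and the failed conditions out of a constructed sample payload. The payload values, the secret and the function names are assumptions for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample: the kind of JSON body SonarQube POSTs to the webhook URL
# once an analysis finishes. Field names follow the SonarQube webhook payload
# format; the values are made up for this example.
SAMPLE_PAYLOAD = json.dumps({
    "serverUrl": "http://sonarqube.example.internal:9000",
    "taskId": "AYexampleTaskId",
    "status": "SUCCESS",
    "project": {"key": "demo-app", "name": "Demo App"},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "63.2", "status": "ERROR", "errorThreshold": "80"},
            {"metric": "new_security_rating", "operator": "GREATER_THAN",
             "value": "1", "status": "OK", "errorThreshold": "1"},
        ],
    },
}).encode()

# Hypothetical secret; in practice it is the "Secret" field set on the webhook.
WEBHOOK_SECRET = "replace-me-with-the-webhook-secret"


def sign_payload(body: bytes, secret: str) -> str:
    """HMAC-SHA256 over the raw body, hex encoded, as carried in the
    X-Sonar-Webhook-HMAC-SHA256 header."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: str) -> bool:
    """Constant-time comparison so a forged or tampered body is rejected."""
    return hmac.compare_digest(sign_payload(body, secret), header_value)


def failed_conditions(body: bytes) -> list:
    """Return (metric, value, errorThreshold) for each gate condition in ERROR."""
    gate = json.loads(body)["qualityGate"]
    return [(c["metric"], c["value"], c["errorThreshold"])
            for c in gate["conditions"] if c["status"] == "ERROR"]


def handle_webhook(body: bytes, header_value: str, secret: str) -> str:
    """What a CI receiver does: authenticate first, then read the gate result."""
    if not verify_signature(body, header_value, secret):
        return "REJECTED"  # unauthenticated post; do not act on it
    return json.loads(body)["qualityGate"]["status"]  # "OK" or "ERROR"
```

A receiver that skips the signature check would let anyone who can reach the Jenkins webhook endpoint mark a failed gate as passed, which is why the secret belongs on every webhook, not just the Jenkins one.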

