Integrating SonarQube With Azure DevOps Pipeline

Usman Barakat
4 min read · Jan 26, 2025


Keeping code clean is not just a best practice; it also promotes the maintainability, security and reliability of the code. This can be achieved by integrating static code analysis using SonarQube.

In this article we will learn how to integrate SonarQube into an Azure DevOps pipeline: collect the source code, analyze it and publish the scan result to the SonarQube dashboard.

Prerequisites

  • Prepare a virtual machine
  • Install Docker on the machine
  • Pull and run the SonarQube image
  • Create an Azure DevOps server

Steps

1 — Running SonarQube as a container using Docker

  • Visit the SonarQube page on Docker Hub to view detailed instructions. We will go with the simplest command; feel free to add volumes for persistence of data
docker run -d --name sonarqube -p 9000:9000 sonarqube:community
  • Open the server in the browser to confirm that SonarQube is running
  • The default username and password are both admin; you will be asked to change the password, and when you are done with that click Save
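As an added example (not from the article), here is a docker-compose.yml for the same sonarqube:community image, with the three named volumes that SonarQube documents for its data, extensions and logs, so that recreating the container does not lose projects, tokens or scan history. The service and volume names are my own choice; the ulimit values and the vm.max_map_count requirement are taken from SonarQube's Docker documentation.

```yaml
# Added example, not part of the article: docker-compose.yml for the
# sonarqube:community image from step 1, with named volumes so data survives
# container recreation. Service and volume names are assumed, not from the page.
services:
  sonarqube:
    image: sonarqube:community
    container_name: sonarqube
    ports:
      - "9000:9000"          # web UI and API, same port as the docker run command
    volumes:
      - sonarqube_data:/opt/sonarqube/data             # embedded database and search index
      - sonarqube_extensions:/opt/sonarqube/extensions # installed plugins
      - sonarqube_logs:/opt/sonarqube/logs             # web, ce, es and access logs
    # Elasticsearch inside the container refuses to start unless the host has
    # vm.max_map_count >= 262144: run `sysctl -w vm.max_map_count=262144` on the VM first.
    ulimits:
      nofile:
        soft: 131072
        hard: 131072
      nproc: 8192
    restart: unless-stopped

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
```

Start it with `docker compose up -d` and poll `curl -s http://localhost:9000/api/system/status` until the JSON reports `"status":"UP"`; the web UI is not usable before that. Because the data volume persists, the admin password change from the first login survives restarts. The image defaults to an embedded H2 database that SonarQube supports only for evaluation; for a server you intend to keep, point SONAR_JDBC_URL, SONAR_JDBC_USERNAME and SONAR_JDBC_PASSWORD at a PostgreSQL database. Port 9000 serves plain HTTP, so the Azure DevOps service connection token travels unencrypted unless you put a TLS reverse proxy in front of it.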

2 — Azure DevOps setup

  • Import your source code into an Azure DevOps repository
  • Click on your profile picture to get the Personal Access Token option, and create a PAT
  • Copy it somewhere safe
  • We will come back to complete the Azure DevOps setup
  • Do not expose your token; the token used here has been deleted

3 — Set up your DevOps platform configuration

  • Now we move to the SonarQube dashboard
  • Choose the platform where your code is stored; in this case we are choosing Azure DevOps
  • This assumes your code is set up in an Azure DevOps repository. Add your organization URL (and the PAT from step 2) and you will automatically see all the projects in that organization
  • Choose the project you intend to integrate the Sonar scan with and import it
  • Choose your continuous integration tool, which is Azure DevOps here
  • Instructions will be provided; just follow them

4 — Configure a service connection on Azure DevOps

  • Go to Project settings, select Service connections and choose SonarQube
  • Enter a name for the service connection
  • Enter your SonarQube server URL or endpoint
  • Enter the token generated on the Sonar server
  • Click Save

5 — Add the SonarQube code to your pipeline

  • Go to the SonarQube page to find the code for your app
  • In this case, I am working on a Netflix app built with JavaScript
  • So here is the code


steps:
  # Checkout the repository
  - checkout: self
    # Disable shallow fetch so SonarQube can attribute new code and blame correctly
    fetchDepth: 0

  # Prepare Analysis Configuration task
  - task: SonarQubePrepare@7
    inputs:
      SonarQube: '<YourSonarqubeServerEndpoint>'   # name of the service connection from step 4
      scannerMode: 'cli'
      configMode: 'manual'
      cliProjectKey: '<YourProjectKey>'             # project key generated on the Sonar server

  # Add your build task(s) here

  # Run Code Analysis task
  - task: SonarQubeAnalyze@7
    inputs:
      jdkversion: 'JAVA_HOME_17_X64'

  # Publish Quality Gate Result task
  - task: SonarQubePublish@7
    inputs:
      pollingTimeoutSec: '300'
  • Fill in all the necessary fields and run the pipeline
  • Replace the project key in the code with the key generated on the Sonar server
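The snippet above is the fragment SonarQube generates; below, as an added example that is not part of the article, is a complete azure-pipelines.yml for a JavaScript project that fills in the build step the fragment leaves out and feeds the test coverage report into the analysis. It assumes a service connection named sonarqube-vm (created in step 4), a project key netflix-clone, Jest-style tests that write coverage/lcov.info, sources under src/, and a hosted ubuntu-latest agent; all of these names are my assumptions, not values from the page.

```yaml
# Added example, not the article's own pipeline. Assumed names: service
# connection 'sonarqube-vm', project key 'netflix-clone', sources in src/,
# Jest-style tests producing coverage/lcov.info.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Full history so SonarQube can compute new code and blame correctly
  - checkout: self
    fetchDepth: 0

  - task: NodeTool@0
    displayName: 'Use Node.js'
    inputs:
      versionSpec: '20.x'

  # Prepare must run before the build so the scanner picks up the reports
  - task: SonarQubePrepare@7
    displayName: 'Prepare SonarQube analysis'
    inputs:
      SonarQube: 'sonarqube-vm'           # service connection name (assumed)
      scannerMode: 'cli'
      configMode: 'manual'
      cliProjectKey: 'netflix-clone'      # project key from the SonarQube UI (assumed)
      cliProjectName: 'netflix-clone'
      cliSources: 'src'
      extraProperties: |
        sonar.exclusions=**/node_modules/**,**/build/**,**/*.test.js
        sonar.javascript.lcov.reportPaths=coverage/lcov.info
        # Make the analysis step itself fail when the quality gate fails,
        # so a failing gate blocks the pipeline instead of only being reported
        sonar.qualitygate.wait=true
        sonar.qualitygate.timeout=300

  # Build and test with coverage before analysis so the lcov report exists
  - script: |
      npm ci
      npm test -- --coverage --watchAll=false
    displayName: 'Install, test and collect coverage'

  - task: SonarQubeAnalyze@7
    displayName: 'Run SonarQube analysis'
    inputs:
      jdkversion: 'JAVA_HOME_17_X64'

  - task: SonarQubePublish@7
    displayName: 'Publish quality gate result'
    inputs:
      pollingTimeoutSec: '300'
```

The SonarQube token never appears in this file; it lives in the service connection, and the PAT from step 2 is used only on the SonarQube side for the Azure DevOps integration. Without sonar.qualitygate.wait=true the pipeline publishes the gate result but can still succeed with a failing gate, which is the behaviour to check for once you have defined a gate in step 6.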

6 — Additionally, create a quality gate

A quality gate defines the metrics and standards your application needs to conform to before its code is considered clean.

Here are some of the metrics:

  • Code Coverage measures the percentage of your code that is exercised by unit tests. Configure it to aim for at least 80% coverage for critical projects, and lower for less critical code.
  • Duplicated Lines (%) is the percentage of code that is duplicated across files or functions.
  • Reliability Rating measures how reliable the code is, based on issues such as bugs.
  • Security Hotspots identifies security-sensitive code that should be reviewed for potential vulnerabilities.
  • Test Success Ratio is the ratio of passing tests to total tests. Ensure a 100% success rate in automated tests, aiming for zero test failures in production.
  • Vulnerabilities measures the number of security vulnerabilities within the codebase.
  • Code Smells measures the number of issues that indicate poor coding practices but do not necessarily impact functionality.
  • Run your pipeline
  • Check the result on the SonarQube server

Written by Usman Barakat

I am a DevOps and cloud engineer; I create educational content around the DevOps world.