SonarQube Scanning

How to trigger a SonarQube Analysis from Codefresh

SonarQube is a popular platform for Code Quality. It can be used for static and dynamic analysis of a codebase and can detect common code issues such as bugs and vulnerabilities.


There are many ways to run an analysis with SonarQube, but the easiest is to use the scanner that matches the build system of your application.

This section shows how to use the SonarQube plugin on Codefresh from the plugin directory. Once set up, your code will automatically be analyzed every time your pipeline runs.

Prerequisites for SonarQube integration

Before starting an analysis, you need to make sure that:

Getting a security token from SonarQube

To use the SonarQube plugin, you will need to either provide your login credentials in your Codefresh pipeline or generate a security token. We recommend the latter. You can either create a new token or reuse an existing one. Security-wise it is best if each project has its own token.

Log in to SonarQube with your account and navigate to USER -> MY ACCOUNT, which is in the top right corner of your profile. Next, select the Security tab and generate the security token. Save the token somewhere you will be able to access it again easily.

SonarQube generate token

Setting up your sonar-project.properties file

Not all environment variables are currently defined automatically in the SonarScanner. Thus, we have to set up a sonar-project.properties file in the root directory of the project.

Please create the file and add the following values:

# must be unique in a given SonarQube instance
sonar.projectKey=a unique project key
 
# organization name
sonar.organization=your organisation name

The file is needed to run the SonarQube plugin.

Running an analysis from the Codefresh Plugin

If you are using the predefined Codefresh pipeline, you just need to look up SonarQube under STEPS and you will find the custom plugin.

SonarQube analysis for predefined Codefresh steps

  • Select the sonar-scanner-cli
  • Copy and paste the step into your pipeline

Please customise the values within the step as follows:

  • SONAR_HOST_URL: 'https://sonarcloud.io/' # this is the URL of SonarCloud; if you run your own server, replace it with your server URL
  • SONAR_LOGIN: username or access token (generated above)
  • SONAR_PASSWORD: password if username is used
  • SONAR_PROJECT_BASE_DIR: set working directory for analysis
  • SONAR_SCANNER_CLI_VERSION: latest

Here is our example step:

sonarqube:
    type: "sonar-scanner-cli"
    stage: "push"
    arguments:
      SONAR_HOST_URL: 'https://sonarcloud.io/' # replace with your host URL
      SONAR_LOGIN: "insert access token" # replace with your access token
      SONAR_PROJECT_BASE_DIR: "/codefresh/volume/sonarqube-example" # replace with your working directory
      SONAR_SCANNER_CLI_VERSION: "latest"

Once the values are specified, save and run your pipeline.
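The step above hardcodes the token in the pipeline YAML. As an added example (not part of the original page or the Codefresh plugin), here is the same step inside a complete pipeline that reads the token from an encrypted pipeline variable instead, so the secret is never committed alongside the YAML. The variable name SONAR_TOKEN, the repository name and the git integration name are assumptions; CF_BRANCH and CF_VOLUME_PATH are Codefresh built-in variables.

```yaml
version: "1.0"
stages:
  - "clone"
  - "push"
steps:
  main_clone:
    title: "Cloning repository"
    type: "git-clone"
    stage: "clone"
    # Assumed repository and git integration name; replace with your own
    repo: "my-org/sonarqube-example"
    revision: "${{CF_BRANCH}}"
    git: "github"
  sonarqube:
    type: "sonar-scanner-cli"
    stage: "push"
    arguments:
      SONAR_HOST_URL: "https://sonarcloud.io/" # replace with your server URL if self-hosted
      # SONAR_TOKEN (assumed name) is defined as an encrypted variable in the
      # pipeline settings, one token per project, so it is not stored in the YAML
      SONAR_LOGIN: "${{SONAR_TOKEN}}"
      # CF_VOLUME_PATH is the shared volume (/codefresh/volume); the clone step
      # checks the repository out into a directory named after the repo
      SONAR_PROJECT_BASE_DIR: "${{CF_VOLUME_PATH}}/sonarqube-example"
      SONAR_SCANNER_CLI_VERSION: "latest"
```

If the token is ever exposed, revoke it in USER -> MY ACCOUNT -> Security and update only the pipeline variable; the YAML needs no change.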

Viewing the SonarQube analysis

Once the Codefresh build is started you can check the logs and monitor the analysis progress.

SonarQube analysis

Once the analysis is complete you can visit the SonarQube dashboard and see the recent analysis of the project.

SonarQube project

Then you can drill down and view the various statistics.

SonarQube Analysis details