SonarQube Scanning

How to trigger a SonarQube Analysis from Codefresh

SonarQube is a popular platform for Code Quality. It can be used for static and dynamic analysis of a codebase and can detect common code issues such as bugs and vulnerabilities.


There are many ways to run an analysis with SonarQube, but the easiest is to use the scanner that matches the build system of your application.

This section shows how to use the SonarQube plugin on Codefresh from the plugin directory. Once set up, your code will automatically be analysed every time your pipeline runs.

Prerequisites for SonarQube integration

Before starting an analysis, you need to make sure that:

Getting a security token from SonarQube

To use the SonarQube plugin, you need to provide either your login credentials or a security token in your Codefresh pipeline. We recommend the token. You can either create a new token or reuse an existing one; security-wise, it is best if each project has its own token.

Log in to SonarQube with your account and navigate to USER -> MY ACCOUNT, in the top right corner of your profile. Next, select the Security tab and generate the security token. Save the token somewhere you will be able to access it again easily.

SonarQube generate token

Setting up your file

Not all environment variables are currently defined automatically in the SonarScanner. Thus, we have to set up a file in the root directory of the repository.

Please create the file and add the following values:

    # must be unique in a given SonarQube instance
    sonar.projectKey=a unique project key
    # project name
    sonar.projectName=your project's name

The file is needed to run the SonarQube plugin.

Language-specific Settings

Please note that projects using some languages may require additional configuration. For information on what may be needed for your language, refer to the appropriate language page in the SonarQube documentation.

Running an analysis from the Codefresh Plugin

If you are using the predefined Codefresh pipeline, you just need to look up SonarQube under STEPS and you will find the custom plugin.

SonarQube analysis for predefined Codefresh steps

  • Select the sonar-scanner-cli
  • Copy and paste the step into your pipeline

Please customise the values within the step as follows:

  • SONAR_HOST_URL: '' # the value shipped with the plugin points to SonarCloud; if you run your own server, replace it with your server URL
  • SONAR_LOGIN: username or access token (generated above)
  • SONAR_PASSWORD: password if username is used
  • SONAR_PROJECT_BASE_DIR: set working directory for analysis

Here is our example step:

    sonar_scan:                  # step name; any unique name works
      type: "sonar-scanner-cli"
      stage: "push"
      arguments:                 # plugin inputs go under "arguments"
        SONAR_HOST_URL: '' # replace with your host url
        SONAR_LOGIN: "insert access token" # replace with your access token
        SONAR_PROJECT_BASE_DIR: "/codefresh/volume/sonarqube-example" # replace with your working directory

Once the values are specified, save and run your pipeline.
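As an added example (not taken from the page or from the Codefresh plugin directory), here is a complete pipeline that clones the repository and then runs the sonar-scanner-cli step, with the token supplied through a pipeline variable instead of being written into the YAML. The git context name `github`, the host URL, the stage names and the variable name `SONAR_TOKEN` are assumptions; `SONAR_TOKEN` is expected to be defined as an encrypted variable in the pipeline settings, and the `CF_*` variables are the ones Codefresh populates for every build.

```yaml
version: "1.0"

stages:
  - "clone"
  - "scan"

steps:
  main_clone:
    title: "Cloning repository"
    type: "git-clone"
    stage: "clone"
    repo: "${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}"
    revision: "${{CF_REVISION}}"
    git: "github"                      # assumed name of your git context

  sonar_scan:
    title: "Running SonarQube analysis"
    type: "sonar-scanner-cli"
    stage: "scan"
    arguments:
      SONAR_HOST_URL: "https://sonarqube.example.com"   # placeholder; use your server or SonarCloud URL
      # The token lives in an encrypted pipeline variable, so it never
      # appears in the repository or in the pipeline definition.
      SONAR_LOGIN: "${{SONAR_TOKEN}}"
      # Clone step checks out into the shared volume under the repo name,
      # so point the scanner at that directory (where sonar-project.properties lives).
      SONAR_PROJECT_BASE_DIR: "${{CF_VOLUME_PATH}}/${{CF_REPO_NAME}}"
```

Keeping the token in an encrypted variable rather than in the step, as the page's inline `SONAR_LOGIN: "insert access token"` placeholder would otherwise invite, means the value is masked in build logs and can be rotated per project without touching the pipeline YAML.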

Viewing the SonarQube analysis

Once the Codefresh build has started, you can check the logs and monitor the progress of the analysis.

SonarQube analysis

Once the analysis is complete, you can visit the SonarQube dashboard and see the most recent analysis of the project.

SonarQube project

Then you can drill down and view the various statistics.

SonarQube Analysis details