SonarQube Code Review Tool

Basic Documentation

SonarQube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.

Overview

In a typical development process:

  1. Developers write and merge code in an IDE (preferably using SonarLint to receive immediate feedback in the editor) and check in their code to their DevOps Platform.
  2. An organization’s continuous integration (CI) tool checks out, builds, and runs unit tests, and an integrated SonarQube scanner analyzes the results.
  3. The scanner posts the results to the SonarQube server, which provides feedback to developers through the SonarQube interface, email, in-IDE notifications (through SonarLint), and decoration on pull or merge requests.

Setting Up Analysis

Analyzing your code starts with installing and configuring a SonarQube scanner. The scanner can run either as part of your build or as part of your continuous integration (CI) pipeline, performing a scan whenever your build process is triggered.

Analyzing Branches

Starting in Developer Edition, you can analyze your branches in SonarQube, and ensure that your code quality is consistent all the way down to the branch level in your projects.

Analyzing Pull Requests

Starting in Developer Edition, you can integrate SonarQube into your pull or merge request process. Issuing a pull request can trigger a branch analysis and add pull request decoration, so you see the branch analysis directly in your DevOps Platform’s interface in addition to the SonarQube interface.

Tools for Writing Clean and Safe Code

SonarQube gives you the tools you need to write clean and safe code:

  • SonarLint – SonarLint is a companion product that works in your editor giving immediate feedback so you can catch and fix issues before they get to the repository.
  • Quality Gate – The Quality Gate lets you know if your project is ready for production.
  • Clean as You Code – Clean as You Code is an approach to code quality that eliminates a lot of the challenges that come with traditional approaches. As a developer, you focus on maintaining high standards and taking responsibility specifically in the New Code you’re working on.
  • Issues – SonarQube raises issues whenever a piece of your code breaks a coding rule, whether it’s an error that will break your code (bug), a point in your code open to attack (vulnerability), or a maintainability issue (code smell).
  • Security Hotspots – SonarQube highlights security-sensitive pieces of code that need to be reviewed. Upon review, you’ll either find there is no threat or you need to apply a fix to secure the code.

Administering a Project

If you have the Create Projects permission (a global administrator can set permissions at Administration > Security > Global Permissions), you can create and administer projects.

A project is created automatically on its first analysis. However, you can provision projects (set up permissions, Quality Profiles, etc.) before running the first analysis.

You also want to make sure SonarQube’s results are relevant. To do this, you need to narrow the focus, that is, configure what to analyze for each project.

You can also set up Webhooks to notify external services when a project analysis is complete.
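A webhook receiver is the natural place to act on both points above: an external service should reject posts that do not carry a valid signature and then gate a release on the Quality Gate status. The example below is added here and is not SonarQube's own code; the payload is a constructed sample with the documented field names, the secret is a placeholder, and the signature is checked against the X-Sonar-Webhook-HMAC-SHA256 header that SonarQube sets when a webhook secret is configured.

```python
import hashlib
import hmac
import json

# Constructed sample of the JSON body SonarQube posts after an analysis.
SAMPLE_BODY = json.dumps({
    "serverUrl": "https://sonarqube.example.internal",
    "taskId": "TASK-ID-PLACEHOLDER",
    "status": "SUCCESS",
    "analysedAt": "2024-01-15T10:22:31+0000",
    "project": {"key": "payments-api", "name": "Payments API"},
    "branch": {"name": "main", "type": "BRANCH", "isMain": True},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_security_hotspots_reviewed", "operator": "LESS_THAN",
             "value": "50.0", "status": "ERROR", "errorThreshold": "100"},
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "85.2", "status": "OK", "errorThreshold": "80"},
        ],
    },
}).encode()

WEBHOOK_SECRET = b"example-shared-secret"  # placeholder; use the secret set on the webhook

def expected_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, as SonarQube computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time comparison against the X-Sonar-Webhook-HMAC-SHA256 header."""
    if not header_value:
        return False
    return hmac.compare_digest(expected_signature(secret, body), header_value)

def evaluate(secret: bytes, headers: dict, body: bytes) -> dict:
    """Reject forged or unsigned posts, then decide whether the release may proceed."""
    if not verify_signature(secret, body, headers.get("X-Sonar-Webhook-HMAC-SHA256")):
        return {"accepted": False, "reason": "bad or missing signature"}
    event = json.loads(body)
    gate = event.get("qualityGate", {})
    # Only a completed analysis with a passing gate unblocks the pipeline.
    failing = [c["metric"] for c in gate.get("conditions", []) if c.get("status") == "ERROR"]
    return {"accepted": True, "project": event["project"]["key"],
            "release_allowed": event.get("status") == "SUCCESS" and gate.get("status") == "OK",
            "failing_conditions": failing}
```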

Administering an Instance

If you’re a global administrator, you can set up authentication, administrator access, and authorization.

You can also set up email notifications that developers can subscribe to that are sent at the end of each analysis.

When you run new analyses on your projects, some data is cleaned out of the database to save space and improve performance. This is known as Housekeeping. The Housekeeping page describes which data is cleaned and lets you change the related settings.
