SonarQube
- Open-source code Analysis tool, sonarqube.org
- Helps you to see your project's technical debt
- Detect bugs, vulnerabilities, code smells, coverage…
SonarQube & Azure Repos
- See labs
- Steps:
- (If you don’t have SonarQube) Create a VM with a container running the SonarQube image
- Ensure port 8080 is open on the VM/container so it can communicate with Azure DevOps
- Create a project in SonarQube
- It’ll give you an authentication token you’ll need (you can also use an existing token)
- It also gives you scripts to run for different languages/frameworks
- You’ll use the name of this project in the service connection.
- You create service connection for SonarQube.
- You can use the token from the SonarQube project or generate a new token in the security section of SonarQube
- In organization settings add the SonarQube extension
- It gives you tasks to execute in the following order:
- Prepare Analysis Configuration
- Before executing the build
- Run Code Analysis
- Not required for Maven or Gradle projects, because the scanner runs as part of the Maven/Gradle build.
- Publish Quality Gate Result
- Optional to display the Quality Gate status in the build summary
- You can analyze the results on the SonarQube server
- Set up a pull-request integration:
- Create a Personal Access Token in Azure DevOps.
- Configure SonarCloud to analyze pull requests
- In Pull Requests tab set provider to Azure DevOps Services
- Configure the branch policy for the project in Azure DevOps
- Set the SonarQube pipeline as the build definition.
- Block pull requests if the Code Quality check failed
- Branch Policy => Add status policy => SonarCloud/quality gate and mark requirement as Required
- Tasks to run:
- Prepare Analysis Configuration
- Run Code Analysis (not required)
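The task order above, written out as an Azure Pipelines YAML file. This is an added example, not part of the original notes; the service connection name `sonarqube-svc`, the project key `my-app` and the .NET build step are assumptions.

```yaml
# Added example: Azure Pipelines YAML with the SonarQube tasks in the order the
# notes describe. Assumed names: service connection 'sonarqube-svc', SonarQube
# project key 'my-app', and a .NET solution built with DotNetCoreCLI.
trigger:
  branches:
    include: [ main ]

pr:
  branches:
    include: [ main ]   # run on pull requests so the Quality Gate can gate merges

pool:
  vmImage: 'ubuntu-latest'

steps:
# 1. Prepare Analysis Configuration: must run BEFORE the build step.
#    The SonarQube token is stored in the service connection, never in the YAML.
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'sonarqube-svc'        # assumed service connection name
    scannerMode: 'MSBuild'
    projectKey: 'my-app'              # assumed; use the key SonarQube gave you
    projectName: 'my-app'

# The build itself: in MSBuild mode the scanner hooks into this step.
- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'

# 2. Run Code Analysis: after the build. Omit for Maven/Gradle projects,
#    where the scanner runs as part of the build instead.
- task: SonarQubeAnalyze@5

# 3. Publish Quality Gate Result: optional; shows the gate status in the build
#    summary and is the status the branch policy checks on pull requests.
- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'
```

With this pipeline set as the build definition and the quality gate status policy marked Required, a pull request whose analysis fails the gate cannot be completed.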