SonarQube is a platform for automated code review and static code analysis; its Community Edition is free and open source. It can be used to:
- Find bugs
- Detect code smells
- Detect security vulnerabilities (and flag security hotspots that need a manual review)
- Track and enforce code quality over time
Integrating SonarQube with Azure DevOps lets you keep your Azure DevOps repositories secure and of high code quality.
Both Azure DevOps Server and Azure DevOps Services are compatible with it.
With this integration, you can:
- Import your Azure DevOps repositories into SonarQube to set up SonarQube projects quickly.
- Use Azure Pipelines to analyze projects and make the analysis part of your build process.
- View your Quality Gate result and code metrics directly in Azure DevOps, to decide whether it is safe to merge your changes.
The first step is to create a Windows virtual machine (we used an Azure VM).
The second step is to install SonarQube on that machine. There are two choices here:
- Host SonarQube ourselves, on a VM or an on-premises server.
- Or use SonarCloud, the hosted SonarQube service.
We will use the first option.
Download the zip file for SonarQube Community Edition from the SonarQube site.
After downloading and extracting the archive, run StartSonar.bat from the bin\windows-x86-64 folder of the extracted directory. SonarQube needs a supported Java runtime installed on the machine; a missing or wrong Java version is the most common reason the server fails to start.
Once the server reports that it is up, open the dashboard by typing http://localhost:9000 into your browser. The first login uses the built-in administrator account (admin/admin); change that password immediately, before the port is exposed to the network.
The Azure DevOps agent must be able to reach SonarQube on port 9000, the port the server listens on by default. Nothing opens that port on the VM's network security group automatically, so we must add an inbound rule for it. Once the rule is in place, the SonarQube dashboard is reachable through the public IP of the machine on which SonarQube was set up.
To open the port on the Azure VM:
In the VM's blade click "Networking," choose "Inbound port rules," click "Add inbound port rule," and fill in the details (destination port 9000, protocol TCP). You should then be able to open the dashboard by typing http://<public IP of the machine>:9000 into your address bar.
Two cautions before doing this: restrict the rule's source to the IP range of your build agents (or use a self-hosted agent on the same virtual network and the VM's private IP) rather than "Any", and remember that plain HTTP sends the analysis token and analysis data in cleartext, so for anything beyond a test setup put SonarQube behind a TLS reverse proxy and point the service connection at the https URL.
Everything is in place at this point, and we can start building our CI pipeline.
Go to your Azure DevOps project, create a new pipeline, and start from an Empty job.
The following phase will involve adding SonarQube tasks to the pipeline.
Here we use a Maven project (with a pom.xml) stored in Azure Repos as the source code. Substitute your own repository. Alternatively, you can use .NET C# code; in that case the pipeline configuration differs slightly, as explained below.
Let's build the CI pipeline.
Add the "Prepare Analysis Configuration" task for SonarQube to the pipeline.
Before the build starts, this task sets up the scanner settings; it acts as the SonarQube initialization step of the pipeline.
SonarQube server endpoint:
You must create a service connection between Azure DevOps and SonarQube, supplying the server URL (http://<public IP of virtual machine>:9000) and an authentication token.
(In the SonarQube dashboard, select My Account > Security > Generate Tokens.) The token is stored in the service connection, so it never appears in the pipeline definition; treat it like a password, and revoke it from the same page if it leaks.
As described above, a firewall rule in the network of our Azure VM is needed so that port 9000 can be reached. The details of this step depend on your infrastructure and network configuration, but the basic idea does not change: if you install SonarQube on an on-premises server behind a firewall, you will need to open the SonarQube port in that firewall. Depending again on your network configuration, the service connection can point at the VM's private IP address or its public IP address.
- Choose how the analysis is run:
- "Integrate using Maven or Gradle" is the option we chose.
- Select the "Integrate with MSBuild" option if you have C# code.
- Leave the remaining fields at their defaults.
- Add the Maven task.
- We use this task because our sample code is a Maven project with a pom.xml; the build task you choose depends on your code.
The task needs the following information:
Maven has a built-in build lifecycle made up of phases; each phase consists of a series of goals, each responsible for a different duty.
We used the goal "test", which compiles the code and runs the unit tests so that test results are available to the analysis. With the task's "Run SonarQube or SonarCloud analysis" option enabled, the Maven task runs the sonar goal after "test", using the settings from the prepare step.
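The same pipeline written as YAML, as an added example that is not from the original post. It assumes a service connection named `sonarqube-vm` (a hypothetical name) that points at http://<public IP of virtual machine>:9000 and holds the token generated above, and a Maven project with its pom.xml at the repository root:

```yaml
# azure-pipelines.yml (added example; not from the original post)
# Assumptions: a service connection 'sonarqube-vm' (hypothetical name) that
# stores the server URL and the user token, and pom.xml at the repo root.
trigger:
  - main

pool:
  vmImage: 'windows-latest'   # any agent that can reach port 9000 on the VM

steps:
  # 1. Prepare Analysis Configuration: wires the scanner to the server.
  #    The token lives in the service connection, never in this file.
  #    sonar.qualitygate.wait makes the scanner wait for the Quality Gate
  #    and fail the build if it does not pass, instead of only reporting it.
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'sonarqube-vm'
      scannerMode: 'Other'          # "Integrate using Maven or Gradle"
      extraProperties: |
        sonar.qualitygate.wait=true
        sonar.qualitygate.timeout=300

  # 2. Maven build. 'test' compiles and runs the unit tests;
  #    sonarQubeRunAnalysis appends the sonar goal using the settings from step 1.
  - task: Maven@4
    inputs:
      mavenPomFile: 'pom.xml'
      goals: 'test'
      publishJUnitResults: true
      testResultsFiles: '**/surefire-reports/TEST-*.xml'
      sonarQubeRunAnalysis: true
      sqMavenPluginVersionChoice: 'latest'

  # 3. Publish Quality Gate Result: attaches the gate status and metrics
  #    to the build summary in Azure DevOps.
  - task: SonarQubePublish@5
    inputs:
      pollingTimeoutSec: '300'

  # For a .NET/C# project, replace steps 1 and 2 with the following and
  # keep step 3 unchanged ('my-dotnet-app' is a hypothetical project key):
  #   - task: SonarQubePrepare@5
  #     inputs:
  #       SonarQube: 'sonarqube-vm'
  #       scannerMode: 'MSBuild'       # "Integrate with MSBuild"
  #       projectKey: 'my-dotnet-app'
  #   - task: DotNetCoreCLI@2
  #     inputs:
  #       command: 'build'
  #       projects: '**/*.csproj'
  #   - task: SonarQubeAnalyze@5       # "Run Code Analysis" (scanner end step)
```

Without `sonar.qualitygate.wait`, the Publish task only shows the Quality Gate result on the build summary and a failed gate still leaves the build green; set it when the gate is meant to block merges. If the VM is only reachable on its private IP, replace the hosted pool with a self-hosted agent on the same virtual network.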
Adding SonarQube code scanning to an Azure DevOps pipeline
Incorporating SonarQube code quality and security scanning into your codebase is straightforward thanks to the SonarQube extension on the Azure DevOps Marketplace, which provides the Prepare Analysis Configuration, Run Code Analysis and Publish Quality Gate Result tasks.
Integrating SonarQube with Azure DevOps Server lets you keep your Azure DevOps Server repositories secure and of high code quality. The steps above should help you integrate SonarQube with Azure DevOps.