SonarQube is a powerful open-source tool that helps you maintain code quality and security by analyzing your codebase for bugs and vulnerabilities. And it can play a major role when integrated into your CI/CD pipeline.
In this tutorial, we will cover:
-
What is SonarQube?
-
How SonarQube Improves Code Quality
-
Step-by-step Installation and Configuration
-
How to Run Your First Code Analysis
What is SonarQube?
SonarQube is an open-source tool that checks for code quality continuously. It analyzes code to find issues like duplication, bad practices, test coverage gaps, bugs, and vulnerabilities, giving detailed reports. It works with many programming languages like Java, C#, JavaScript, Python, TypeScript, and Kotlin.
You can add SonarQube to your CI/CD pipelines, IDEs, and version control systems like GitHub, GitLab, or Bitbucket. It provides detailed dashboards that show metrics, trends, and issues in your code.
You can use custom rules to enforce coding standards and reduce technical debt. SonarQube also supports code coverage analysis to help teams improve their tests. With the Quality Gate feature, teams can ensure only clean, maintainable code goes into production.
SonarQube offers both free and paid versions to suit any team size. Overall, it helps improve software quality and encourages good coding practices.
How Does SonarQube Improve Code Quality?
Here’s how SonarQube helps improve code quality:
-
Early bug detection: Identifies bugs before they reach production
-
Improved maintainability: Highlights code and design issues
-
Security insights: Identifies vulnerabilities and security risks
-
Code coverage: Integration with testing tools to monitor unit test coverage
-
Customizable rules: Allows teams to set coding standards and policies
-
Team collaboration: Ensures consistent code quality across development teams
Step-by-Step Installation and Configuration
Prerequisites:
Here are the prerequisites that you will need before installing SonarQube
-
Java Runtime Environment(JRE): Java 11 or above installed in your system.
-
System Requirements: 2GB RAM minimum (Recommended: 4GB+).
-
MacOS: You can use HomeBrew, which is the package manager for MacOS that simplifies the installation of software.
Below are the steps to install SonarQube in your local machine:
Download SonarQube
Download the software from sonarsource downloads and choose the Community Edition for open-source projects.
Extract and Configure
To install SonarQube, you need to run the below command to unzip the file:
unzip sonarqube-<version>.zip
cd sonarqube-<version>/bin/<your-OS-folder>
Start SonarQube
On Linux/Mac, you need to run the below command:
./sonar.sh start
On Windows, you need to run this one:
StartSonar.bat
Access SonarQube
To access SonarQube, you need to open browser and go to: http://localhost:9000
Enter the default credentials:
-
Username:
admin -
Password:
admin(you’ll be prompted to change it)
The page will look similar to below:
Set Up SonarQube in Your Project
To set up SonarQube in your project, start by opening the Java project on your machine. In the project root, create a sonar-project.properties file.
Add the below key value pairs in the file:
sonar.projectKey=spring-myproject
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.sources=.
sonar.host.url=http://localhost:9000
How to Run Your First Code Analysis
Configure and Run SonarScanner
SonarScanner is the tool that actually sends your code to SonarQube for analysis. Below are the detailed steps to follow to use it:
Install SonarScanner:
On Windows/Linux, download the software from SonarSource and unzip it:
unzip sonar-scanner-cli-<version>.zip
On MacOS, run the below command:
>brew install sonar-scanner
For both Windows/Linux and MacOS, verify the install by running the below command:
>sonar-scanner -v
Configure SonarScanner
After installing SonarScanner, you’ll need to configure it by setting the SonarQube server URL and authentication token. Then go to your SonarQube profile (top-right corner > My Account > Security) and generate a token.
Provide a name for the token and click ‘Generate’:
In the sonar-project.properties file in your project, add ‘sonar.login’ property and save.
sonar.projectKey=test-project
sonar.projectName=Test Project
sonar.host.url=http://localhost:9000
sonar.login=<YOUR_TOKEN_HERE>
Run the Analysis
Once the SonarScanner is configured, you can start scanning your project.
In a terminal or command prompt, go to the root of your project (where sonar-project.properties is located).
Run the following command:
>sonar-scanner
SonarScanner will analyze your code and push the results to your local SonarQube server. Visit http://localhost:9000, and you’ll see your project listed on the dashboard.
To view the analysis report, go to http://localhost:9000/dashboard?id=java-sonar-demo:
If you go to the ‘Issues’ tab at top left corner, you can view different categories of Software Quality, Severity of the Issues, and various other attributes in your code.
Conclusion
Now you have installed and configured SonarQube and learned how to scan your code using SonarScanner. You can easily configure it in your projects for continuous code quality analysis.
This is a fantastic tool for keeping your code base clean and maintainable. As the next steps, you can consider adding test coverage reports, enforcing quality gates in your pipeline, and exploring SonarCloud for cloud-based analysis.
##
Source: freeCodeCamp Programming Tutorials: Python, JavaScript, Git & MoreÂ