Combining SonarQube and Azure DevOps

Code analysis is a best practice in any continuous integration pipeline, and SonarQube can be used in combination with Azure DevOps. If you do not know SonarQube: it is a tool that centralizes static code analysis and unit test coverage. It supports multiple languages and scales from a single project up to enterprise use.

SonarQube can be used as a SaaS product or hosted on your own instance. SonarQube describes the product as follows:

SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically.

This sounds interesting, and when it is useful for your situation it should be placed within a continuous integration pipeline. But how do we get started?

SonarQube Deployment

To get started with SonarQube I used an installation on an Azure App Service created by a Premier Field Engineer from Microsoft. The blog post below contains an ARM template that really makes it a single-click install.

You might wonder why I chose the Azure App Service deployment:

  • No license needed
  • You do not have to create and manage a Virtual Machine.
  • Setting up SSL is easier.
  • You can easily integrate other Azure services like Azure Key Vault.
  • Other features of the Azure App Service could be used like deployment slots.

Note: when you use the “Deploy to Azure” button and have a resource group naming policy in place, you need to temporarily disable that policy. The “Deploy to Azure” method validates the template by creating a test resource group with a GUID as its name, which such a policy blocks.

Deploying the resources will not take long. Starting SonarQube is a different story: depending on the hosting platform it can take up to 15 minutes.

[Screenshot: sonarqube starting]

When the tooling has started, log in with the default admin credentials (admin/admin). Change them immediately after your first login: an App Service is reachable from the internet, and a SonarQube instance still running with default credentials gives anyone who finds it administrative access to your analysis results and tokens.

SonarQube Configuration

To send information to SonarQube a token is needed. To generate a token, click on your name in the top right corner and select “My Account”.

[Screenshot: sonarqube settings]

On the “My Account” screen select “Security”.

[Screenshot: tokens]

Fill in a name for the token and click on Generate. Copy the token now: SonarQube shows it only once, and it authenticates as your user, so store it in a secret store (the Azure DevOps service connection or Azure Key Vault) rather than in pipeline definitions or source control. The next step is to create a new project within SonarQube. The project is the central store for the analysis information of your code. To create a new project, click on the “+” sign next to your name.

Fill in the appropriate information and select the main language of your project.

[Screenshot: analyse project]

The project is now ready, and we can start to configure Azure DevOps to send the analysis information to your SonarQube environment.
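The configuration steps above (change the default password, generate a token, create a project) can also be done over SonarQube's web API, which is what you want when the instance is deployed from a template rather than by hand. The script below is an added example, not code from the original post or from SonarSource. It assumes the documented endpoints /api/system/status, /api/users/change_password, /api/user_tokens/generate and /api/projects/create; the URL, password and project names passed in by callers are placeholders. It does the steps in the order that keeps the instance safe: wait until the server reports UP, replace admin/admin while those credentials are still valid, then generate the token and create the project.

```python
"""Bootstrap a freshly deployed SonarQube instance over its web API.

Added example; not code from the original post or from SonarSource.
Assumptions: the documented SonarQube endpoints named below; the URL,
password and project names given by callers are placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def urllib_get(url: str) -> dict:
    """Real transport for unauthenticated GET requests (JSON reply)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def urllib_post(url: str, form: dict, auth_header: str) -> dict:
    """Real transport: POST a form-encoded body with an Authorization header."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def wait_for_up(base_url: str, get=urllib_get, attempts: int = 90,
                delay: float = 10.0, sleep=time.sleep) -> int:
    """Poll /api/system/status until it reports UP (startup on an App Service
    can take up to 15 minutes). Returns the number of polls that were needed."""
    base = base_url.rstrip("/")
    for n in range(1, attempts + 1):
        try:
            if get(base + "/api/system/status").get("status") == "UP":
                return n
        except OSError:
            pass  # server not accepting connections yet (URLError is an OSError)
        sleep(delay)
    raise TimeoutError(f"SonarQube at {base} did not report UP after {attempts} polls")


def bootstrap(base_url, new_admin_password, token_name, project_key, project_name,
              post=urllib_post):
    """Change the default password, generate a token and create a project.

    Returns (token, project_key). SonarQube returns the token only in this one
    response, so the caller must put it in a secret store; it is never printed
    or logged here.
    """
    if new_admin_password == "admin" or len(new_admin_password) < 12:
        raise ValueError("pick a new admin password of at least 12 characters")
    base = base_url.rstrip("/")
    # 1. Last use of the default credentials: replace them before anything else.
    post(base + "/api/users/change_password",
         {"login": "admin", "previousPassword": "admin", "password": new_admin_password},
         basic_auth("admin", "admin"))
    auth = basic_auth("admin", new_admin_password)
    # 2. Generate the token the Azure DevOps service connection will use.
    token = post(base + "/api/user_tokens/generate", {"name": token_name}, auth)["token"]
    # 3. Create the project that will hold the analysis results.
    post(base + "/api/projects/create", {"project": project_key, "name": project_name}, auth)
    return token, project_key


if __name__ == "__main__":
    import getpass
    import os
    url = os.environ.get("SONAR_URL", "http://localhost:9000")  # placeholder default
    wait_for_up(url)
    tok, key = bootstrap(url, getpass.getpass("New admin password: "),
                         "azure-devops", "my-project", "My Project")
    print(f"project {key} created; token generated (length {len(tok)}), "
          "store it in the service connection")
```

The transports are injectable so the sequencing can be exercised without a server; against a real instance, run it once right after the App Service reports the site as started, and hand the returned token to the service connection described below rather than keeping it on disk.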

Azure DevOps Extension

To use SonarQube within Azure DevOps an extension needs to be installed. Here you can find the links to the extensions for SonarQube:

Build Pipeline

In your Azure DevOps project, create a new pipeline or open a pipeline that you want to extend. Press the button to add a new task and search for “Sonar”; you will see the available tasks shown below. The three tasks selected are the ones for the self-hosted version of SonarQube.

[Screenshot: sonarqube extensions]

We will start with “Prepare Analysis Configuration”, then “Run Code Analysis”, and finally “Publish Quality Gate Result”.

Prepare Analysis Configuration

“Prepare Analysis Configuration” is the most important task. With this task you configure the agent job to work correctly with SonarQube; the two other tasks rely on the settings made here.

[Screenshot: prepare]

To establish the connection the task needs a SonarQube service endpoint (service connection). To create a new one, click the “New” button and, in the configuration window, fill in the server URL and the token you generated earlier.

[Screenshot: sonarqube service connection]

In the task itself fill in the project key and the project name. The task is now configured, which means the other tasks can be added to the pipeline. The other two tasks do not need any additional configuration.

[Screenshot: run code analysis]

If you want to include test results, make sure to add the “Run Code Analysis” task after the “Test Assemblies” task, as in the screenshot above, so that the test and coverage output already exists when the analysis runs.
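The same three tasks, with the test step in between, expressed as a YAML pipeline. This is an added example, not a pipeline from the original post or from the SonarQube extension's documentation. The service connection name SonarQube-AppService, the project key and name, and the solution pattern are placeholders; the task major versions (@4) are the ones the SonarQube extension offered at the time of writing, so check what your installed extension provides.

```yaml
# Added example (not from the original post): the classic-editor tasks above as YAML.
# 'SonarQube-AppService' is an assumed service connection name holding the server
# URL and the token; keep the token there or in Key Vault, never in this file.
trigger:
  - master

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'

steps:
  - task: NuGetToolInstaller@1

  - task: NuGetCommand@2
    inputs:
      restoreSolution: '**/*.sln'

  # 1. Prepare Analysis Configuration: must run before the build, because in
  #    MSBuild mode the scanner hooks into the compilation that follows.
  - task: SonarQubePrepare@4
    inputs:
      SonarQube: 'SonarQube-AppService'   # service connection (placeholder name)
      scannerMode: 'MSBuild'
      projectKey: 'my-project'            # key entered when the project was created
      projectName: 'My Project'

  - task: VSBuild@1
    inputs:
      solution: '**/*.sln'
      configuration: '$(buildConfiguration)'

  # Test Assemblies: run with code coverage enabled so there is something to import.
  - task: VSTest@2
    inputs:
      testAssemblyVer2: |
        **\*test*.dll
        !**\obj\**
      codeCoverageEnabled: true

  # 2. Run Code Analysis: after the tests, so the test and coverage output exists.
  - task: SonarQubeAnalyze@4

  # 3. Publish Quality Gate Result: waits for the server-side quality gate and
  #    marks the build with its outcome.
  - task: SonarQubePublish@4
    inputs:
      pollingTimeoutSec: '300'
```

The ordering is the whole point: Prepare before the build, Analyze after the tests, Publish last. Moving the analysis task above the test task silently drops test and coverage data from the report, which is the situation the paragraph above warns about.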

[Screenshot: sonarqube results]

In the coming days and weeks I will look at more functionality and share more information on this blog.

18 Replies to “Combining SonarQube and Azure DevOps”

  1. Can you explain to me how I can force the analysis on a test project in C#? I have one solution with 2 projects and one of them is considered a test project, so Sonar doesn't analyse it and I want to force the analysis on this project.

    Thanks

  2. Hello, I have configured SonarQube to analyse my project, and then I want to know the coverage of unit tests, but I can't complete this process of uploading the coverage file to the SonarQube server.

    Do you find any way to do this? Have you tried it?

    Thank you in advance, regards

  3. We have successfully implemented SonarQube analysis for the majority of our projects. Only the one that needs VS2015 for the build process does not work properly. Everything seems to be fine, but when you dig into the log of the analysis step it says “0 files indexed” and nothing is showing up in SQ.

    INFO: Indexing files of module ‘Model4x’
    INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Model4x
    INFO: Source paths: Action.cs, ActionsDeletedMoved.cs, ActionTypes.cs, ActiveUser…
    INFO: Excluded sources for coverage: **/*.js
    INFO: Indexing files of module ‘Core’
    INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Core
    INFO: Source paths: Data/EntityFramework/Dynamic.cs, Data/EntityFramework/EntityF…
    INFO: Excluded sources for coverage: **/*.js
    INFO: Indexing files of module ‘Infrastructure’
    INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Infrastructure
    INFO: Source paths: Attributes/ResourceAttribute.cs, Entities/Actions/DeleteActio…
    INFO: Excluded sources for coverage: **/*.js
    INFO: Indexing files of module ‘connext’
    INFO: Base dir: D:\a\1\s
    INFO: Excluded sources for coverage: **/*.js
    INFO: 0 files indexed
    INFO: 0 files ignored because of scm ignore settings

    I have been trying to find differences between this project's pipeline/SQ setup and the others, but the only thing I found is the Visual Studio version and the corresponding Azure host machine.

  4. Do you have any article about implementing SonarQube in a CI Azure DevOps pipeline for a .NET Core project?

  5. Hello, when I want to replicate your steps I get this error “##[error][SQ] API GET '/api/server/version' failed, the error was: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}” in the step Prepare the analysis in SonarQube. Can you help me? Thank you

  6. Hi Maik,
    thanks for the nice article!
    I have 2 questions concerning ABAP language checks:
    1. On top of the existing rules, can we add any additional standard rules?
    2. Can we add custom rules which are more company-specific coding standards, like naming convention checks, comments etc.?

    Thanks
    Prasanth P

  7. Hi Maik,
    Thanks for the detailed article!

    Can we get analysis for PR branches? I can see currently the PR branch showing status green although the development branch where it is merging is red – in failed state.

  8. Hi Maik,

    Is it possible to restrict 80/443 access just to Azure DevOps? I'm not a fan of allowing traffic from unknown IP ranges. I couldn't find the ranges that my Azure DevOps agents use; it looks like Azure needs to update its documentation..

    Thanks in advance.
