SonarQube
SonarQube is a code analysis tool that detects coding issues across multiple programming languages. It is widely used as a pipeline stage to enforce code quality, covering maintainability, reliability, security issues, and more.
It can be integrated with various tools such as GitHub Actions, GitLab, Bitbucket, Jenkins, and others.
The idea is to create a quality standard that code must meet before being merged, trying to respect clean code principles. SonarQube classifies code through metrics, but we can also add custom rules.
We can use SonarQube in pull request automation to save reviewers' time by rejecting code that doesn't meet quality standards and optimizing the team's workflow.
Additionally, SonarQube provides code improvement suggestions and a first stage of static application security analysis.
There is a plugin called SonarLint that can be integrated with your IDE to help provide real-time feedback on code quality before going through SonarQube analysis. We can use this tool to avoid running a pipeline only to discover later that the code isn't as good as it should be.
For VS Code, we have the SonarLint extension. Java Runtime version 17 is required.
There are 4 different versions, with only the Community edition being free.
Deploying the tool on your own infrastructure does not exempt you from paying for licenses for the other editions.
SonarQube Cloud also offers a free option if you don't want to deploy on your own infrastructure.
Cloud vs Self-Hosted
Advantages of SonarCloud Free
- Easy Setup
- Automatic Updates
- Scalability
- Integration with repositories like GitHub, GitLab, Bitbucket, and Azure DevOps, which facilitates CI/CD pipeline configuration.
Advantages of Using Your Own Infrastructure with SonarQube
- Full Control: When you host SonarQube on your own infrastructure, you have complete control over configuration, security, access, and customization. This is crucial for companies with specific compliance and security requirements.
- Data Privacy and Security
- Integration with Internal Tools: It may be easier to integrate SonarQube with other internal company tools and systems, such as corporate authentication systems (LDAP/AD), internal dashboards, and monitoring tools.
- Support for Custom Installations: If you need advanced configurations or specific features available only in paid SonarQube editions (Developer, Enterprise, Data Center), deploying on your own infrastructure may be more suitable.
- Customization and Extensibility: SonarQube allows you to develop custom plugins or use third-party plugins to extend its functionality. This may be limited in SonarCloud.
- Requirements: 2 cores, 4GB of RAM and 30GB of free disk space for smaller environments; 8 cores and 16GB of RAM for larger environments. A Java 17 runtime is required, either JRE or OpenJDK. SSDs are highly recommended; conversely, network-mounted disks will significantly worsen performance.
If the tool is not adopted by the company and you still want to use it, you can run it on your machine for personal development improvement using containers. This way, we avoid having to install the necessary requirements and can spin it up and destroy it anytime using the Community license.
This practice is also useful for pipeline setups: spin up a container, analyze the code, and destroy it immediately afterward.
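As an added example (not code from the original post), the ephemeral-container flow just described as a POSIX shell script: start the Community image, wait for the server to report UP, scan the working directory with the scanner CLI image, and tear the container down. It assumes Docker and curl are available on a Linux host, that SONAR_TOKEN already holds a token provisioned on that server, and uses placeholder image names, port and project key.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: docker and curl are
# installed (Linux host, so --network host works), the project is in the current
# directory, and SONAR_TOKEN is a token already generated on the server.
# Image names, port and project key are placeholders you can override via env.
SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:community}"
SCANNER_IMAGE="${SCANNER_IMAGE:-sonarsource/sonar-scanner-cli}"
SONAR_PORT="${SONAR_PORT:-9000}"
PROJECT_KEY="${PROJECT_KEY:-demo-project}"   # placeholder project key
CONTAINER="sonar-ephemeral-$$"

# Pull the "status" value (STARTING, UP, ...) out of the JSON body returned by
# GET /api/system/status, without depending on jq. Pure function, easy to test.
sonar_status_field() {
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([A-Za-z_]*\)".*/\1/p'
}

# Poll the server until it reports UP; give up after $1 attempts (default 60).
wait_for_sonar() {
  attempts="${1:-60}"
  while [ "$attempts" -gt 0 ]; do
    body="$(curl -fs "http://localhost:${SONAR_PORT}/api/system/status" 2>/dev/null || true)"
    [ "$(sonar_status_field "$body")" = "UP" ] && return 0
    attempts=$((attempts - 1)); sleep 5
  done
  echo "SonarQube did not come up in time" >&2; return 1
}

run_ephemeral_analysis() {
  # SonarQube's embedded Elasticsearch needs a raised vm.max_map_count on Linux.
  docker run -d --name "$CONTAINER" -p "${SONAR_PORT}:9000" "$SONAR_IMAGE" >/dev/null
  # Always destroy the container, even if the wait or the scan fails.
  trap 'docker rm -f "$CONTAINER" >/dev/null 2>&1' EXIT
  wait_for_sonar || return 1
  # -Dsonar.qualitygate.wait=true makes the scanner exit non-zero when the
  # quality gate fails, which is what fails the pipeline step.
  docker run --rm --network host -v "$PWD:/usr/src" \
    -e SONAR_HOST_URL="http://localhost:${SONAR_PORT}" -e SONAR_TOKEN \
    "$SCANNER_IMAGE" \
    -Dsonar.projectKey="$PROJECT_KEY" -Dsonar.qualitygate.wait=true
}

# Only run the real workflow when explicitly asked, so the file can be sourced.
if [ "${SONAR_RUN:-0}" = "1" ]; then
  run_ephemeral_analysis
fi
```

Run it with `SONAR_RUN=1 SONAR_TOKEN=<token> sh sonar-ephemeral.sh` from the project root; the step's exit code then reflects the quality gate.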