Configuring SonarQube

SonarQube provides an overview of the overall health and quality of your source code and highlights issues that are found in new code. Its code analyzers detect hard-to-spot bugs, such as null-pointer dereferences, logic errors, and resource leaks, in more than 20 programming languages.

Configure SonarQube to continuously analyze and measure the quality of your source code:

  1. From the IBM Cloud console, click the Menu icon and select DevOps. On the Toolchains page, click the toolchain to open its Overview page. Alternatively, on your app's Overview page, on the Continuous delivery card, click View toolchain. Then, click Overview.

    a. Click Add a Tool.

    b. In the Tool Integrations section, click SonarQube.

  2. Type a name for this instance of the SonarQube tool integration.

  3. Type the URL for the SonarQube instance that you want to open when you click the SonarQube card from your toolchain.

  4. Optional: Type the user name that you use to connect to the SonarQube server.

    You need to specify a user name only if you use a password to connect to the SonarQube server. If you use an authentication token to connect, leave this field empty.

  5. Type the password or authentication token that you use to connect to the SonarQube server.

  6. If the server is not reachable from the public internet, select Advanced. In that case, IBM Cloud cannot validate the connection details that you provide, and functions that require API access to the server are disabled. The delivery pipeline can reach the server only through a private worker that has network access to it.

  7. Click Create Integration.

  8. On your Toolchain's Overview page, on the Third-Party tools card, click SonarQube to view the dashboard for the SonarQube instance that you connected to.

Adding SonarQube to the continuous integration pipeline

Default SonarQube instance

If you don't have your own SonarQube instance, the pipeline creates a SonarQube instance during the pipeline run. You can access this instance after the static-scan stage runs successfully.

Existing SonarQube instance

To add your own SonarQube instance to an existing pipeline, add the tool integration to your toolchain, and then set the sonarqube tool integration parameter on the pipeline to that integration.

Required parameters

To run the SonarQube scan, the pipeline needs the following continuous integration parameters:

Table 1. Continuous integration pipeline parameters

Name | Type | Description | Required or Optional
cluster-name | text | The name of the Docker build cluster. | Required
dev-region | text | The IBM Cloud region that hosts the cluster. | Required
opt-in-sonar | text | Enables the SonarQube scan. | Required
sonarqube | tool integration | The SonarQube tool integration to scan with. | Optional

For more information about pipeline parameters, see Pipeline parameters.

If you add multiple SonarQube tool integrations to your pipeline, you can switch between them by changing the value of the sonarqube pipeline parameter, which is a tool integration parameter.

Updating the quality gate

If you use the SonarQube instance that the pipeline created, you can update the default quality gate.

  1. Open the SonarQube dashboard by using the URL that the static-scan task prints in the pipeline logs.

    Figure 1. SonarQube dashboard

  2. Click Quality Gates > Create and create the new quality gate.

  3. Apply the new quality gate by using one of the following options:

    • Click Set as Default to make the newly created quality gate the default for all projects.
    • From the dashboard, select the project, click Project Settings > Quality Gate, and then select the newly created quality gate for that project.

  4. New scans of the project are evaluated against the quality gate that is associated with it, and evidence is created from the quality gate's results.

To learn more about SonarQube, see SonarQube Documentation.

Using your own configuration file

You can modify the default scan configuration without using your own SonarQube instance. Create a sonar-project.properties file in the root of the repo that you want to scan. If the pipeline script detects an existing sonar-project.properties file in the repo, it uses that file instead of the default configuration. For more information about the analysis parameters that the configuration file accepts, see Analysis Parameters in the SonarQube documentation.

Make sure that the configuration file points at the correct SonarQube host URL and that the scanner can authenticate against it. Be aware that any credential that you write into this file is committed to the repo, where everyone with read access to the repo can recover it; prefer supplying the token through a pipeline secret or environment variable where your scanner version supports that.
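An example sonar-project.properties for this setup, added here and not taken from the IBM page or from any project's repo. The project key, project name, source paths, exclusions, and server host are constructed values; the SONAR_TOKEN remark assumes a SonarScanner CLI version that reads that environment variable:

```properties
# sonar-project.properties (added example, constructed values)
# Identifies the project in SonarQube.
sonar.projectKey=example-service
sonar.projectName=Example Service
sonar.projectVersion=1.0

# Where the scanner looks for source and test files, relative to this file.
sonar.sources=src
sonar.tests=test
sonar.exclusions=**/node_modules/**,**/vendor/**,**/*.min.js

# The server the analysis is uploaded to. Use the same URL as the tool
# integration, and keep https so the token is not sent in clear text.
sonar.host.url=https://sonar.example.com

# Authentication. sonar.login accepts a user token. Setting it here commits
# the token to the repository, so anyone who can read the repo can upload or
# read analyses for this project. Prefer to leave the line out and supply
# the token from a pipeline secret, for example through the SONAR_TOKEN
# environment variable (assumption: a scanner version that reads it).
# sonar.login=<user-token>
```

The analysis parameter names (sonar.host.url, sonar.login, sonar.sources, sonar.exclusions) are the documented SonarQube ones; everything else in the file is placeholder content to be replaced with your own values.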

Using another static scan implementation

You can modify your .pipeline-config.yaml file to add your own custom script to the static-scan stage to use your own static scan implementation.
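A fragment showing where the custom script goes, added as an example and not taken from the IBM page or from any project's pipeline. The static-scan stage name and the image and script keys follow the DevSecOps .pipeline-config.yaml convention; the container image, the analyzer command name, and its flags are assumptions and must be replaced with your own:

```yaml
# .pipeline-config.yaml (fragment; added example, not from the IBM page)
# Stage name and the image/script keys follow the DevSecOps pipeline
# configuration convention. The image and the script body are assumptions.
static-scan:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:latest
  script: |
    #!/usr/bin/env bash
    set -euo pipefail
    # Run your own analyzer instead of the default SonarQube scan.
    # "your-static-analyzer" is a placeholder command. Exit non-zero when
    # findings exceed your threshold so the pipeline stops on a failed scan
    # instead of continuing with unreviewed code.
    your-static-analyzer --path . --report static-scan-report.json
```

Whatever analyzer you substitute, make the stage fail on findings you would not accept in the SonarQube quality gate; a script that always exits zero turns the static-scan stage into a formality.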

Configuring SonarQube by using the API

The SonarQube tool integration supports the following configuration parameters that you can use with the Toolchain HTTP API and SDKs when you create, read, and update tool integrations.

In the request body, set the tool_type_id property to sonarqube.

Table 2. SonarQube tool integration parameters

Parameter | Usage | Type | Terraform argument | Description
blind_connection | optional, updatable, default: false | Boolean | blind_connection | Set to true to instruct Continuous Delivery to skip validating the configuration of this integration. Also set it to true when the SonarQube server is not addressable on the public internet.
dashboard_url | required, updatable | String | server_url | The URL of the SonarQube server dashboard for this tool integration. In the graphical UI, the browser opens this dashboard when you click the SonarQube tool integration card.
name | required, updatable | String | name | The name of this tool integration.
user_login | optional, updatable | String | user_login | The user ID for authenticating with the SonarQube server. Leave it empty when you authenticate with a token.
user_password | optional, updatable | Password | user_password | The password or token for authenticating with the SonarQube server. You can use a toolchain secrets reference for this parameter. For more information about secrets references, see Protecting your sensitive data in Continuous Delivery.
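The following Python example, added here and not IBM's own code, builds and checks the request body for the SonarQube tool integration from the parameters in Table 2. It encodes the same rules as the console steps 1 to 8 (a name and dashboard URL are required, user_login is set only when a password rather than a token is used, blind_connection marks a server that is not on the public internet) and adds the check a practitioner would want: a public server must be reached over HTTPS so the credential is not sent in clear text, and the credential can be recognised as a secrets reference rather than a literal. The Toolchain API endpoint path, the regional host name, and the {vault::...} secrets-reference syntax are assumptions to be confirmed against the API reference and the secrets documentation; the toolchain ID and server name are constructed values:

```python
"""Build and check the request body for a SonarQube tool integration in an
IBM Cloud Continuous Delivery toolchain (parameters from Table 2).

Added example, not IBM code. The endpoint path, the regional API host, and
the secrets-reference syntax are assumptions.
"""
import json
import re
from urllib.parse import urlparse

TOOL_TYPE_ID = "sonarqube"

# Assumed shape of a toolchain secrets reference, e.g. {vault::store.name}.
# See "Protecting your sensitive data in Continuous Delivery" for the real syntax.
SECRET_REF = re.compile(r"^\{vault::[^{}]+\}$")


def build_sonarqube_tool(name, dashboard_url, user_password,
                         user_login=None, blind_connection=False):
    """Return the JSON-serialisable body for creating the integration.

    Raises ValueError when the parameter combination would give an
    integration that cannot authenticate or that talks to a public server
    over plain HTTP.
    """
    if not name or not name.strip():
        raise ValueError("name is required")
    if not user_password:
        raise ValueError("user_password (password or token) is required")

    parsed = urlparse(dashboard_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("dashboard_url must be an absolute http(s) URL")
    # Policy choice for this example: a server that is reachable from the
    # public internet must use HTTPS, otherwise the token travels in clear
    # text. A private server (blind_connection=True) may use plain HTTP.
    if parsed.scheme == "http" and not blind_connection:
        raise ValueError("a public SonarQube server must use https")

    params = {
        "name": name,
        "dashboard_url": dashboard_url,
        "blind_connection": bool(blind_connection),
        "user_password": user_password,
    }
    # user_login is only meaningful together with a password. With a token
    # it must stay empty, exactly as console step 4 describes.
    if user_login:
        params["user_login"] = user_login
    return {"tool_type_id": TOOL_TYPE_ID, "parameters": params}


def uses_secret_reference(body):
    """True when the credential is a secrets reference, not a literal value."""
    return bool(SECRET_REF.match(body["parameters"]["user_password"]))


def create_request(region, toolchain_id, body):
    """Return (method, url, json_text) for the Toolchain HTTP API.

    Assumption: POST /toolchain/v2/toolchains/{id}/tools on the regional
    api.{region}.devops.cloud.ibm.com host. Confirm against the API reference.
    """
    url = (f"https://api.{region}.devops.cloud.ibm.com"
           f"/toolchain/v2/toolchains/{toolchain_id}/tools")
    return "POST", url, json.dumps(body)


if __name__ == "__main__":
    # Constructed values; replace them with your own toolchain and server.
    body = build_sonarqube_tool(
        name="sonarqube-prod",
        dashboard_url="https://sonar.example.com",
        user_password="{vault::secrets-manager.sonar-token}",
    )
    method, url, payload = create_request(
        "us-south", "00000000-0000-0000-0000-000000000000", body)
    print(method, url)
    print(payload)
    print("credential is a secrets reference:", uses_secret_reference(body))
```

Send the returned body with an IAM bearer token in the Authorization header; the example deliberately stops at building the request so that it runs offline. Reusing the same build function for update calls keeps the HTTPS and user_login rules in force when someone later edits the integration.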