Solutions Delivery Platform

SonarQube

SonarQube is a tool used for static code analysis. Static code analysis is validating code as-written against industry standard practices. It will help you find best practice violations and potential security vulnerabilities.

Organizations can define Quality Profiles which are custom rule profiles that projects must use. Quality Gates are then rules defining the organizational policies for code quality. SDP will, by default, fail the build if the Quality Gate fails.

Steps Contributed

Table 1. Steps
Step	Description
`static_code_analysis()`	Leverages the sonar-scanner cli to perform static code analysis and sends results to the configured SonarQube server

Library Configuration Options

Table 2. SonarQube Library Configuration Options
Field	Description	Default Value
credential_id	The Jenkins credential ID corresponding to a username/password credential to authenticate to the configured SonarQube server	"sonarqube"
enforce_quality_gate	Determine whether the build will fail if the code does not pass the quality gate	true

Example Configuration Snippet

libraries{
  sonarqube{
    credential_id = "sonarqube"
  }
}

Sonar Scanner Configurations

Extra configuration options are available by leveraging SonarQube’s sonar-project.properties file. the sonar-project.properties file should be added to root of the source repositoy.

External Dependencies

SonarQube must already be deployed. Reference the deployment script for SDP.
Jenkins must have a credential to access SonarQube, this is done by default when using the deployment script.
The SonarQube URL must be configured in Manage Jenkins > Configure System

Troubleshooting

FAQ

Slack

Sysdig Secure