Solutions Delivery Platform


SonarQube is a tool for static code analysis: inspecting source code as written, without executing it, against a rule set of industry-standard practices. It reports best-practice violations, bugs and potential security vulnerabilities (for example, unsanitized input flowing into a query or a command).

Organizations can define Quality Profiles, which are custom rule sets that projects must analyze against. Quality Gates are then the organizational policy on the analysis result, such as a maximum number of new vulnerabilities or a minimum coverage on new code. By default, SDP fails the build when the Quality Gate fails.

Steps Contributed

Table 1. Steps
(columns: Step, Description)

  • Leverages the sonar-scanner CLI to perform static code analysis and sends the results to the configured SonarQube server.

Library Configuration Options

Table 2. SonarQube Library Configuration Options
(columns: Field, Description, Default Value)

  • installation_name: The name of the SonarQube installation configured in Manage Jenkins > Configure System.

  • The Jenkins credential ID to use when authenticating to SonarQube. Can be either a valid username/password credential or an API token stored in a Secret Text credential.
    Default: if unset, the library checks whether the installation named by installation_name has a Server authentication token configured in the plugin; if so, that token is used. Otherwise a credential ID of "sonarqube" is assumed.

  • Whether to wait for SonarQube to send a webhook back to Jenkins with the Quality Gate result.

  • Whether the build fails if the code does not pass the Quality Gate.

  • Purely aesthetic: the name of the stage block shown during analysis in the Jenkins pipeline visualization.
    Default: "SonarQube Analysis"

  • How long to wait for the Quality Gate webhook before timing out.

  • cli_parameters: a list of additional analysis parameters passed to the sonar-scanner CLI.
    Default: [ ]

  • A list of pre-existing stashes to try to unstash before analysis. Useful when a previous step produces compiled classes or test results for SonarQube to inspect.
    Default: [ ]

Analysis Parameters

In SonarQube, project analysis settings can be provided to the SonarScanner CLI in more than one way.

The SonarScanner looks for a sonar-project.properties file in the current working directory and reads analysis settings from it.

Alternatively, users can use this library's cli_parameters configuration to pass an array of CLI analysis parameters (-D options) to the SonarScanner.

For example,

        cli_parameters = [
            "-Dsonar.projectName='My Cool Project'"
        ]

Environment Variables

It’s possible to use pipeline environment variables to populate the analysis parameters. This is especially useful when used with one of the source code management libraries to reference the branch name.

Configuration File (sonar-project.properties)
sonar.projectName=My Cool Project: ${env.BRANCH_NAME}

CLI Parameters

        cli_parameters = [
            "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\""
        ]

Note the escaped dollar sign: Groovy leaves $BRANCH_NAME in the string as-is and the shell expands it when sonar-scanner runs, so the branch value is never spliced into the command text. Writing "${env.BRANCH_NAME}" instead would interpolate the branch name into the shell command before the shell parses it, which is the pattern Jenkins warns about because an attacker-controlled branch name could then alter the command.
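Putting the above together: the following is an added example of a pipeline configuration fragment enabling this library with both documented options, showing the safe and the unsafe way to reference the branch name side by side. It is not taken from the SDP documentation or source; the libraries { sonarqube { ... } } nesting, the installation name "sonarqube" and the project key are assumptions made for illustration.

```groovy
// Added example: SDP pipeline configuration fragment for this library.
// The libraries { sonarqube { } } nesting is assumed; installation_name and
// cli_parameters are the options documented above.
libraries {
  sonarqube {
    // Must match an installation under Manage Jenkins > Configure System > SonarQube servers.
    installation_name = "sonarqube"   // assumed name

    cli_parameters = [
      // Assumed project key; a stable key keeps history across renames.
      "-Dsonar.projectKey=my-cool-project",

      // SAFE: \$ stops Groovy interpolation. The shell expands $BRANCH_NAME at run time,
      // and a value expanded inside double quotes is not re-parsed as shell syntax,
      // so a branch named `x"; rm -rf /; "` cannot break out of the argument.
      "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\"",

      // UNSAFE (shown for contrast, do not use):
      //   "-Dsonar.projectName=\"My Cool Project: ${env.BRANCH_NAME}\""
      // Groovy would paste the branch name into the command string before the shell
      // sees it, so quotes or $( ) in the branch name become shell syntax.

      "-Dsonar.sourceEncoding=UTF-8",
    ]
  }
}
```

The same distinction applies to any other environment variable derived from source control metadata (tag names, commit messages); let the shell or the scanner's own ${env.NAME} substitution resolve it rather than Groovy.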

External Dependencies

  • A SonarQube server should be deployed

  • The SonarQube Scanner plugin should be installed

  • The SonarQube Installation must be configured in Manage Jenkins > Configure System > SonarQube servers

    • The "Enable injection of SonarQube server configuration as build environment variables" checkbox should be checked


This library supports both username/password and API token authentication to SonarQube. Prefer an API token: it can be issued for a dedicated service account, scoped to analysis, and revoked without changing anyone's password.

Anonymous access should be disabled on the SonarQube server; when it is, create an API token, store it as a Secret Text credential in the Jenkins credential store, and reference that credential in Manage Jenkins > Configure System > SonarQube servers as the Server authentication token. With the token attached to the installation, the library's credential lookup described in Table 2 will pick it up without any per-project configuration.
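To make the "wait for the Quality Gate webhook", timeout and authentication settings above concrete, here is an added illustration of the SonarQube Scanner plugin steps that such a quality-gated analysis stage is built from. This is not the SDP library's source code; the installation name "sonarqube", the credential ID "sonarqube" and the ten-minute timeout are assumptions for the example.

```groovy
// Added illustration of the SonarQube Scanner plugin steps behind a
// quality-gated analysis. Not the SDP library's implementation; names and
// timeout values are assumptions.
pipeline {
  agent any
  stages {
    stage('SonarQube Analysis') {
      steps {
        // withSonarQubeEnv resolves the named installation and injects its URL
        // and server authentication token into the environment (SONAR_HOST_URL,
        // SONAR_AUTH_TOKEN), so the token never appears on the command line,
        // in the repository, or in the console log.
        withSonarQubeEnv(installationName: 'sonarqube', credentialsId: 'sonarqube') {
          // Single-quoted Groovy string: $BRANCH_NAME is expanded by the shell,
          // not interpolated by Groovy (see the CLI Parameters note above).
          sh 'sonar-scanner -Dsonar.projectName="My Cool Project: $BRANCH_NAME"'
        }
      }
    }
    stage('Quality Gate') {
      steps {
        // waitForQualityGate blocks until SonarQube delivers its webhook to
        // <JENKINS_URL>/sonarqube-webhook/. If no webhook is configured, or the
        // SonarQube server cannot reach Jenkins, it would wait forever; the
        // timeout turns that misconfiguration into a visible failure.
        timeout(time: 10, unit: 'MINUTES') {
          script {
            def qg = waitForQualityGate()
            if (qg.status != 'OK') {
              // Enforcing the gate: fail the build on anything but OK.
              error "Quality Gate failed with status: ${qg.status}"
            }
          }
        }
      }
    }
  }
}
```

Two checks worth doing before relying on this in SDP: confirm a webhook exists in SonarQube (project or global settings) that points at the Jenkins sonarqube-webhook endpoint, and confirm the SonarQube server can actually open a connection to Jenkins, since the gate result travels server-to-server and a build that merely "hangs until timeout" usually means one of those two is missing.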