SonarCloud is a static code analysis tool: it checks out the code from your repository, analyses it and shows you the results. The result may look something like this:
It gives detailed information about your code; for example, you can let it scan whether you leaked a password. SonarCloud is 100% free for open source projects; for private projects the product is paid.
In this article I will discuss how you can connect SonarCloud with Azure Pipelines. The existing documentation, here and here, was a bit outdated at the moment of writing: it covers how to connect SonarCloud with Azure Pipelines using the classic release interface, while Microsoft recommends that you migrate to the new YAML interface. So in this blog article I will show you how to connect SonarCloud with Azure Pipelines in the YAML interface. This tutorial covers the basic concepts too.
Set up sonarcloud
- Go to sonarcloud.io and add your project.
- Since we’re using Java we can’t use automatic analysis: Java is a compiled language, and automatic analysis does not support it.
- Click on other CI tools
- Click on maven
- It will generate some properties for your pom.xml. Do NOT copy the sonar.login property to your pom.xml: this is a generated secret and you don’t want it in your source code. Keep this value aside; we’re going to use it in the next step.
- Copy the rest of the values to your pom.xml and push it to the repository.
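As an added illustration of the previous two steps (this fragment is not from the original post or from SonarCloud's generated snippet), here is what the relevant part of the pom.xml ends up looking like. The project coordinates, the sonar.projectKey and the organization are placeholders; the JaCoCo plugin is included because it is what makes the verify goal in the later Maven step produce the coverage report, and sonar.login is deliberately absent.

```xml
<!-- Added example pom.xml fragment; coordinates and Sonar values are placeholders -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- placeholder -->
  <artifactId>demo-app</artifactId>     <!-- placeholder -->
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Values generated by SonarCloud for your project (placeholders here).
         sonar.login is intentionally NOT listed: the token lives in the
         Azure DevOps service connection, never in source control. -->
    <sonar.projectKey>YOURORGANIZATION_demo-app</sonar.projectKey>
    <sonar.organization>YOURORGANIZATION</sonar.organization>
    <sonar.host.url>https://sonarcloud.io</sonar.host.url>
  </properties>

  <build>
    <plugins>
      <!-- JaCoCo: prepare-agent attaches the coverage agent to the test run,
           report writes target/site/jacoco/jacoco.xml in the verify phase,
           which is why the pipeline uses the 'clean verify sonar:sonar' goals -->
      <plugin>
        <groupId>org.jacoco</groupId>
        <artifactId>jacoco-maven-plugin</artifactId>
        <version>0.8.8</version>
        <executions>
          <execution>
            <goals><goal>prepare-agent</goal></goals>
          </execution>
          <execution>
            <id>report</id>
            <phase>verify</phase>
            <goals><goal>report</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```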
Couple sonarcloud with your azure DevOps
First create a DevOps project. Add the sonarcloud plugin to the project.
- Go to project settings in the lower left corner
- Click on service connections
- Next click on New service connection and search for sonarcloud.
- In the dialog, enter the cloud token you generated earlier (the sonar.login value) in the SonarCloud Token field and give the service connection a name. I called it sonarcloud.
Add sonarcloud to your pipeline
- Open the pipeline edit interface in Azure Pipelines
- In the tasks menu add the Prepare Analysis Configuration task. Select the service connection you created and click on your organization.
- Select integrate with Maven or Gradle and add the task. This must be set up before your actual Maven task.
- Add your Maven task. Make sure it has the goals ‘clean verify sonar:sonar’ and, if you want code coverage, the option codeCoverageToolOption. I am using JaCoCo, but you can also use Cobertura. As for the Maven goals: clean cleans the target directory, verify creates the JaCoCo report and sonar:sonar makes Sonar analyse the repository.
- After the maven task add the Run Code analysis task.
- Next add the Publish Quality Gate Result task.
- That’s it! If you push to your repository now you’ll see that SonarCloud is integrated in your pull requests (if this is supported) and analyses your master branch on every push to master.
The code may look something like this:
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
# Prepare Analysis Configuration: reads the token from the service connection
- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'sonarcloud'
    organization: 'YOURORGANIZATION'
    scannerMode: 'Other'
# Build, test, create the JaCoCo report and run the Sonar analysis
- task: Maven@3
  inputs:
    mavenPomFile: 'pom.xml'
    goals: 'clean verify sonar:sonar'
    publishJUnitResults: true
    testResultsFiles: '**/surefire-reports/TEST-*.xml'
    codeCoverageToolOption: JaCoCo
    javaHomeOption: 'JDKVersion'
    jdkVersionOption: '1.11'
    mavenVersionOption: 'Default'
# Run Code Analysis
- task: SonarCloudAnalyze@1
# Publish Quality Gate Result
- task: SonarCloudPublish@1
This is a very simple solution to the problem. I found it pretty hard to figure out how you’re supposed to do this, since there’s a lot of legacy around this feature. There’s for example the Run SonarQube analysis option in the Maven task, but this is legacy and shouldn’t be used.
I hope this blog article brings some clarification on the topic. Be aware that this solution may become outdated, given the note Microsoft left us on the tutorial I linked at the beginning of this article.