How to Add SonarQube Scans to Your CI/CD Pipeline
In my previous blog post, I outlined the value of SonarQube scans in your development pipeline: essentially, SonarQube evaluates your code against a set of rules and suggests fixes for the issues it finds. Integrated into your SAP Continuous Integration and Delivery pipeline, it continuously checks your code’s quality and security, and thereby helps ensure your applications’ software compliance.
Sounds good, doesn’t it? This is how it works:
- In SAP Continuous Integration and Delivery, either edit an existing job for SAP Cloud Application Programming Model or SAP Fiori applications or create a new one.
For more information, see Configure an SAP Cloud Application Programming Model Job in the Job Editor or Get Started with an SAP Fiori Project in SAP Continuous Integration and Delivery.
- In your own SonarCloud account, which is free to use for open-source projects, or in your SonarQube on-premises instance, set up a new project and note down the following parameters:
  - (only if you use SonarCloud) the organization
  - the URL of your SonarQube server
  - a SonarQube token used to authenticate the connection
- Use this information to configure the SonarQube Scan step in the Compliance stage of your pipeline as shown in the following screenshots:
For more information, see the actions for configuring the Compliance stage in either Configure an SAP Cloud Application Programming Model Job in the Job Editor or Configure an SAP Fiori in the Cloud Foundry Environment Job in the Job Editor.
- To store the SonarQube token securely, create a new Secret Text credential in SAP Continuous Integration and Delivery and paste your SonarQube token (the value provided to the scan as the SONAR_TOKEN environment variable) into the Secret field.
For more information, see Creating Credentials.
- Either save or create your job.
As a result, you now receive a code analysis report on SonarQube with every new build of your job.
Before actually releasing your project, you might want to make sure that its current status meets your expectations. For this purpose, SonarQube lets you define sets of quality and security conditions – so-called quality gates – that must be met before your application is ready for production.
You can configure your SAP Continuous Integration and Delivery pipeline so that it checks the quality gate status and passes or fails accordingly. To do that, add the following line to the sonar-project.properties file in your source repository:
If the quality gate analysis of your project is now successful, the Compliance stage in SAP Continuous Integration and Delivery passes as well. If it fails instead, the Compliance stage fails, too, and your pipeline doesn’t move on to the Release stage. For more information, see the SonarQube documentation.
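To show what such a quality gate check does behind the scenes, here is an added example (not code from the original post or from SAP or SonarSource) that evaluates a SonarQube project status response and decides whether the stage should pass. It assumes the response shape of the SonarQube Web API endpoint api/qualitygates/project_status and Bearer token authentication; the embedded response is constructed for the example, and the token comes only from the SONAR_TOKEN secret, never from a file in the repository.

```python
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample of an api/qualitygates/project_status response body.
# The field names follow the SonarQube Web API (assumed); the values are made up.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
})


def auth_header(token: Optional[str] = None) -> Dict[str, str]:
    """Build the Authorization header from the SONAR_TOKEN secret (assumed Bearer scheme).

    The token is injected by the pipeline from the stored credential; it must not
    be committed to sonar-project.properties or echoed into build logs.
    """
    token = token or os.environ.get("SONAR_TOKEN")
    if not token:
        raise RuntimeError("SONAR_TOKEN is not set; configure the Secret Text credential")
    return {"Authorization": f"Bearer {token}"}


def evaluate_quality_gate(body: str) -> Tuple[bool, List[str]]:
    """Return (passed, failing conditions) for a project_status response body."""
    status = json.loads(body)["projectStatus"]
    failures = [
        f"{c['metricKey']}: actual {c.get('actualValue', '?')} "
        f"{c['comparator']} threshold {c.get('errorThreshold', '?')}"
        for c in status.get("conditions", [])
        if c["status"] != "OK"
    ]
    return status["status"] == "OK", failures


def main() -> int:
    passed, failures = evaluate_quality_gate(SAMPLE_RESPONSE)
    for line in failures:
        print("quality gate condition failed:", line)
    # A non-zero exit code fails the Compliance stage, so the Release stage is not reached.
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```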
SonarQube scans in your CI/CD pipeline help you detect quality and security issues in your code as early as possible. This not only ensures that you meet your corporate compliance rules and policies, but also saves you valuable time (just think of looking for a needle in a haystack when some unexpected behavior surfaces at the end of your development) and money.
How do you use them? Let us know.