Sarah Lendle

How to Add SonarQube Scans to Your CI/CD Pipeline

In my previous blog post, I outlined the value of SonarQube scans in your development pipeline: essentially, SonarQube evaluates your code against a set of rules and suggests fixes for the issues found. Integrated into your SAP Continuous Integration and Delivery pipeline, it continuously checks your code’s quality and security, and thereby ensures your applications’ software compliance.

Sounds good, doesn’t it? This is how it works:

  1. In SAP Continuous Integration and Delivery, either edit an existing job for SAP Cloud Application Programming Model or SAP Fiori applications or create a new one.
    For more information, see Configure an SAP Cloud Application Programming Model Job in the Job Editor or Get Started with an SAP Fiori Project in SAP Continuous Integration and Delivery.
  2. In your own SonarCloud account, which is free to use for open-source projects, or SonarQube on-premises instance, set up a new project and note down the following parameters: 
    • (Only if you use SonarCloud) organization 
    • projectKey 
    • URL of your SonarQube server 
    • a SonarQube token to connect with
  3. Use this information to configure the SonarQube Scan step in the Compliance stage of your pipeline.
    For more information, see the actions for configuring the Compliance stage in either Configure an SAP Cloud Application Programming Model Job in the Job Editor or Configure an SAP Fiori in the Cloud Foundry Environment Job in the Job Editor. 
  4. To store the SonarQube token credentials, create a new Secret Text credential in SAP Continuous Integration and Delivery and paste the SONAR_TOKEN environment variable into the Secret field.
    For more information, see Creating Credentials.
  5. Either save or create your job.

As a result, you now receive a code analysis report on SonarQube with every new build of your job.

Quality Gates

Before actually releasing your project, you might want to make sure that its current status meets your expectations. For this purpose, SonarQube lets you define sets of quality and security conditions – so-called quality gates – that must be met before your application is ready for production. 

You can configure your SAP Continuous Integration and Delivery pipeline so that it checks the quality gate status and passes or fails accordingly. To do that, add the following line to the file in your source repository:  


If the quality gate analysis of your project is now successful, the Compliance stage in SAP Continuous Integration and Delivery passes as well. If it fails, the Compliance stage also fails, and your pipeline doesn’t move on to the Release stage. For more information, see the SonarQube documentation.
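The pass/fail decision described above can also be reproduced from the JSON that SonarQube's `api/qualitygates/project_status` Web API returns. The following is an added example, not code from the original post or from SAP's pipeline; the function names are hypothetical and the sample response is constructed. It fails closed, so a missing, malformed or non-`OK` status blocks the release.

```python
import json

# Constructed sample of the JSON body returned by SonarQube's
# GET api/qualitygates/project_status?projectKey=<key> (values are made up).
SAMPLE_RESPONSE = """
{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      {"status": "ERROR", "metricKey": "new_security_rating",
       "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
      {"status": "OK", "metricKey": "new_coverage",
       "comparator": "LT", "errorThreshold": "80", "actualValue": "91.2"}
    ]
  }
}
"""


def evaluate_quality_gate(body):
    """Return (passed, reasons). Fails closed: only an explicit OK passes."""
    try:
        project_status = json.loads(body)["projectStatus"]
        status = project_status["status"]
    except (ValueError, KeyError, TypeError):
        # Covers invalid JSON (e.g. a proxy error page) and unexpected shapes.
        return False, ["unparseable quality gate response"]

    if status == "OK":
        return True, []

    reasons = [
        f'{c.get("metricKey")}: actual {c.get("actualValue")} '
        f'{c.get("comparator")} threshold {c.get("errorThreshold")}'
        for c in (project_status.get("conditions") or [])
        if c.get("status") == "ERROR"
    ]
    # NONE (no gate computed) or an unknown status has no failing condition,
    # but must still block the release.
    return False, reasons or [f"quality gate status is {status}"]


def exit_code(body):
    """Map the gate result to a process exit code a pipeline step can use."""
    passed, reasons = evaluate_quality_gate(body)
    for reason in reasons:
        print("quality gate:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(exit_code(SAMPLE_RESPONSE))
```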

SonarQube scans in your CI/CD pipeline help you detect quality and security issues in your code as early as possible. This not only ensures that you meet your corporate compliance rules and policies, but also saves you valuable time (just think about looking for a needle in a haystack if some unexpected behavior occurs at the end of your development) and money.

How do you use them? Let us know. 



      Sarah Lendle
      Blog Post Author

      While at the beginning, SAP Continuous Integration and Delivery only supported Internet-facing SonarQube instances, it can now also connect to on-premises instances within a company network using Cloud Connector.

      For more information, see Cloud Connector and the Actions for Configuring the Compliance Stage for the pipeline type you use.


      Fabien HENIQUE

      Hello Sarah,

      Thanks for this blogpost!

      We do have a SonarQube instance, only working in our internal domain.

      I've set up a link using SAP Cloud Connector, but the compliance step ends in error.

      Can you help on this?

      [2023-08-23T15:19:25.376Z] info  sonarExecuteScan - HTTP client instructed to use proxy
      [2023-08-23T15:19:25.417Z] info  sonarExecuteScan - running command: sonar-scanner -Dsonar.projectKey=XXXXXXXXXXXXXX
      [2023-08-23T15:19:25.459Z] info  sonarExecuteScan - Picked up JAVA_TOOL_OPTIONS: -Dhttp.proxyHost=xxx.xx.x.xxxx -Dhttp.proxyPort=5000
      [2023-08-23T15:19:25.779Z] info  sonarExecuteScan - INFO: Scanner configuration file: /opt/sonar-scanner/conf/
      [2023-08-23T15:19:25.819Z] info  sonarExecuteScan - INFO: Project root configuration file: NONE
      [2023-08-23T15:19:25.862Z] info  sonarExecuteScan - INFO: SonarScanner
      [2023-08-23T15:19:25.906Z] info  sonarExecuteScan - INFO: Java 11.0.19 Alpine (64-bit)
      [2023-08-23T15:19:25.945Z] info  sonarExecuteScan - INFO: Linux 5.15.114-gardenlinux-cloud-amd64 amd64
      [2023-08-23T15:19:26.253Z] info  sonarExecuteScan - INFO: User cache: /opt/sonar-scanner/.sonar/cache
      [2023-08-23T15:19:27.252Z] error sonarExecuteScan - ERROR: SonarQube server [] can not be reached
      [2023-08-23T15:19:27.291Z] info  sonarExecuteScan - INFO: ------------------------------------------------------------------------
      [2023-08-23T15:19:27.328Z] info  sonarExecuteScan - INFO: EXECUTION FAILURE
      [2023-08-23T15:19:27.366Z] info  sonarExecuteScan - INFO: ------------------------------------------------------------------------
      [2023-08-23T15:19:27.404Z] info  sonarExecuteScan - INFO: Total time: 1.881s
      [2023-08-23T15:19:27.443Z] info  sonarExecuteScan - INFO: Final Memory: 3M/14M
      [2023-08-23T15:19:27.479Z] info  sonarExecuteScan - INFO: ------------------------------------------------------------------------
      [2023-08-23T15:19:27.522Z] error sonarExecuteScan - ERROR: Error during SonarScanner execution