SonarQube: Overview
SonarQube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.
Setting Up SonarQube in AutoRABIT
To use all the functionality included in your SonarQube license from AutoRABIT, you need to integrate SonarQube as a plugin in your AutoRABIT account. This requires a few configuration steps in SonarQube as well as in your AutoRABIT account.
Step 1: Generate a SonarQube Token
- Log in to your SonarQube instance.
- Go to User > My Account > Security. Your existing tokens are listed here, each with a Revoke button.
- The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the token value. Copy it immediately; once you dismiss the notification you will not be able to retrieve it.
- This token will be used while storing your credential with AutoRABIT.
Step 2: Store your SonarQube credential in AutoRABIT
In this step, your SonarQube credential (your username, together with the token generated in Step 1 used in place of a password) is stored in AutoRABIT.
- Log in to your AutoRABIT account.
- Hover your mouse over the Admin module and click on the Credentials tab.
- Next, click on Create Credential from the right navigation bar.
- On the next pop-up screen, give a Credential name.
- Choose the Credential Type as 'User name with Password'.
- Choose your Credential Scope:
  - Global: Credential can be accessed within the team
  - Private: Credential for private usage
- Enter your SonarQube account's username. For the password, use the token you copied in Step 1: Generate a SonarQube Token.
- Please double-check that you use your SonarQube username instead of the email address that you use to log in to SonarQube.
- Click Save.
Step 3: Integrate SonarQube with AutoRABIT
If you have been logged out of your account, log in to AutoRABIT again with your credentials.
- Go to Admin > My Account section.
- Go to the Plugins section.
- Check the SonarQube checkbox under Static Code Analysis.
- Fill in the following details:
  - Enter the SonarQube hosted URL. For the SonarQube cloud version, use https://sonarcloud.io
  - Choose the Host Type, i.e., Cloud or On-premise. For SonarQube hosted on Cloud, you also need to add the Organization Key.
  - Select your Credential from the drop-down.
- Click Test Connection to verify that AutoRABIT can authenticate to SonarQube with the selected credential. A success message is displayed once authentication completes.
- Click Save.
- Click on Save once again and you are all set with SonarQube integration.
Step 4: Set the SonarQube Global Criteria
You can now set the global Quality Gate criteria that enforce the SonarQube static code analysis results across CI Jobs, Deployments, and gated Commits. The Quality Gate gives your project a Pass or Fail rating in SonarQube depending on the metrics you have configured there. If the Quality Gate status reported by your SonarQube account matches the criteria configured in AutoRABIT, the process is aborted.
- Go to Admin > My Account section.
- Next, navigate to the Validation Criteria-Static Code Analysis section.
- Select the Enable checkbox.
- Enable the SonarQube checkbox and assign the Quality Gate status for all your projects. By default, it is set to ERROR; however, you can choose your own criteria. If the Quality Gate status of a project in SonarQube matches the status assigned here, validation fails and the build aborts.
- Click Save.
- Next, go to the following section, i.e., Commit Validation - Approval Settings. In this section, you can let SonarQube identify potential software quality issues before the code moves to production and abort the commit process if the Quality Gate status in SonarQube matches the status set earlier.
- Select the checkbox: Enable criteria based Review Process
- Enable the Should pass validation criteria for Static Code Analysis checkbox, then select the following checkboxes:
  - SonarQube
  - Auto reject commit process if the criteria are not met
- Click Save.
- Just as the SonarQube criteria are configured globally in AutoRABIT for the Commit operation, you can set the same for the Merge process. Go to the next section: Merge Settings.
- Select the Enable criteria-based Review Process checkbox.
- Under Should pass validation criteria for Static Code Analysis, select the SonarQube checkbox.
- Finally, click on Save.
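The following is an added example, not AutoRABIT's or SonarQube's own code. It reproduces from the command line what Step 3's Test Connection button and Step 4's Quality Gate rule do: it checks the Step 1 token against SonarQube's Web API and then aborts when the project's gate status equals the configured status (ERROR by default), listing the failing conditions. It assumes the standard SonarQube Web API endpoints api/authentication/validate and api/qualitygates/project_status; the host, project key and token are placeholders.

```python
"""Added example (not AutoRABIT or SonarQube code): validate a SonarQube token and
apply the Step 4 rule (abort when the Quality Gate status equals the configured one).
Assumes the SonarQube Web API endpoints api/authentication/validate and
api/qualitygates/project_status; SONAR_URL, PROJECT_KEY and the token are placeholders."""
import base64
import json
import urllib.request

SONAR_URL = "https://sonar.example.com"   # placeholder host (or https://sonarcloud.io)
PROJECT_KEY = "my-project"                # placeholder project key
ABORT_ON_STATUS = "ERROR"                 # AutoRABIT's default criterion in Step 4


def auth_header(token: str) -> dict:
    # A SonarQube token is sent as the Basic-auth username with an empty password,
    # which is why the token goes into the password field in Step 2.
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def api_get(path: str, token: str) -> dict:
    req = urllib.request.Request(f"{SONAR_URL}/{path}", headers=auth_header(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_is_valid(validate_response: dict) -> bool:
    # api/authentication/validate answers {"valid": true|false}.
    return bool(validate_response.get("valid", False))


def evaluate_gate(project_status: dict, abort_on: str = ABORT_ON_STATUS) -> tuple:
    """Return (abort, failing_conditions) from an api/qualitygates/project_status body.
    Mirrors Step 4: abort when the gate status equals the configured status."""
    ps = project_status["projectStatus"]
    failing = [
        f'{c["metricKey"]}={c.get("actualValue")} (threshold {c.get("errorThreshold")})'
        for c in ps.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return ps["status"] == abort_on, failing


if __name__ == "__main__":
    token = "<paste the token from Step 1>"  # placeholder; never commit a real token
    if not token_is_valid(api_get("api/authentication/validate", token)):
        raise SystemExit("SonarQube rejected the token (use your username, not your email)")
    body = api_get(f"api/qualitygates/project_status?projectKey={PROJECT_KEY}", token)
    abort, failing = evaluate_gate(body)
    print("ABORT" if abort else "PASS", failing)
```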