DEV Community

Arun Kumar

Integrating SonarQube with Azure DevOps Pipeline to Enforce Quality Gates

Introduction

Ensuring code quality in CI/CD pipelines is essential to maintaining a clean, secure, and maintainable codebase. Integrating SonarQube with Azure DevOps automates this by evaluating every analysis against a pre-defined quality gate that combines checks such as code coverage, code smells, and security vulnerabilities. This post walks through setting up the integration and enforcing the quality gate so that Pull Requests (PRs) that do not meet it are blocked.

Step 1: Set Up SonarQube

1. Install SonarQube:

Install it on-premises, or use SonarCloud for a cloud-hosted solution.

2. Create a Project:

Set up a new project in SonarQube for your repository.

3. Generate a Token:

Use this token to authenticate the Azure DevOps service connection with SonarQube (the token lives in the service connection, not in the pipeline YAML).

Step 2: Install the SonarQube Extension in Azure DevOps

Navigate to the Extensions Marketplace in Azure DevOps.

Search for "SonarQube" and install it in your organization.

Step 3: Configure SonarQube in Your Pipeline

You’ll use the SonarQube tasks Prepare Analysis, Analyze, and Publish Quality Gate Result.

Pipeline YAML Example:

trigger:
  branches:
    include:
      - develop
      - feature/*

pool:
  vmImage: 'ubuntu-latest'

variables:
  SONARQUBE_ENDPOINT: 'SonarQubeServiceConnection'  # Service connection in Azure DevOps
  SONAR_PROJECT_KEY: 'my_project_key'
  SONAR_ORG: 'my_organization'  # Only needed for SonarCloud; unused with a self-hosted SonarQube server

steps:
# Prepare must run before the build so the scanner can hook into MSBuild.
# 'MSBuild' mode is required for C#/VB.NET projects; the 'CLI' scanner does not analyze .NET code.
- task: SonarQubePrepare@5
  displayName: 'Prepare SonarQube Analysis'
  inputs:
    SonarQube: $(SONARQUBE_ENDPOINT)
    scannerMode: 'MSBuild'
    projectKey: $(SONAR_PROJECT_KEY)
    projectName: 'My Project'
    extraProperties: |
      # Point the scanner at the coverage report produced by the test step below
      sonar.cs.opencover.reportsPaths=**/coverage.opencover.xml

- task: DotNetCoreCLI@2
  displayName: 'Build'
  inputs:
    command: 'build'
    projects: '**/*.csproj'

# Tests must run with coverage collected before Analyze, otherwise the coverage condition of the gate cannot pass.
- task: DotNetCoreCLI@2
  displayName: 'Run Tests with Coverage'
  inputs:
    command: 'test'
    projects: '**/*Tests.csproj'
    arguments: '--no-build /p:CollectCoverage=true /p:CoverletOutputFormat=opencover'  # requires the coverlet.msbuild package

- task: SonarQubeAnalyze@5
  displayName: 'Run SonarQube Analysis'

# Waits (up to pollingTimeoutSec) for the server to compute the quality gate and reports its status.
# If your extension version does not fail the run on a red gate, add sonar.qualitygate.wait=true to extraProperties above.
- task: SonarQubePublish@5
  displayName: 'Publish Quality Gate Result'
  inputs:
    pollingTimeoutSec: '300'

Step 4: Define a Quality Gate in SonarQube

1. Log in to your SonarQube instance.

2. Navigate to Quality Gates.

3. Create a new gate with conditions such as:

   Code coverage ≥ 80%

   No blocker or critical issues.

   Maintainability rating of B or better.

SonarQube evaluates every code analysis against this gate and marks it as passed or failed.

Step 5: Conditional PR Creation

Use the "Publish Quality Gate Result" task in your pipeline to mark the pipeline run as failed when the quality gate is not passed, so that any later task with the default succeeded() condition is skipped.

Example:

- task: PowerShell@2
  displayName: 'Create Pull Request'
  condition: succeeded()  # Runs only if every previous task, including the quality gate publish, succeeded
  inputs:
    targetType: 'inline'
    script: |
      Write-Output "Quality gate passed. Creating PR."
      # Put your PR-creation command here (for example a call to the Azure DevOps Git REST API);
      # the pipeline's build identity needs 'Contribute to pull requests' on the target repository.

If the quality gate fails, the PR creation task is skipped, preventing low-quality code from entering the main branch.
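As an added example, not part of the original post or the SonarQube extension, the polling that the Publish Quality Gate Result task performs (Step 3 and Step 5) can also be done explicitly from a script step when you want the failing conditions printed in the log: the script reads the scanner's report-task.txt (path given as the first argument, token in an assumed SONAR_TOKEN variable), polls api/ce/task until the analysis is processed, then fetches api/qualitygates/project_status and exits non-zero on a red gate. The sample inputs are constructed.

```python
import base64
import json
import os
import sys
import time
import urllib.request

# Constructed sample of report-task.txt (written by the scanner after analysis).
SAMPLE_REPORT = "projectKey=my_project_key\nserverUrl=https://sonar.example.invalid\nceTaskId=AYexampleTaskId\n"
# Constructed sample of an api/qualitygates/project_status response with one failing condition.
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_blocker_violations", "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
    {"status": "ERROR", "metricKey": "coverage", "comparator": "LT", "errorThreshold": "80", "actualValue": "72.5"},
]}}

def parse_report_task(text):
    """Parse the key=value lines of report-task.txt into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def evaluate_gate(payload):
    """Return (passed, failing_conditions) from a project_status response."""
    status = payload["projectStatus"]
    failing = [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
               for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"] == "OK", failing

def get_json(url, token):
    """GET a SonarQube Web API endpoint; the user token is sent as the Basic-auth user name."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_gate(report, token, timeout_s=300):
    """Poll the background task until the server has computed the gate, then fetch its status."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        task = get_json(f"{report['serverUrl']}/api/ce/task?id={report['ceTaskId']}", token)["task"]
        if task["status"] == "SUCCESS":
            return get_json(f"{report['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}", token)
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task ended with status {task['status']}")
        time.sleep(5)
    raise TimeoutError("quality gate result not available within the timeout")

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to report-task.txt
        passed, failing = evaluate_gate(wait_for_gate(parse_report_task(fh.read()), os.environ["SONAR_TOKEN"]))
    print("Quality gate passed" if passed else "Quality gate FAILED:\n  " + "\n  ".join(failing))
    sys.exit(0 if passed else 1)
```

The .NET scanner writes report-task.txt under .sonarqube/out/.sonar/, the CLI scanner under .scannerwork/; a non-zero exit from this step fails the run just like the Publish task, so the PR-creation step is skipped.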

Key Benefits

1. Unified Quality Check: Combines code coverage, code smells, and security checks.

2. Prevents Technical Debt: Automatically blocks poorly written or insecure code.

3. Automation: Enforces quality standards without manual intervention.

4. Feedback Loop: Provides developers with actionable insights into code quality.

Conclusion

By integrating SonarQube into Azure DevOps pipelines, you ensure every Pull Request adheres to your organization’s quality standards. This prevents technical debt, enforces better coding practices, and enhances the overall health of your software projects.

Ready to level up your CI/CD pipelines? Let us know your experience in the comments!
