DEV Community

Arun Kumar

Integrating SonarQube with Azure DevOps Pipeline to Enforce Quality Gates

Introduction

Ensuring code quality in CI/CD pipelines is essential to maintaining a clean, secure, and maintainable codebase. Integrating SonarQube with Azure DevOps automates this by evaluating each analysis against pre-defined quality gates that combine checks such as code coverage, code smells, and security vulnerabilities. This post walks through setting up the integration and enforcing the gate so that Pull Requests (PRs) which fail it are blocked.

Step 1: Set Up SonarQube

1. Install SonarQube: on-premises, or use SonarCloud for a cloud-hosted solution.

2. Create a Project: set up a new project in SonarQube for your repository.

3. Generate a Token: use this token to authenticate Azure DevOps with SonarQube.

Step 2: Install the SonarQube Extension in Azure DevOps

Navigate to the Extensions Marketplace in Azure DevOps.

Search for "SonarQube" and install it in your organization.

Step 3: Configure SonarQube in Your Pipeline

You’ll use the SonarQube extension's tasks: Prepare Analysis Configuration, Run Code Analysis, and Publish Quality Gate Result.

Pipeline YAML Example:

trigger:
  branches:
    include:
      - develop
      - feature/*

pool:
  vmImage: 'ubuntu-latest'

variables:
  SONARQUBE_ENDPOINT: 'SonarQubeServiceConnection'  # Service connection in Azure DevOps; it holds the server URL and token, so no secret lives in this YAML
  SONAR_PROJECT_KEY: 'my_project_key'
  SONAR_ORG: 'my_organization'  # Only needed for SonarCloud; not referenced by the tasks below

steps:
- task: SonarQubePrepare@5
  displayName: 'Prepare SonarQube Analysis'
  inputs:
    SonarQube: $(SONARQUBE_ENDPOINT)
    scannerMode: 'CLI'  # C# analysis requires SonarScanner for .NET (scannerMode: 'MSBuild'); 'CLI' covers only the languages the generic scanner supports
    configMode: 'manual'
    cliProjectKey: $(SONAR_PROJECT_KEY)
    cliProjectName: 'My Project'
    cliSources: '.'

- task: DotNetCoreCLI@2
  displayName: 'Run Build and Tests'  # 'build' alone runs no tests; add a 'test' command that collects coverage so the coverage condition has data
  inputs:
    command: 'build'
    projects: '**/*.csproj'

- task: SonarQubeAnalyze@5
  displayName: 'Run SonarQube Analysis'

- task: SonarQubePublish@5
  displayName: 'Publish Quality Gate Result'
  inputs:
    pollingTimeoutSec: '300'

Step 4: Define a Quality Gate in SonarQube

1. Log in to your SonarQube instance.

2. Navigate to Quality Gates.

3. Create a new gate with conditions such as:

Code coverage ≥ 80%

No blocker or critical issues.

Maintainability rating of B or better.

SonarQube evaluates every code analysis against this gate and
marks it as passed or failed.

Step 5: Conditional PR Creation

The "Publish Quality Gate Result" task marks the build as failed when the quality gate is not passed, so later steps can be made conditional on it.

Example:

- task: PowerShell@2
  displayName: 'Create Pull Request'
  condition: succeeded()  # Runs only if every previous step succeeded, including the Publish Quality Gate Result task, so a failed gate skips it
  inputs:
    targetType: 'inline'
    script: |
      Write-Output "Quality gate passed. Creating PR."

If the quality gate fails, the PR creation task is skipped, preventing low-quality code from entering the main branch.
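As an added example that is not part of the original post, the following Python helper applies the same fail-closed rule in script form: it can pull the verdict from SonarQube's quality gate status endpoint and treats anything but an explicit pass as a reason to skip PR creation. The server URL, token and project key are assumptions, and the embedded response is constructed.

```python
import base64
import json
import urllib.request

# Constructed sample of the JSON that api/qualitygates/project_status returns
# (values invented for illustration; not a real analysis of any project).
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "72.5"},
            {"status": "OK", "metricKey": "blocker_violations", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
            {"status": "OK", "metricKey": "sqale_rating", "comparator": "GT",
             "errorThreshold": "2", "actualValue": "1"},
        ],
    }
})

def fetch_project_status(base_url, token, project_key):
    """Fetch the latest quality gate verdict from a SonarQube server (not run offline).

    base_url, token and project_key are caller-supplied assumptions. The token is
    sent as the HTTP basic-auth username with an empty password, which is how
    SonarQube accepts user tokens; keep it in a secret pipeline variable.
    """
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def evaluate_gate(raw_json):
    """Return (passed, failures). Fail closed: only an explicit "OK" passes;
    "ERROR", "WARN", "NONE" (no gate / no analysis yet) or a malformed body
    all yield False, so a misconfigured project cannot slip into the PR step."""
    status = json.loads(raw_json).get("projectStatus", {})
    failures = [
        f"{c.get('metricKey')}: actual {c.get('actualValue')} "
        f"{c.get('comparator')} threshold {c.get('errorThreshold')}"
        for c in status.get("conditions", []) if c.get("status") != "OK"
    ]
    return status.get("status") == "OK", failures

if __name__ == "__main__":
    passed, failures = evaluate_gate(SAMPLE_RESPONSE)
    print("create PR" if passed else "skip PR; failed: " + "; ".join(failures))
```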

Key Benefits

1. Unified Quality Check: combines code coverage, code smells, and security checks.

2. Prevents Technical Debt: automatically blocks poorly written or insecure code.

3. Automation: enforces quality standards without manual intervention.

4. Feedback Loop: gives developers actionable insight into code quality.

Conclusion

By integrating SonarQube into Azure DevOps pipelines, you ensure every Pull Request adheres to your organization’s quality standards. This prevents technical debt, enforces better coding practices, and enhances the overall health of your software projects.

Ready to level up your CI/CD pipelines? Let us know your experience in the comments!
