Iqbal Syahrul Siddiq

Detect Bugs & Vulnerabilities and get instant feedback. Lumen - Sonarcloud Integration

What is Sonarcloud ?

SonarCloud is a cloud-based code analysis service designed to detect coding issues in 26 different programming languages. By integrating directly with your CI pipeline or one of the supported DevOps platforms, your code is checked on each merge/pull request against an extensive set of rules covering maintainability, reliability, and security. As a core element of the Sonar solution, SonarCloud completes the analysis loop to help you deliver clean code that meets high quality standards.

Dev Cycle

SonarCloud uses state-of-the-art static code analysis to find problems, and potential problems, in the code that you and your team write. Static analysis is called static because it does not rely on actually running the code. As a result, SonarCloud offers an additional layer of verification, different from (and complementary to, not a replacement for) automated testing and manual code review. Its set of language-specific analyzers uses thousands of rules to track down hard-to-find bugs and quality issues, from simple coding mistakes and tricky bugs to security vulnerabilities such as injection flaws. Catching these problems early during static analysis means fewer issues reach the later stages of the process and helps raise the overall quality of your production code.

SonarCloud integrates into your existing workflow and detects issues in your code so that you can run continuous code inspection on your projects. It does this by hooking into your CI pipeline or DevOps platform, importing your projects and performing automated code checks within minutes. SonarCloud works with:

  • GitHub
  • Bitbucket Cloud
  • Azure DevOps
  • GitLab

SonarCloud does not work with on-premises code repositories. For on-premise support.

In this tutorial I will show how to integrate SonarCloud into a simple dev cycle (Lumen/Laravel, GitLab, and SonarCloud).

Create Workspace / Project Group in Gitlab

Image description

  • On the sidebar, click "Groups"

Image description

  • Click the "New Group" button (if you want to create a new project group)

Image description

  • Click "Create Group"

Image description

  • Fill out the form and choose the visibility level for your workspace (public or private). In this tutorial I choose "public", then submit with "Create Group".

  • SonarCloud needs a personal access token from your GitLab account, so you have to generate one: open your account settings menu, or use this link: https://gitlab.com/-/profile/personal_acc

  • Click "Add new token"

Image description

  • Fill in the token name and expiration date, and tick the "api" scope
  • Click the "Create personal access token" button
  • Copy your personal access token somewhere safe (important: the token is shown only once, right after it is generated, so make sure you save it). A token with the api scope can do everything your account can do through the GitLab API, so give it a short expiration, keep it out of the repository, and revoke it once SonarCloud no longer needs it.

Image description

Register Sonarcloud Account

Image description

  • Click the "Sign Up" button

Image description

  • Choose the account you want to integrate with. In this tutorial I use my GitLab account, so click the GitLab button

Image description

  • Next, click "Authorize" (SonarCloud requires access to your GitLab repositories)

Image description

  • If this is your first time using SonarCloud you will see this blank page. It means no project exists in your account yet

Image description

Let's continue

Setup Sonarcloud

  • Next, set up SonarCloud: from the blank page, click the "Analyze new project" button

Image description

  • Click "Import a new organization"

Image description

  • In this tutorial I want to integrate SonarCloud with my own workspace / project group in GitLab, so click "Import any GitLab group" (if you import a private GitLab group you have to pay SonarCloud; there is no free plan for private projects)

Image description

  • Copy and paste your personal access token
  • Copy and paste your group ID as the group key value (you can find the group ID in the group settings: Groups -> select your group -> Settings -> General)

Image description

  • Click "Continue"
  • Next, scroll down the page and choose a plan (in this tutorial I use the free plan)

Image description

  • Click "Create organization"
  • Great, your SonarCloud setup is done. Next, let's go back to the GitLab repository

Image description

Create a new project in workspace / group Gitlab (for testing)

  • Open your GitLab group and create a new project

Image description

  • In this tutorial I will upload my mini project built with Lumen (the Laravel micro-framework) to the GitLab group project (you can use another framework; the setup process is the same).

  • Click "Create blank project"

Image description

  • Fill in the form and click "Create project" (if you want to use the free version of SonarCloud, choose "Public" visibility for your project)

Image description

Register the project in SonarCloud

  • Click the "Analyze new project" button

Image description

  • SonarCloud will scan your workspace and list its public projects

Image description

  • Select the project and click "Set up"

Image description

  • Choose "Previous version" or "Number of days" as the new code definition (this is up to you, and you can change it at any time). In this tutorial I choose "Previous version"

Image description

  • Click "Create project"
  • Choose "With GitLab CI/CD pipeline" as the analysis method

Image description

  • You have to add the SonarCloud credentials (the SONAR_TOKEN and SONAR_HOST_URL CI/CD variables) to your GitLab repository; follow the on-screen instructions. Mark SONAR_TOKEN as masked so it never appears in job logs, and leave it unprotected only if you want merge-request pipelines from unprotected feature branches to run the analysis

Image description

  • Add the credentials

Image description

  • Next, add a new .yml file (.gitlab-ci.yml) at the root of your project folder. Choose your programming language so the template matches your project (in this tutorial I use Lumen, so I choose the PHP template)

Image description

variables:
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
  GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
sonarcloud-check:
  image:
    name: sonarsource/sonar-scanner-cli:latest  # consider pinning a specific tag so a new scanner release cannot silently change the job
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner  # reads sonar-project.properties plus the SONAR_TOKEN and SONAR_HOST_URL CI variables
  only:  # branches and events that trigger an analysis; adjust to your repository
    - merge_requests
    - main
    - develop


In the "only:" section at the end, make sure the branch names match your repository. The SonarCloud template names the main branch "master", but GitLab's default branch is named "main", so change "master" to "main".

Add any other branch names (here "develop") whose pushes should trigger a SonarCloud analysis.

  • In the last step of the instructions, create a new file (sonar-project.properties) at the project root. The project key and organization must match the values SonarCloud shows you; the remaining settings are commented out and fall back to their defaults
sonar.projectKey=open-for-public_lumen-restfull-api-with-jwt-authentication
sonar.organization=open-for-public

# This is the name and version displayed in the SonarCloud UI.
#sonar.projectName=Lumen Restfull API With JWT Authentication
#sonar.projectVersion=1.0


# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# The default is the whole project; for a Lumen app you can narrow it (e.g. app,routes) to keep vendor/ out of the analysis.
#sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

Image description

  • You're done

Testing

  • Push your code with the git command line
  • Open the "My Projects" menu on the SonarCloud site

Image description

  • After the push finishes, refresh the My Projects page in SonarCloud (the analysis usually takes 1 - 3 minutes, depending on the number of lines of code)

  • When the analysis finishes, the result is shown on the project page

Image description

Image description

Image description
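Refreshing the dashboard shows the result, but nothing so far stops a merge when SonarCloud reports a new vulnerability. The scanner itself can do that if you add sonar.qualitygate.wait=true to sonar-project.properties (the job then fails when the gate fails). The script below is an added example, not code from the original post or from SonarCloud, that does the same thing explicitly so the job log also lists which conditions failed: it waits for the background analysis task named in .scannerwork/report-task.txt (the file sonar-scanner writes) and then queries the project's quality gate. It assumes the SONAR_TOKEN and SONAR_HOST_URL variables from the tutorial and the SonarCloud Web API endpoints /api/ce/task and /api/qualitygates/project_status; the sample payloads in it are constructed, shaped after those responses.

```python
"""Enforce the SonarCloud quality gate after sonar-scanner has run.

Added example (not the post's or SonarCloud's code). Assumes SONAR_TOKEN and
SONAR_HOST_URL are set as CI variables and that sonar-scanner ran in the same
job, leaving .scannerwork/report-task.txt behind. Sample data is constructed.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request


def parse_properties(text):
    """Parse key=value lines (sonar-project.properties, report-task.txt).

    Blank lines and '#' comments are skipped, so commented-out defaults in
    the tutorial's properties file are not picked up by mistake.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def sonar_get(host_url, token, path, **params):
    """GET a SonarCloud Web API endpoint (network; not exercised offline).

    The user token goes in as the HTTP basic-auth username with an empty
    password, and is never echoed to the job log.
    """
    url = f"{host_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_task(get_task, task_id, attempts=60, delay=5):
    """Poll the compute-engine task until it reaches a terminal state.

    get_task is a callable returning the /api/ce/task payload, so the
    polling logic can be exercised offline with a fake.
    """
    for _ in range(attempts):
        status = get_task(task_id)["task"]["status"]
        if status in ("SUCCESS", "FAILED", "CANCELED"):
            return status
        time.sleep(delay)
    return "TIMEOUT"


def evaluate_quality_gate(payload):
    """Return (passed, failed_conditions) from a project_status payload."""
    status = payload.get("projectStatus", {})
    failed = [
        f"{c.get('metricKey')}: actual {c.get('actualValue')} "
        f"(fails when {c.get('comparator')} {c.get('errorThreshold')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status.get("status") == "OK", failed


# Constructed samples: the tutorial's properties file, and a project_status
# response in which the security conditions on new code fail.
SAMPLE_PROPERTIES = """\
sonar.projectKey=open-for-public_lumen-restfull-api-with-jwt-authentication
sonar.organization=open-for-public
#sonar.projectName=Lumen Restfull API With JWT Authentication
"""
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_reliability_rating",
     "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_security_rating",
     "comparator": "GT", "errorThreshold": "1", "actualValue": "4"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "0"},
]}}


def main():
    token = os.environ.get("SONAR_TOKEN")
    if not token:
        sys.exit("SONAR_TOKEN is not set; add it as a masked CI/CD variable")
    host = os.environ.get("SONAR_HOST_URL", "https://sonarcloud.io")
    with open(".scannerwork/report-task.txt", encoding="utf-8") as fh:
        report = parse_properties(fh.read())
    task_status = wait_for_task(
        lambda tid: sonar_get(host, token, "/api/ce/task", id=tid),
        report["ceTaskId"])
    if task_status != "SUCCESS":
        sys.exit(f"SonarCloud analysis did not complete: {task_status}")
    payload = sonar_get(host, token, "/api/qualitygates/project_status",
                        projectKey=report["projectKey"])
    passed, failed = evaluate_quality_gate(payload)
    for line in failed:
        print("quality gate condition failed:", line)
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

Run it as a second line under "script:" after sonar-scanner (python3 is not in the scanner image, so either install it there or run this as a separate job that keeps .scannerwork as an artifact). A non-zero exit fails the GitLab job, which in turn blocks the merge request when the pipeline is required to pass.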

Great, you're done. I hope this article helps you. See you in the next post.
