DEV Community

Cover image for Ensure Code Quality with Sonar Quality Gates
Outdated Dev
Outdated Dev

Posted on

Ensure Code Quality with Sonar Quality Gates

#codereview #cicd #programming #softwaredevelopment

Code quality and code standards are important to enable our project growth. They ensure that everyone who reads or touches the codebase will understand what is happening and will deliver quality. It empowers maintainability and readability, reducing the cognitive load, especially in the long term.

One way of improving quality is by using Sonar Quality Gates. Quality gates settings are the best way to implement the Clean as You Code concept by focusing on new code.

SonarQube scan has a lot of predefined metrics for several languages and frameworks that will help you maintain the quality of your code. Let's take a look at those metrics:

SonarQube scanned projects summary screen

Metrics

Security

This is a set of pre-defined metrics focused on security. It has a security rating that indicates how vulnerable your codebase is.

Security Rating (security_rating)

  • A = 0 Vulnerabilities
  • B = at least 1 Minor Vulnerability
  • C = at least 1 Major Vulnerability
  • D = at least 1 Critical Vulnerability
  • E = at least 1 Blocker Vulnerability

Reliability

Indicates how many bugs/issues your code has.

Bugs (bugs): The total number of bug issues.

New Bugs (new_bugs): The number of new bug issues.

Reliability Rating (reliability_rating)

  • A = 0 Bugs
  • B = at least 1 Minor Bug
  • C = at least 1 Major Bug
  • D = at least 1 Critical Bug
  • E = at least 1 Blocker Bug

Maintainability

It refers to how many code smells (code_smells) there are, and is relative to the value of your Technical debt ratio.

Security Hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you’ll either find there is no threat or you need to apply a fix to secure the code.

The main difference between a hotspot and a vulnerability is the need for review before deciding whether to apply a fix:

  • With a hotspot, a security-sensitive piece of code is highlighted, but the overall application security may not be impacted. It’s up to the developer to review the code to determine whether or not a fix is needed to secure the code.

  • With a vulnerability, a problem that impacts the application’s security has been discovered and needs to be fixed immediately.

Coverage

Condition coverage (branch_coverage): On each line of code containing some boolean expressions, the condition coverage answers the following question: ‘Has each boolean expression been evaluated both to true and to false?’.

Line coverage (line_coverage): On a given line of code, Line coverage simply answers the question ‘Has this line of code been executed during the execution of the unit tests?’.

Coverage (coverage): A mix of Line coverage and Condition coverage. Its goal is to provide an even more accurate answer to the question 'How much of the source code has been covered by the unit tests?'.

Duplications

The number of duplicated blocks of lines. A good indicator of opportunities for refactoring and reusable code.

Interesting Tool, But How Do I Actually Use It?

Good question, the first step is to create a Quality Gate in your SonarCloud space (or ask your company to set one up for you 😊).

Setting Up Your Quality Gate

Assuming your company already has SonarCloud configured, connect to https://sonarcloud.io, navigate to Organizations > Your Organization > Quality Gates, and click the Create button.

Quality Gate configuration example

Edit the conditions as you please, but I suggest that you start with high values for the gate, so you can commit to having a quality standard. You can update those conditions later as your project evolves. That way, in the mid & long term, it will be easier to maintain a quality standard in your repository.

Here is my suggestion:

Recommended Quality Gate

Metric Operator Value
Coverage is less than 70% - 85%
Duplicated Lines (%) is greater than 3% - 5%
Maintainability Rating is worse than A
Reliability Rating is worse than A
Security Hotspots is less than 100%
Security Rating is worse than A

Note: These values are starting points. Adjust them based on your team's needs and project maturity. The key is to focus on new code to implement the "Clean as You Code" philosophy.

After setting up your Quality Gate, you need to configure your CI/CD pipeline to run SonarScanner on every Pull Request / Code Review of your repository, and make sure it blocks the merging if the Quality Gate fails.

Setting Up Your Pipeline

In general, the steps you will need to follow are:

  1. Add commands in your CI to install the scanner
  2. Configure the SONAR_TOKEN environment variable in your CI settings
  3. Add commands to run your tests (at least the unit tests)
  4. Add commands to execute the SonarScanner
  5. Set up your Pull Request pipeline to require that the SonarScanner build passes

Now let's see a couple of examples of how to set up these steps in your pipeline:

.NET Core Example

Install scanner:

dotnet tool install --global dotnet-sonarscanner
Enter fullscreen mode Exit fullscreen mode

Build & Execute the scanner:

dotnet restore YourProject.sln

dotnet sonarscanner begin \
  /o:"organization" \
  /k:"organization_projectname" \
  /d:sonar.token="${SONAR_TOKEN}"

dotnet build YourProject.sln --no-incremental
dotnet test -c Release --collect:"XPlat Code Coverage"

dotnet sonarscanner end /d:"sonar.token=${SONAR_TOKEN}"
Enter fullscreen mode Exit fullscreen mode

Note: Replace organization and organization_projectname with your actual SonarCloud organization and project key. The SONAR_TOKEN should be configured as a secure environment variable in your CI/CD platform.

Python, JS/TS, Go, PHP Example

Download and unzip the SonarScanner for your CI:

export SONAR_SCANNER_VERSION=7.2.0.5079
export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux-x64
curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux-x64.zip
unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
export PATH=$SONAR_SCANNER_HOME/bin:$PATH
Enter fullscreen mode Exit fullscreen mode

Execute the scanner:

sonar-scanner \
  -Dsonar.organization=organization \
  -Dsonar.projectKey=organization_projectname \
  -Dsonar.token="${SONAR_TOKEN}"
Enter fullscreen mode Exit fullscreen mode

Note: Make sure to run your tests and generate coverage reports before running the scanner. SonarScanner will automatically detect coverage reports in common formats (like coverage.xml, lcov.info, etc.).

Once everything is up and running, you will get a report of your projects similar to this one:

Sonar scan report example

Conclusion

Implementing SonarQube Quality Gates is a powerful way to maintain code quality standards in your project. By focusing on new code and setting appropriate thresholds, you can:

  • Prevent technical debt from accumulating
  • Ensure consistent code quality across the team
  • Catch issues early before they reach production
  • Improve maintainability over time

Remember, quality gates are not meant to be punitive, they're a tool to help your team write better code. Start with reasonable thresholds and adjust them as your team and project mature. The goal is continuous improvement, not perfection from day one.

Happy coding! 🚀

Top comments (0)