DEV Community

Cover image for Integrating SonarQube into Your CI/CD Pipeline: Elevating Code Quality and Security
Lester Diaz Perez
Lester Diaz Perez

Posted on • Edited on

Integrating SonarQube into Your CI/CD Pipeline: Elevating Code Quality and Security

Image description
Adding Sonarqube into our workflow, code and security analysis.

Pre-requisites

  • Read the 1st part
  • Ngrok app

For clarification

I tried to install it on the t2.micro instance but Sonarqube requires 2 gb ram

Requirementes of Sonarqube

We will install it on our local machine to do everything for free at least in this test environment, but in AWS a t2.medium is recommended (it is not free tier).

Deploy Sonarqube

  • Sonarqube compose file
  • cd /path(compose file)
docker-compose up -d
Enter fullscreen mode Exit fullscreen mode

In sonarqube it is typical to find this error when deploying the container.

Image description
The solution is simple paste into the CLI the next code

sudo sysctl -w vm.max_map_count=262144
Enter fullscreen mode Exit fullscreen mode

Opening Sonarqube Web -> http://localhost:9000

Image description

Well as sonarqube is in our localhost now we will expose it to the internet

  • Tunneling app to internet through Ngrok

Image description

Our Sonarqube is now exposed to the internet

Configure Jenkins to add Sonarqube

  1. Go to Jenkins -> Manage Jenkins -> Plugins ->Available plugins
  2. Install SonarQube Scanner

Now we configure the plugin

  1. Manage Jenkins -> System
  2. Search SonarQube servers -> Click Environment variables

Image description

  • Go to SonarQube Web
  • Click in Administration bar -> Security-> Users

Image description

  • Click Token and name it Image description

Now copy the token into the jenkins configuration variable

  • Press Add
  • Kind= Secret text ID and description name them as you wish

Image description

  • Change Server authentication token

Image description

  • Save

CodeQuality Stage

Take a look to the pipeline project

Image description
tools: maven 3.9.6
Go to Manage Jenkins -> Tools -> Maven

Image description

Ready to run the job

  • Build the job
  1. New Item -> Pipeline

Image description
Check the correct branch

run

Image description

Image description

  • Pulsa sobre el icono de sonarqube en la web, y haz click en el proyecto demo

Image description

Quality Gate

What is a quality gate for?
This function is used to wait for a certain time until the code analysis is completed
It's simple to use, just add the next code to the pipeline

stage("Quality Gate") {
      steps {
        timeout(time: 2, unit: 'MINUTES') {
          waitForQualityGate abortPipeline: true
        }
      }
    }
Enter fullscreen mode Exit fullscreen mode

LinkedIn

Top comments (0)