
Quick Start SonarQube for Lazy People


Introduction

In this article I will show how to get a taste of SonarQube without any hassle and without taking up much of your time.

Sometimes you just want to try a new tool without installing gigabytes of software on your computer or reading pages of documentation first.

About SonarQube

SonarQube is a static analysis tool for code quality and code security that helps teams deliver safer and better code.

There is a free community edition with limited features that you can run on your own server. Check the available editions at https://www.sonarqube.org/downloads/

You can find more about SonarQube on official website https://www.sonarqube.org/

Taking the Best of SonarQube

The best way to use SonarQube, in my opinion, is to attach it to your CI/CD pipelines as an active Quality Gate.

This way, a change that fails the gate (for example new bugs or vulnerabilities, unreviewed security hotspots, or coverage below your threshold) is stopped before it reaches production. Keep in mind that the gate only covers what SonarQube's rules detect for your languages: it is a safety net, not a guarantee that no vulnerability gets through. Here you can find examples for Jenkins https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-jenkins/

Try before buy

This is the fastest way to try SonarQube with the least effort and see what it can bring to your project and your team.

TL;DR

SonarQube Server

Start the server listening on port 9000. Because of --rm, the container is removed together with its embedded database and all analysis results as soon as it stops; that is fine for a trial, not for anything you want to keep.

docker run --rm -p9000:9000 sonarqube:lts-community

Wait until the log prints "SonarQube is operational". On Linux the embedded Elasticsearch needs the kernel's vm.max_map_count raised (the container logs an explicit error if it is too low); sudo sysctl -w vm.max_map_count=524288 fixes it until the next reboot.

Log in at http://localhost:9000 with the default credentials admin / admin (you will be asked to change the password), then open http://localhost:9000/account/security and go to Generate Token. If your version offers token types, a project or global analysis token is enough for the scanner.

Copy the newly generated token, e.g. c402a1a4e1b1e5a12e67ebfd5ec4f5403a0a0903 (a placeholder; yours will differ). It is displayed only once and the server keeps only a hash of it, so store it somewhere safe and never commit it to the repository. It will be used in the next part.

Prepare your Project

On your project root, add a sonar-project.properties file with the following content

# must be unique in a given SonarQube instance
sonar.projectKey=my-project-key

# --- optional properties ---

# defaults to project key
#sonar.projectName=My project
# defaults to 'not provided'
#sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Defaults to .
#sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

You may also want to add these lines to .gitignore and .dockerignore

...

# Ignore SonarQube scanner generated files
.scannerwork

...

Sonar Scanner

While in your project's root folder, run the following command:

docker run --rm -e SONAR_HOST_URL="http://host.docker.internal:9000" -e SONAR_LOGIN="c402a1a4e1b1e5a12e67ebfd5ec4f5403a0a0903" -v "$PWD":/usr/src sonarsource/sonar-scanner-cli

where c402a1a4e1b1e5a12e67ebfd5ec4f5403a0a0903 is the token generated in the previous step; replace it with your own. Three things to know about this command: host.docker.internal resolves to the host out of the box on Docker Desktop (macOS and Windows), but on Linux you have to add --add-host=host.docker.internal:host-gateway (Docker 20.10 or newer) or the scanner cannot reach the server; newer scanner versions read the token from SONAR_TOKEN and treat SONAR_LOGIN as deprecated; and a token typed on the command line ends up in your shell history, so prefer keeping it in an environment variable (for example read from a file outside the repository) and passing -e SONAR_TOKEN without a value, which makes Docker copy it from your environment.

Go to http://localhost:9000/projects to see your project's ratings, issues, security hotspots and the other cool stuff provided by SonarQube.
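To tie the TL;DR together with the quality gate idea from "Taking the Best of SonarQube", here is a small POSIX shell script, added for this article and not code from the original post or from SonarSource, that starts the server, waits for it to report UP, rotates the default admin password, creates a token through the API instead of the UI, runs the scanner with sonar.qualitygate.wait=true and exits non-zero when the gate fails. It assumes docker, curl, sed and od on PATH, a sonar-project.properties in the current directory, Docker 20.10 or newer for --add-host=host-gateway, and a scanner image that honours SONAR_TOKEN; the container name sonar-try and the SONAR_URL, SONAR_ADMIN_PASS and PROPERTIES_FILE overrides are this script's own conventions, not SonarQube's.

```sh
#!/bin/sh
# Added example, not code from the original post or from SonarSource.
# Automates the TL;DR end to end and exits non-zero when the quality gate
# fails, which is the behaviour you want from a CI step.
# Assumed: docker, curl, sed and od on PATH; sonar-project.properties in the
# current directory; Docker 20.10+ for --add-host=host-gateway; a scanner
# image that honours SONAR_TOKEN. The container name "sonar-try" is arbitrary.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"       # as seen from the host
ADMIN_USER="admin"
ADMIN_PASS="${SONAR_ADMIN_PASS:-admin}"               # SonarQube's default, rotated below
PROPERTIES_FILE="${PROPERTIES_FILE:-sonar-project.properties}"

# Extract one string field ("name":"value") from a flat JSON response without jq.
# Usage: printf '%s' "$json" | json_field token
json_field() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Read sonar.projectKey from the properties file (first uncommented line wins).
project_key_from_properties() {
    sed -n 's/^[[:space:]]*sonar\.projectKey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Same image as on the page; --rm throws the database away when it stops.
start_server() {
    docker run -d --rm --name sonar-try -p 9000:9000 sonarqube:lts-community >/dev/null
}

# /api/system/status reports STARTING until Elasticsearch and the web app are
# ready; the first boot of a fresh container usually takes a minute or two.
wait_for_up() {
    tries=0
    while [ "$tries" -lt 60 ]; do
        status=$(curl -sf "$SONAR_URL/api/system/status" 2>/dev/null | json_field status)
        [ "$status" = "UP" ] && return 0
        tries=$((tries + 1))
        sleep 5
    done
    echo "SonarQube did not report UP at $SONAR_URL" >&2
    return 1
}

# Replace the default admin password before handing out tokens; the API takes
# the same fields as the change-password form.
change_admin_password() {
    curl -sf -u "$ADMIN_USER:$ADMIN_PASS" -X POST "$SONAR_URL/api/users/change_password" \
        -d "login=$ADMIN_USER" -d "previousPassword=$ADMIN_PASS" -d "password=$1" >/dev/null
    ADMIN_PASS="$1"
}

# Same as "Generate Token" on /account/security, but scripted. The token is
# returned once; the server keeps only a hash of it.
generate_token() {
    curl -sf -u "$ADMIN_USER:$ADMIN_PASS" -X POST "$SONAR_URL/api/user_tokens/generate" \
        -d "name=quickstart-$(date +%s)" | json_field token
}

# The scanner run from the page, with three changes: the token comes from the
# environment (-e SONAR_TOKEN with no value copies it in), so it is not in shell
# history; --add-host makes host.docker.internal resolve on Linux too; and
# sonar.qualitygate.wait makes the scanner exit non-zero when the gate fails.
run_scanner() {
    docker run --rm \
        --add-host=host.docker.internal:host-gateway \
        -e SONAR_HOST_URL="http://host.docker.internal:9000" \
        -e SONAR_TOKEN \
        -v "$PWD":/usr/src \
        sonarsource/sonar-scanner-cli \
        -Dsonar.qualitygate.wait=true -Dsonar.qualitygate.timeout=300
}

main() {
    [ -f "$PROPERTIES_FILE" ] || { echo "no $PROPERTIES_FILE here; run from the project root" >&2; exit 1; }
    project_key=$(project_key_from_properties "$PROPERTIES_FILE")
    [ -n "$project_key" ] || { echo "sonar.projectKey missing in $PROPERTIES_FILE" >&2; exit 1; }

    start_server
    wait_for_up
    change_admin_password "$(od -An -N24 -tx1 /dev/urandom | tr -d ' \n')"   # 48 random hex chars
    SONAR_TOKEN=$(generate_token)
    export SONAR_TOKEN
    run_scanner                          # set -e stops here, with the scanner's status, on a failed gate
    echo "quality gate passed: $SONAR_URL/dashboard?id=$project_key"
    echo "stop the server with: docker stop sonar-try (the --rm container and its data go away)"
}

case "${1:-}" in
    run) main ;;
    "")  ;;                              # no argument: only define the functions
    *)   echo "usage: $0 run" >&2; exit 2 ;;
esac
```

Save it as sonar-quickstart.sh in the project root and run sh sonar-quickstart.sh run. If the gate fails the script exits with the scanner's status and leaves the server running so you can inspect the findings; docker stop sonar-try removes it and its data. The run_scanner invocation is the same one you would put in a CI job, with the token coming from the CI secret store instead of from this script.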