Static analysis using SonarQube

SonarQube is a widely used platform for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, vulnerabilities, and code smells, and also rates the code on a few quality dimensions such as Security, Reliability and Maintainability. This guide provides a step-by-step walkthrough of setting up and using the SKAO SonarQube server, supplemented with screenshots for clarity. In SKAO we have set up a SonarQube Community Build server on STFC.

SKAO GitLab Project Integration with SonarQube

1. Accessing SonarQube

Login on SonarQube
Microsoft Login on SonarQube
  • Once logged in, you will land on the SonarQube Dashboard where all currently imported projects are listed.

SonarQube Dashboard

2. Creating a New Project

  • Navigate to: Projects → Create Project

  • Select import method: Import from other DevOps platform

Import New Project
  • You will be prompted to enter a GitLab personal access token.

Enter Access Token for SonarQube
  • After saving the token, a list of SKAO GitLab projects will appear.

SKAO Projects list on SonarQube
  • Import the targeted project(s) for analysis.

  • Set your new code definition and click Create Project.

SonarQube Code Definition

3. Setting up Project Analysis

  • After project creation, you will be prompted to set up code analysis.

  • Select GitLab CI.

Setting SonarQube CI Analysis
  • Copy the project-specific sonar-project.properties content that SonarQube shows for your project.

SonarQube Project Properties for CI Analysis
  • Generate the SonarQube token - this will be used as the SONAR_TOKEN CI/CD variable for the scanner.

Sonar Token per project

4. Integrating with CI/CD Pipeline

  • For your GitLab project:

    • Add SONAR_TOKEN as a CI/CD variable using the value generated above.

    • The SONAR_URL variable is already available as a group variable; there is no need to add it manually.

    • Create sonar-project.properties file in your project root and paste the copied properties into it.

    • Include the sonar-scan job using the following snippet; sonar-scan runs in the scan stage.

include:
   - project: 'ska-telescope/templates-repository'
     file: 'gitlab-ci/includes/sonar-scan.gitlab-ci.yml'

Note

For SonarQube to show correct test coverage for the scanned GitLab project, specific source and coverage report parameters need to be added to your sonar-project.properties file. The main references:

  • Commit the changes to GitLab and ensure the sonar-scanner job passes.
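The following sonar-project.properties is an added example of the source and coverage parameters the note above refers to; it is not the file SonarQube generates for any particular SKAO project. It assumes a Python project with code under src/ and tests under tests/, and that the test job writes a Cobertura XML coverage report to build/reports/code-coverage.xml and a JUnit report to build/reports/unit-tests.xml (both paths are assumptions, as is the placeholder project key).

```properties
# sonar-project.properties (added example, assumed layout; not project-generated)
# The project key is unique per project: paste the value copied from the
# "Setting up Project Analysis" step in place of the placeholder.
sonar.projectKey=<PROJECT_KEY_FROM_SONARQUBE>

# sonar.host.url and the token are supplied by the shared sonar-scan job from the
# SONAR_URL group variable and the SONAR_TOKEN CI/CD variable, so neither is set here.

# Source and test locations (assumed layout). Keeping tests separate from sources
# stops test code from being counted as uncovered production code.
sonar.sources=src
sonar.tests=tests
sonar.sourceEncoding=UTF-8

# Exclude generated and vendored files so they do not inflate duplication,
# code-smell or vulnerability counts for code you do not maintain.
sonar.exclusions=**/__pycache__/**,**/*.pyc,build/**,docs/**

# Coverage: SonarQube reads Cobertura-style XML (e.g. from pytest-cov). The path
# is an assumption and must match where your test job writes the report.
sonar.python.coverage.reportPaths=build/reports/code-coverage.xml

# Test execution results in JUnit XML (optional; assumed path).
sonar.python.xunit.reportPath=build/reports/unit-tests.xml
```

The sonar-scan job runs in a later stage than the tests, so the test job must keep build/reports/ as a job artifact or the scanner will find no report and show 0% coverage.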

5. Verifying Results

  • After the sonar-scanner job completes (passed/failed/warnings), navigate back to the SonarQube dashboard.

  • Open your project to view:

    • Duplications

    • Vulnerabilities

    • Code Smells

    • Coverage

Note

SonarQube Quality Profiles, Gates and their associated rules are currently under revision. The results and rule violations shown in SonarQube should therefore be treated as advisory. The main pipeline checks remain the authoritative source for SKAO code style and guideline compliance.

6. Next Steps

  • Set Quality Gates to enforce minimum code quality standards.

  • Consider using the SonarQube IDE plugin to fix reported issues directly from your development environment.

Conclusion

By following these steps, you can integrate SonarQube into your development workflow to continuously monitor and improve code quality.

Over time, this helps:

  • Reduce technical debt

  • Improve maintainability

  • Ensure more secure applications