Tuesday 17 July 2018

Introduction to SonarQube - Continuous code quality

In this post, we will see the uses and benefits of SonarQube.

One of the important process in CI/CD is code scan wherein it scans the code for code smells, vulnerabilities, non-standard code etc.

To maintain good code quality, it requires continuous scanning of code after each code-checkin. One of the important tool for code scanning is SonarQube which doesn't only scans the code but provide details about its standard and list out where all the issue with its quality. SonarQube job is to provide you with Blockers (i.e. code that is poorly written that can potentially cause issues with the application running in production), critical, major and minor. It also presents you with a value of how much standard your code is. SonarQube currently supports 21 language. Even you can scan your code directly without writing any linting configuration. 

SonarQube scans the code by using methodology called as Quality Gates. This means each scan that we do on our code is by comparing our code with the quality gates. SonarQube has a default quality gate called “SonarQube way”. Whenever we scan the code, it is scanned against default quality gate “SonarQube way” and results are displayed. SonarQube also gives us the ability to configure our own Quality Gate.

SonarQube Quality gates are the best way to ensure that standards are met and regulated across all the projects and every developer oblige it in the organization.  Quality gates are defined with set of threshold measures set on your project like code coverage, technical debt measure (which can increase software entropy), number of blockers/critical issues, security rating, unit test pass rate etc.
In order to pass a Quality gate, the project should pass through each of the thresholds defined and it is just a set of conditions the project must meet before it can qualify for production release. When SonarQube runs it will identify if the code meets all the quality thresholds we have defined – else it will fail the quality gate and will not allow you to check in code to the Source code system. 

It also acts as a gatekeeper for bad code when it is integrated with repository tool like GitHub. GitHub provides a way to not allow merging of code (i.e. Pull request) if SonarQube scan fails. Using Quality Gates, we can also scan for new issues that may arise with our new code which is being written.

We can define a quality gate in SonarQube by using an option "create a Quality gate". This is the place where we configure the thresholds for the project / code to meet. After configuring quality gate, it need to be assigned to the project. After assigning, the subsequent scan on the project will be scanned against the quality gates.

That's all the brief introduction to SonarQube. If you have a question / comment, please mention in comment section. Thanks!

No comments:

Post a Comment