Mastering Sonar from Scratch: A Beginner’s Guide

Introduction:

Why Sonar?

Sonar (SonarQube and SonarCloud) helps developers find and fix code issues before they reach production. It enforces clean code practices, making software easier to maintain over time.

Why Should Developers Use Sonar?

Are you looking to improve code quality, detect bugs early, and enhance software security? Sonar (SonarQube and SonarCloud) analyzes code for bugs, vulnerabilities, security hotspots and maintainability issues (code smells), and reports them against a quality gate that can fail a build.

In this guide, you’ll learn:

  1. What Sonar is and why it’s essential for developers
  2. How to install, configure, and integrate Sonar with your projects
  3. Best practices to automate code analysis for clean, high-quality code

 

Understanding Sonar and Its Variants

 

                      SonarQube                                    SonarCloud
Hosting               Self-hosted (on-premise)                     Cloud-based (SaaS)
Setup & maintenance   Manual installation and updates              No setup required, fully managed
Integration           Jenkins, GitHub, GitLab, Bitbucket           Deep integration with GitHub, GitLab, Bitbucket, Azure DevOps
Cost                  Free (Community Edition) or paid             Free for open-source projects, paid for private repositories
                      (Developer and Enterprise Editions)
Ideal for             Large teams, organizations needing           Agile teams, startups, cloud-native development
                      full control

Choose SonarQube if you need full control, on-premise hosting (source code never leaves your network) and custom configuration.

Choose SonarCloud if you prefer a hassle-free cloud service with automatic updates.

 

Installing and Setting Up Sonar

For SonarCloud there is nothing to install: go through the guided SonarCloud configuration (sign in with your GitHub, GitLab, Bitbucket or Azure DevOps account, import the organization and the repository, and create an analysis token). Store that token as a CI secret. It is the credential the scanner uses to upload results, so it must never be committed to the repository or pasted into a workflow file.


Integrating Sonar with Your Project

 

Code Section

sonar.yml (placed under .github/workflows/ in the repository)
name: SonarQube Scan

on:
  push:
    branches:
      - '**'              # every branch ('**' already covers main)
  pull_request:
    branches:
      - main
  workflow_dispatch:


jobs:
  sonarQube:
    name: SonarQube Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history; a shallow clone degrades blame and new-code detection

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: 17
          distribution: temurin # Specify the JDK distribution

      - name: Cache Gradle dependencies
        uses: actions/cache@v3
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Build the project
        run: ./gradlew build --warning-mode all

      - name: Run SonarQube Scan
        # The project key and organization are Sonar properties, not environment
        # variables the scanner reads, so they are passed with -D (or set once in
        # the sonar { } block of build.gradle). In newer versions of SonarScanner
        # for Gradle the task is named `sonar`; `sonarqube` is deprecated but still works.
        run: ./gradlew sonarqube -Dsonar.projectKey=project_key_here -Dsonar.organization=your_organization
        env:
          SONAR_HOST_URL: https://sonarcloud.io
          # The token comes from a repository secret; never write it into this file.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          # Lets SonarCloud read pull request information and decorate the PR.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          #SONAR_BRANCH_NAME: "main"
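The workflow above uploads the analysis and exits; the server evaluates the report asynchronously, so the job does not fail by itself when the quality gate turns red. The script below is an added example (not part of the original post and not Sonar's own tooling) that reads the report-task.txt the scanner writes, waits for the compute-engine task through the public api/ce/task endpoint, and then checks api/qualitygates/project_status, exiting non-zero on any failed condition. The sample report and the two gate responses are constructed inline; the report path build/sonar/report-task.txt is the Gradle plugin's default and is assumed here (the sonar-scanner CLI writes .scannerwork/report-task.txt instead).

```python
"""Fail a CI job when the Sonar quality gate is not green.

The scanner (Gradle plugin or sonar-scanner CLI) uploads a report and returns
immediately; the server evaluates it asynchronously. A CI job therefore has to
wait for the compute-engine task and then ask for the quality gate result.
"""
import json
import os
import sys
import time
import urllib.request
from base64 import b64encode

# Constructed sample of the report-task.txt the scanner writes after an upload
# (Gradle plugin: build/sonar/report-task.txt, CLI: .scannerwork/report-task.txt).
SAMPLE_REPORT = """projectKey=my_project
serverUrl=https://sonarcloud.io
dashboardUrl=https://sonarcloud.io/dashboard?id=my_project
ceTaskId=AXyZ123
ceTaskUrl=https://sonarcloud.io/api/ce/task?id=AXyZ123
"""

# Constructed responses in the shape of api/qualitygates/project_status.
SAMPLE_GATE_OK = {"projectStatus": {"status": "OK", "conditions": []}}
SAMPLE_GATE_FAILED = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.2"},
    {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "2"},
]}}


def parse_report_task(text):
    """Parse the key=value lines of report-task.txt (split on the first '='
    only, because ceTaskUrl itself contains '=')."""
    result = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def gate_failures(project_status):
    """One line per failed condition; an empty list means the gate passed."""
    status = project_status.get("projectStatus", {})
    failures = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "ERROR":
            failures.append("%s: %s %s %s" % (cond.get("metricKey"), cond.get("actualValue"),
                                             cond.get("comparator"), cond.get("errorThreshold")))
    # Also fail on WARN/NONE, not only on explicit ERROR conditions.
    if status.get("status") != "OK" and not failures:
        failures.append("quality gate status is %r" % status.get("status"))
    return failures


def api_get(base_url, path, token):
    """GET a Sonar web API endpoint. The token is sent as the user name of HTTP
    basic auth with an empty password, which is how Sonar tokens are presented."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + b64encode((token + ":").encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_task(base_url, task_id, token, timeout_s=300):
    """Poll api/ce/task until the analysis task reaches a terminal state."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        task = api_get(base_url, "/api/ce/task?id=" + task_id, token)["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        time.sleep(5)
    raise TimeoutError("compute engine task %s did not finish in time" % task_id)


def main(report_path="build/sonar/report-task.txt"):
    token = os.environ["SONAR_TOKEN"]  # injected from a CI secret, never hard-coded
    with open(report_path) as fh:
        report = parse_report_task(fh.read())
    task = wait_for_task(report["serverUrl"], report["ceTaskId"], token)
    if task["status"] != "SUCCESS":
        print("analysis task ended with status", task["status"])
        return 1
    status = api_get(report["serverUrl"],
                     "/api/qualitygates/project_status?analysisId=" + task["analysisId"], token)
    failures = gate_failures(status)
    for line in failures:
        print("quality gate condition failed:", line)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as an extra workflow step after the scan, with SONAR_TOKEN in the step's env exactly as in the scan step; a non-zero exit fails the job, so a pull request that introduces new vulnerabilities or security hotspots above the gate's threshold is blocked instead of merely annotated.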

 

sonar-project.properties
# Project identification.
# Values are taken literally: do not quote them, and do not append a comment to
# the same line, because in a .properties file "#" only starts a comment at the
# beginning of a line. This file is read by the SonarScanner CLI; the Gradle
# plugin used in the workflow above ignores it and takes its settings from the
# sonar { } block of build.gradle or from -D properties.
sonar.projectKey=your_projectkey_here
sonar.organization=your_organization_here
#sonar.branch.name=main

# SonarQube server URL (replace with your self-hosted SonarQube URL if applicable)
sonar.host.url=https://sonarcloud.io

# Authentication: do not put the token in this file, it would be committed with
# the repository. Export SONAR_TOKEN in the CI job, or pass -Dsonar.token=$SONAR_TOKEN
# on the scanner command line (sonar.login is deprecated in favour of sonar.token).

# Source and test directories
sonar.sources=src/main/java
sonar.tests=src/test/java

# Compiled classes, required for Java analysis. The path below is an Android
# build output; a plain Gradle Java project uses build/classes/java/main.
# Update it to match your project's build output.
sonar.java.binaries=build/intermediates/classes/debug

# Exclude patterns (test and build directories)
sonar.exclusions=**/test/**,**/build/**

# Include patterns (optional): analyse only Java files
sonar.inclusions=**/*.java

# Coverage (optional). For a JaCoCo XML report the property is
# sonar.coverage.jacoco.xmlReportPaths; sonar.coverageReportPaths is for the
# generic coverage format and will not read a JaCoCo file.
# sonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/testDebugUnitTestReport.xml

# Source encoding
sonar.sourceEncoding=UTF-8
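Because the scanner parses sonar-project.properties with Java .properties rules, a quoted value, a trailing "# comment" or a pasted token is accepted silently and only shows up later as a project that cannot be found or a credential in git history. The linter below is an added example (not part of the original post and not a Sonar tool) that applies those rules and reports each pitfall; it is written so it can run as a pre-commit or CI check. Both property files it reads are constructed inline: the first reproduces the problematic lines, the second the corrected form.

```python
"""Lint a sonar-project.properties file for mistakes that silently break an
analysis or leak a credential. Follows the Java .properties rules the scanner
applies: a line is a comment only when its first non-blank character is '#' or
'!', a trailing '# ...' is part of the value, and quote characters are literal.
Backslash escapes and line continuations are not handled here."""
import re

CREDENTIAL_KEYS = ("sonar.login", "sonar.token", "sonar.password")
DEPRECATED = {"sonar.login": "sonar.token"}


def parse_properties(text):
    """Return {key: value} for every non-comment line, keeping values verbatim."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # key ends at the first '=', ':' or whitespace; the rest is the value
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def lint_properties(text):
    """One message per problem found; an empty list means the file is clean."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if value[:1] in ("'", '"') or value[-1:] in ("'", '"'):
            findings.append("%s: quote characters are part of the value %r" % (key, value))
        if re.search(r"\s#", value):
            findings.append("%s: trailing comment is part of the value %r" % (key, value))
        if key in CREDENTIAL_KEYS and value:
            findings.append("%s: credential stored in the file; pass it through the "
                            "SONAR_TOKEN environment variable instead" % key)
        if key in DEPRECATED:
            findings.append("%s: deprecated, use %s" % (key, DEPRECATED[key]))
    jacoco = props.get("sonar.coverageReportPaths", "")
    if "jacoco" in jacoco.lower():
        findings.append("sonar.coverageReportPaths points at a JaCoCo report; "
                        "use sonar.coverage.jacoco.xmlReportPaths for JaCoCo XML")
    return findings


# Constructed input reproducing the problematic lines discussed above.
BAD_PROPERTIES = """# Project identification
sonar.projectKey="your_projectkey_here"  # Replace with your actual project key
sonar.host.url=https://sonarcloud.io       # Replace with your self-hosted SonarQube URL if applicable
sonar.login="your_token_here"                 # Use an environment variable for security
sonar.coverageReportPaths=build/reports/jacoco/testDebugUnitTestReport.xml
sonar.sourceEncoding=UTF-8
"""

# Constructed corrected file: no quotes, comments on their own lines, no token.
GOOD_PROPERTIES = """# Project identification
sonar.projectKey=your_projectkey_here
sonar.organization=your_organization_here
# Replace with your self-hosted SonarQube URL if applicable
sonar.host.url=https://sonarcloud.io
sonar.sources=src/main/java
sonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/test/jacocoTestReport.xml
sonar.sourceEncoding=UTF-8
"""

if __name__ == "__main__":
    for msg in lint_properties(BAD_PROPERTIES):
        print("BAD :", msg)
    print("GOOD:", lint_properties(GOOD_PROPERTIES) or "no findings")
```

On the problematic file the linter reports eight findings (two for the quoted and commented project key, one for the commented host URL, four for the sonar.login line and one for the coverage property), and none on the corrected one; wire `lint_properties(open("sonar-project.properties").read())` into a pre-commit hook and fail when the list is non-empty.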

 
