Introduction
Why Sonar?
Sonar (SonarQube & SonarCloud) helps developers identify and fix code issues before they become critical. It enforces clean code practices, making software easier to maintain over time.
Why Should Developers Use Sonar?
Are you looking to improve code quality, detect bugs early, and enhance software security? Sonar (SonarQube and SonarCloud) is a powerful tool that helps developers analyze code for vulnerabilities, maintainability, and performance issues.
In this guide, you’ll learn:
- What Sonar is and why it’s essential for developers
- How to install, configure, and integrate Sonar with your projects
- Best practices to automate code analysis for clean, high-quality code
Understanding Sonar and Its Variants
| Feature | SonarQube | SonarCloud |
|---|---|---|
| Hosting | Self-hosted (on-premise) | Cloud-based (SaaS) |
| Setup & Maintenance | Requires manual installation and updates | No setup required, fully managed |
| Integration | Works with Jenkins, GitHub, GitLab, Bitbucket | Deep integration with GitHub, GitLab, Bitbucket, Azure DevOps |
| Cost | Free (Community Edition) or paid (Developer & Enterprise Editions) | Free for open-source projects, paid for private repositories |
| Ideal For | Large teams, organizations needing full control | Agile teams, startups, and cloud-native development |
Choose SonarQube if you need full control, on-premise security, and custom configurations.
Choose SonarCloud if you prefer a hassle-free cloud solution with automatic updates.
Installing and Setting Up Sonar
Go through the guided SonarCloud configuration to create your project and obtain the project key, organization name, and analysis token used below.
Integrating Sonar with Your Project
Code Section
Sonar.yml (GitHub Actions workflow, placed under .github/workflows/)
```yaml
name: SonarQube Scan

on:
  push:
    branches:
      - main
      - '**'
  pull_request:
    branches:
      - main
  workflow_dispatch:

jobs:
  sonarQube:
    name: SonarQube Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: 17
          distribution: temurin # Specify the JDK distribution

      - name: Cache Gradle dependencies
        uses: actions/cache@v3
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Build the project
        run: ./gradlew build --warning-mode all

      # The sonarqube task is provided by the org.sonarqube Gradle plugin,
      # which must be applied in the project's build.gradle.
      - name: Run SonarQube Scan
        run: ./gradlew sonarqube
        env:
          SONAR_HOST_URL: https://sonarcloud.io
          # The analysis token is read from a repository secret; never commit it in plain text.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_PROJECT_KEY: "project_key_here"
          SONAR_ORGANIZATION: "your_organization"
          #SONAR_BRANCH_NAME: "main"
```
sonar-project.properties
```properties
# Project identification
# Replace with your actual project key and SonarCloud organization name.
# Values are taken literally: do not wrap them in quotes, and do not put a
# comment after a value on the same line (a '#' there becomes part of the value).
sonar.projectKey=your_projectkey_here
sonar.organization=your_organization_here
#sonar.branch.name=main

# SonarQube server URL (replace with your self-hosted SonarQube URL if applicable)
sonar.host.url=https://sonarcloud.io

# Authentication: the token is supplied by the SONAR_TOKEN environment variable
# in your CI/CD pipeline and is never committed to this file.
# sonar.login=your_token_here

# Source and test directories
sonar.sources=src/main/java
sonar.tests=src/test/java

# Binary directories for compiled classes (update based on your project's build output)
sonar.java.binaries=build/intermediates/classes/debug

# Exclude test and build directories
sonar.exclusions=**/test/**,**/build/**

# Include patterns (optional): analyze only Java files
sonar.inclusions=**/*.java

# Coverage report paths (optional, comment out if unused)
# sonar.coverageReportPaths=build/reports/jacoco/testDebugUnitTestReport.xml

# Source encoding
sonar.sourceEncoding=UTF-8
```
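Two things go wrong with sonar-project.properties in practice: Java properties syntax keeps quotes as part of the value and does not recognize a `#` comment after a value, and a token pasted into `sonar.login` ends up committed to the repository. The following pre-commit style check is an added example, not code from the Sonar project; it parses the file the way `java.util.Properties` does for the common cases and reports those pitfalls. The file contents `BAD_FILE` and `GOOD_FILE` are constructed samples, and the `SECRET_KEYS` set and `lint_properties` function are this example's own names.

```python
"""Lint a sonar-project.properties file for Java-properties pitfalls and
hard-coded credentials. Added example; not part of Sonar or its scanners."""
import re

# Keys that carry credentials: a committed file must not hold a literal value for them.
# (sonar.login is the older name of sonar.token; both are covered.)
SECRET_KEYS = {"sonar.login", "sonar.token", "sonar.password"}

# key ends at the first '=', ':' or whitespace; the separator itself is optional.
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict[str, str]:
    """Parse the common cases of java.util.Properties syntax.

    Rules that matter here: '#' or '!' opens a comment only at the start of a
    line; surrounding quotes are ordinary characters; a trailing backslash joins
    the next line to the current one.
    """
    props: dict[str, str] = {}
    pending = ""  # accumulated text of a logical line split by backslash continuations
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or full-line comment
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continue
        line = pending + line
        pending = ""
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def lint_properties(text: str) -> list[str]:
    """Return one finding per problem; an empty list means the file is clean."""
    findings: list[str] = []
    for key, value in parse_properties(text).items():
        if key in SECRET_KEYS and value:
            findings.append(f"{key}: credential hard-coded in file; pass it through the "
                            "SONAR_TOKEN environment variable in CI instead")
        if value[:1] in ('"', "'"):
            findings.append(f"{key}: value is quoted; the quotes are sent to Sonar literally")
        if "#" in value:
            findings.append(f"{key}: '#' inside a value is not a comment; everything after "
                            "it is part of the value")
    return findings


# Constructed sample: the quoted, inline-commented, token-bearing form.
BAD_FILE = """\
# Project identification
sonar.projectKey="demo_key" # Replace with your actual project key
sonar.organization="demo_org"
sonar.host.url=https://sonarcloud.io
sonar.login="demo_token"
sonar.sources=src/main/java
"""

# Constructed sample: the corrected form, with the token left to the CI environment.
GOOD_FILE = """\
# Authentication is supplied by the SONAR_TOKEN environment variable; nothing here.
sonar.projectKey=demo_key
sonar.organization=demo_org
sonar.host.url=https://sonarcloud.io
sonar.sources=src/main/java
sonar.exclusions=**/test/**,\\
  **/build/**
"""

if __name__ == "__main__":
    for label, content in (("bad", BAD_FILE), ("good", GOOD_FILE)):
        print(f"== {label} ==")
        for finding in lint_properties(content) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file with `lint_properties(open("sonar-project.properties").read())` and fail the commit when the list is non-empty; the continuation-line case in `GOOD_FILE` shows that a long exclusion list can be split across lines without tripping the check.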