SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 27+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities. -- Wikipedia
Setting up your SonarQube services as fragile snowflakes is both common and not a recommended technique. Any developer should be able to quickly start a personal SonarQube service as well as rely on a team's service that matches the same behaviors. The latest SonarQube version, its plugins, and its configurations should also be easily adjustable. Your software development lifecycle processes (SDLC) should embrace the versioned configuration and deployment of SonarQube across a variety of cattle (not pets) targets.
Follow these instructions to set up a personal SonarQube engine and dashboard. With this, you have a strong, static code analysis tool backing your code all before you submit your work for a pull request. Within SonarQube there are plugins such as Checkstyle, PMD and Findbugs. The Findbugs plugin includes rules for vulnerabilities such as the OWASP top 10.
You will learn how:
- to install SonarQube onto Kubernetes
- to use Helm to install SonarQube
- to configure SonarQube plugins with the chart
- to access the SonarQube Dashboard
- to analyze code and inspect results with a Gradle plugin
Most developers who know about static code analysis know about SonarQube. While each language typically has specific linting and code analysis tools, SonarQube offers a unifying tool for many languages and teams. Additionally, SonarQube with its database offers the additional dimension of time to trend your metrics over time.
This tutorial shows how you can easily use Kubernetes as a place to host a highly available server for you and your team.
Lessons Learned
With these steps you have learned how to:
- ✔ install SonarQube onto Kubernetes
- ✔ use Helm to install SonarQube
- ✔ configure SonarQube plugins with the chart
- ✔ access the SonarQube Dashboard
- ✔ analyze code and inspect results with a Gradle plugin
Additional Information
- Visit the No Fluff Just Stuff tour and see this example in action. Code Analysis and Team Culture
- SonarQube integration
- SonarCloud Nemo, SonarQube continuous analysis reporting of many open source projects.
- Helm chart for using SonarQube on Kubernetes
- Intellij's plugin for SonarQube, SonarLint plugin
- Shift left
- Snowflakes
- Cattle not pets
- Checkstyle
- PMD
- Findbugs
- Careful when upgrading SonarQube tag images or its plugins. It can be dependency hell with a complex matrix. If your container is failing it's due to mismatched versions.
For a deeper understanding of these topics and more join
Jonathan Johnson
at various conferences, symposiums, workshops, and meetups.
Software Architectures ★ Speaker ★ Workshop Hosting ★ Kubernetes & Java Specialist
Steps
SonarQube
Your Kubernetes Cluster
For this scenario, Katacoda has just started a fresh Kubernetes cluster for you. Verify that it's ready for your use.
kubectl version --short && \
kubectl get componentstatus && \
kubectl get nodes && \
kubectl cluster-info
The Helm package manager used for installing applications on Kubernetes is also available.
helm version --short
Kubernetes Dashboard
You can administer your cluster with the kubectl CLI tool or use the visual Kubernetes Dashboard. Use this script to access the protected Dashboard.
token.sh
