SonarQube – Static code analysis
SonarQube is an open source platform for automated code review: it runs static analysis to detect bugs, code smells and security vulnerabilities in 25+ programming languages including Java, C#, JavaScript, TypeScript, C/C++, COBOL and more (which languages are available depends on the edition; the free Community Edition covers a subset).
The following instructions detail how to install and run the SonarQube code analysis tool on your local machine (Windows only).
Install
Note: As a prerequisite, ensure you have both Java (a JRE is required by the scanner) and Node.js (required by the JavaScript/TypeScript analyzers) installed on your machine
- Install a local instance of the SonarQube server using the following Docker image
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
Note: SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true switches off the Elasticsearch start-up checks (such as the vm.max_map_count check); that is acceptable for a throwaway local instance only. The command above has no volume, so all projects and settings are lost when the container is removed, and -p 9000:9000 binds the port on every interface, so the server (with its default admin/admin account) is reachable from other hosts on your network; use -p 127.0.0.1:9000:9000 if you only need it locally.
- Install the SonarQube scanner tool
dotnet tool install --global dotnet-sonarscanner --version 5.0.4
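The same local install written as a PowerShell script (an added example, not part of the original instructions): it gives the container named volumes so data survives recreation, binds the port to localhost only, and polls the server's api/system/status endpoint until it reports UP. The container and volume names are assumptions; the volume mount points are the ones documented for the official image.

```powershell
# Added example: start a local SonarQube container with persistent storage,
# bound to localhost only, and wait until the server reports it is up.
# Container name, volume names and the 3-minute timeout are assumptions.
$ErrorActionPreference = 'Stop'

$container = 'sonarqube'
$port      = 9000

# Named volumes keep the embedded database, Elasticsearch index, plugins and logs
# across container restarts and recreation ('docker volume create' is idempotent).
docker volume create sonarqube_data       | Out-Null
docker volume create sonarqube_extensions | Out-Null
docker volume create sonarqube_logs       | Out-Null

# Bind to 127.0.0.1 so the well-known admin/admin account is never exposed to the LAN.
# SONAR_ES_BOOTSTRAP_CHECKS_DISABLE only relaxes Elasticsearch's start-up checks for
# this throwaway instance; do not set it on a shared server.
docker run -d --name $container `
    -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true `
    -p "127.0.0.1:${port}:${port}" `
    -v sonarqube_data:/opt/sonarqube/data `
    -v sonarqube_extensions:/opt/sonarqube/extensions `
    -v sonarqube_logs:/opt/sonarqube/logs `
    sonarqube:latest | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'docker run failed' }

# Poll the system status endpoint until it reports UP, or give up after the deadline.
# Invoke-RestMethod throws while the port is closed or the server is still starting,
# so a failed call is treated as "not yet up".
$statusUrl = "http://localhost:$port/api/system/status"
$deadline  = (Get-Date).AddMinutes(3)
do {
    Start-Sleep -Seconds 5
    try   { $status = (Invoke-RestMethod -Uri $statusUrl -TimeoutSec 5).status }
    catch { $status = 'STARTING' }
    Write-Host "SonarQube status: $status"
} until ($status -eq 'UP' -or (Get-Date) -gt $deadline)

if ($status -ne 'UP') { throw "SonarQube did not come up in time; inspect 'docker logs $container'" }
Write-Host "Ready: http://localhost:$port/ (log in as admin/admin and change the password immediately)"
```

Run it once from any directory; to start over from scratch, `docker rm -f sonarqube` followed by `docker volume rm sonarqube_data sonarqube_extensions sonarqube_logs` removes both the container and its state.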
Project Setup
- Log into your local SonarQube server by browsing to
http://localhost:9000/
user: admin
password: admin
- Change the default password when prompted (admin/admin is well known, and anyone who can reach port 9000 can log in with it)
- Click the Create new project button
- Give your project a Project key and a Display name, e.g. Test-sample-project (the Project key is the value the scanner must be given with /k: when you run the analysis)
- Click the Set Up button
- Select the ‘Generate a token’ option, give your token a name then click the Generate button, and click Continue
- Take a note of your token: it is shown only once, it is required when you perform the analysis in the next section, and it grants access to your SonarQube account, so treat it like a password and do not commit it to source control
Analysis
Now that SonarQube is installed and the project is setup, the following steps are required each time you want to run analysis on your code.
- From a command window, execute the following commands from the root folder of your project (the /k: value must be exactly the Project key you created above, and myAuthenticationToken is the token you generated):
dotnet-sonarscanner begin /k:"Test-sample-project" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="myAuthenticationToken"
dotnet build
dotnet-sonarscanner end /d:sonar.login="myAuthenticationToken"
Note: the begin step hooks the analyzers into the build, so the build in between must actually compile the projects (an already up-to-date incremental build analyses nothing; use dotnet build --no-incremental if in doubt), and the end step uploads the report. A token typed on the command line also ends up in your shell history; prefer reading it from an environment variable.
- Return to your browser (http://localhost:9000/) to view the results of the analysis. The uploaded report is processed in the background, so allow a few seconds before the dashboard updates.
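The analysis steps above as a repeatable PowerShell script (an added example, not part of the original instructions): the token comes from an environment variable instead of the command line, each step aborts on a non-zero exit code, and the script then waits for the server to finish processing the report and fails if the quality gate is not OK. The SONAR_TOKEN variable name is an assumption; the report-task.txt path is the one the SonarScanner for .NET writes under the project folder; the api/ce/task and api/qualitygates/project_status endpoints are SonarQube's public Web API.

```powershell
# Added example: run begin / build / end with the token taken from $env:SONAR_TOKEN,
# then poll the background task and fail on a failed quality gate.
# Set the token once per session:  $env:SONAR_TOKEN = '<token from Project Setup>'
$ErrorActionPreference = 'Stop'

$projectKey = 'Test-sample-project'   # must equal the Project key created in the UI
$hostUrl    = 'http://localhost:9000'
$token      = $env:SONAR_TOKEN        # variable name is an assumption of this example

if ([string]::IsNullOrWhiteSpace($token)) {
    throw 'SONAR_TOKEN is not set; generate a token in SonarQube and export it first'
}

# Run one native command and stop the script if it reports a non-zero exit code.
function Invoke-Step {
    param([string]$Name, [scriptblock]$Command)
    Write-Host "==> $Name"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# --no-incremental forces a real compile so the analyzers hooked in by 'begin' run;
# 'end' needs the same token to upload the report.
Invoke-Step 'sonar begin'  { dotnet-sonarscanner begin /k:"$projectKey" /d:sonar.host.url="$hostUrl" /d:sonar.login="$token" }
Invoke-Step 'dotnet build' { dotnet build --no-incremental }
Invoke-Step 'sonar end'    { dotnet-sonarscanner end /d:sonar.login="$token" }

# Web API calls authenticate with the token as the Basic-auth user name and an empty password.
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${token}:")) }

# The server processes the uploaded report asynchronously. The scanner leaves the
# Compute Engine task id in report-task.txt; wait for that task to finish.
$taskFile = Join-Path (Get-Location) '.sonarqube\out\.sonar\report-task.txt'
$taskId   = (Get-Content $taskFile | Where-Object { $_ -like 'ceTaskId=*' }) -replace '^ceTaskId=', ''
do {
    Start-Sleep -Seconds 3
    $task = (Invoke-RestMethod -Uri "$hostUrl/api/ce/task?id=$taskId" -Headers $headers).task
    Write-Host "Analysis task $taskId`: $($task.status)"
} while ($task.status -in 'PENDING', 'IN_PROGRESS')
if ($task.status -ne 'SUCCESS') { throw "Analysis task ended with status $($task.status)" }

# Ask for the quality gate of exactly this analysis, not whatever the dashboard last showed.
$gate = (Invoke-RestMethod -Uri "$hostUrl/api/qualitygates/project_status?analysisId=$($task.analysisId)" -Headers $headers).projectStatus
Write-Host "Quality gate: $($gate.status)"
foreach ($c in $gate.conditions | Where-Object { $_.status -ne 'OK' }) {
    Write-Host "  $($c.metricKey): actual $($c.actualValue), threshold $($c.errorThreshold) ($($c.status))"
}
if ($gate.status -ne 'OK') { exit 1 }
```

Save it as, say, analyse.ps1 in the project root and run it after each change; a non-zero exit code makes it usable as a pre-push hook or a CI step without exposing the token in the repository.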
Resources