CODE QUALITY: SONARQUBE
Introduction
SonarQube is a powerful static code analysis tool that helps developers maintain code quality, security, and best practices. It supports multiple programming languages and integrates well with CI/CD pipelines.
This guide walks you through installing SonarQube locally, running your first analysis on an open-source repository, reading the results, and setting up CI automation.
Step 1: Install SonarQube on Your Desktop
Why: SonarQube runs as a local server providing a web UI to view analysis results.
System Requirements
- Java 17+ (LTS recommended)
- 2 GB RAM+ (4 GB recommended)
- Database: embedded H2 (for evaluation) or PostgreSQL/MySQL (prefer PostgreSQL for production)
- Internet connection for dependencies
1.1 Download & Extract SonarQube
- Go to the SonarQube downloads page and get the latest LTS.
- Extract the archive:
unzip sonarqube-*.zip # Linux/macOS (the distribution is a zip archive, not a tarball, so tar will not open it)
# Windows: extract with Explorer, WinRAR or 7-Zip
1.2 Install Java 17+ (if needed)
sdk install java 17.0.7-tem # Linux/macOS via SDKMAN! (Temurin build)
choco install openjdk17 # Windows via Chocolatey
java -version # verify that a 17+ JDK is on the PATH
1.3 Start SonarQube
Linux/macOS
cd sonarqube-*/bin/linux-x86-64
./sonar.sh start
Windows
cd sonarqube-*/bin/windows-x86-64
StartSonar.bat
1.4 Access the Dashboard
Open http://localhost:9000 and log in with the default credentials admin/admin.
Security tip: change the default password immediately after the first login; a SonarQube server reachable with admin/admin exposes every project's source and findings.
Step 2: Install and Configure SonarScanner
SonarScanner collects project data and ships it to your SonarQube server.
2.1 Download SonarScanner
Download the SonarScanner CLI archive for your platform and extract it:
unzip sonar-scanner-*.zip # Linux/macOS (zip archive, not a tarball)
# Windows: extract with Explorer, WinRAR or 7-Zip
2.2 Add to PATH
Linux/macOS
export PATH=$PATH:/path/to/sonar-scanner/bin
Add the line above to your shell rc (~/.bashrc or ~/.zshrc) to persist it.
Windows: add C:\path\to\sonar-scanner\bin to the System PATH.
2.3 Verify the Installation
sonar-scanner -h
Step 3: Analyze an Open-Source Code Repository
We’ll analyze a public project to see real results.
3.1 Clone a Repository
Example: Spring PetClinic
git clone https://github.com/spring-projects/spring-petclinic.git
cd spring-petclinic
3.2 Create a SonarQube Project
- In SonarQube: Projects → Create Project → Manually.
- Set a unique Project Key and Name.
- Generate and save a Token for the scanner.
3.3 Configure SonarScanner
Create sonar-project.properties in the repo root:
sonar.projectKey=spring-petclinic
sonar.projectName=Spring PetClinic
sonar.projectVersion=1.0
sonar.sources=src
# sonar.language is no longer used: SonarQube detects languages from file extensions
sonar.sourceEncoding=UTF-8
# The Java analyzer needs compiled classes; run ./mvnw compile before scanning
sonar.java.binaries=target/classes
sonar.host.url=http://localhost:9000
# Do not commit a real token here; pass it at scan time instead (the SONAR_TOKEN environment
# variable or -Dsonar.login=... on the command line). SonarQube 10+ names this property sonar.token.
sonar.login=<YOUR_SONARQUBE_TOKEN>
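A token pasted into sonar-project.properties ends up in git history the moment the file is committed. The script below is an added example (not part of the original guide or of SonarQube) that audits the file before a commit: it checks that the required keys are present, flags any credential that is not a placeholder, reports keys current versions no longer use, and warns when the token would be sent over plain HTTP to a remote server. The properties parser is a minimal one written for this example (no line continuations), the "safe" placeholder forms <...> and ${...} are this example's convention, and the assumption that recent SonarScanner CLI releases read a SONAR_TOKEN environment variable is noted in the code.

```python
# Added example (not from the original guide): audit a sonar-project.properties
# file before committing it. Checks for required keys, credentials stored in the
# file, and properties that current SonarQube versions no longer use.
import re

REQUIRED_KEYS = ("sonar.projectKey", "sonar.sources", "sonar.host.url")
CREDENTIAL_KEYS = ("sonar.login", "sonar.token", "sonar.password")
OUTDATED_KEYS = {
    "sonar.language": "languages are detected from file extensions; this key is ignored",
    "sonar.login": "deprecated since SonarQube 10.0 in favor of sonar.token",
}
# Placeholders such as <YOUR_TOKEN> or ${SONAR_TOKEN} are not real credentials.
PLACEHOLDER = re.compile(r"^(<[^>]*>|\$\{[^}]*\})$")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_properties(text: str) -> list:
    """Return a list of findings; an empty list means the file looks safe to commit."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing required key: {key}")
    for key in CREDENTIAL_KEYS:
        value = props.get(key, "")
        if value and not PLACEHOLDER.match(value):
            # Assumption: recent SonarScanner CLI releases read the token from SONAR_TOKEN.
            findings.append(f"credential hard-coded in file: {key} (use the SONAR_TOKEN env var)")
    for key, reason in OUTDATED_KEYS.items():
        if key in props:
            findings.append(f"outdated key {key}: {reason}")
    url = props.get("sonar.host.url", "")
    if url.startswith("http://") and not re.match(r"^http://(localhost|127\.0\.0\.1)([:/]|$)", url):
        findings.append("sonar.host.url is plain http to a remote host: the token is sent unencrypted")
    return findings


# Constructed sample: the guide's file with a made-up token pasted in and a remote server URL.
SAMPLE_UNSAFE = """\
sonar.projectKey=spring-petclinic
sonar.sources=src
sonar.language=java
sonar.host.url=http://sonar.example.internal:9000
sonar.login=sqp_0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "sonar-project.properties"
    with open(path, encoding="utf-8") as fh:
        problems = audit_properties(fh.read())
    for problem in problems:
        print("WARN", problem)
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook (python audit_sonar_props.py sonar-project.properties); a non-zero exit blocks the commit. Against the constructed SAMPLE_UNSAFE it reports the hard-coded token, the two outdated keys and the plain-http remote URL.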
3.4 Run the Scan
Compile first so the Java analyzer finds the class files, then run the scanner:
./mvnw -q compile
sonar-scanner
Troubleshooting: check the scanner's console output and the server logs (sonarqube-*/logs) for errors; the usual causes are wrong paths, the server not being reachable at sonar.host.url, an invalid token, and file permissions.
Step 4: Review Code Quality Reports
- Open http://localhost:9000 → your project.
- Explore Code Smells, Bugs, Vulnerabilities, Duplications, Coverage, Technical Debt.
- Click issues for remediation guidance.
Quality Gates determine pass/fail based on thresholds (customize to your standards).
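The dashboard shows the gate result, but a CI job needs it as an exit code. The script below is an added example (not from the original guide and not SonarQube's own tooling) that queries the server's /api/qualitygates/project_status endpoint for a project, lists every condition in ERROR state, and exits non-zero when the gate is not OK. The SONAR_HOST_URL and SONAR_TOKEN environment variable names and the SAMPLE_RESPONSE payload are this example's own; the payload is constructed in the shape the API returns.

```python
# Added example (not from the original guide): turn the quality gate into a CI check.
# Queries the SonarQube web API (/api/qualitygates/project_status) and exits non-zero
# when the gate is not OK, listing the failed conditions.
import base64
import json
import os
import sys
import urllib.parse
import urllib.request


def gate_summary(payload: dict):
    """Reduce a project_status response to (passed, list of failed-condition strings)."""
    status = payload["projectStatus"]
    failed = [
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c.get('actualValue', '?')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status["status"] == "OK", failed


def fetch_gate(host_url: str, project_key: str, token: str) -> dict:
    """Call the SonarQube API; the token is sent as the user name in HTTP basic auth."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{host_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises HTTPError on 401/403/404
        return json.load(resp)


# Constructed sample response in the shape the API returns: one condition failing.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
        ],
    }
}

if __name__ == "__main__":
    # Environment variable names are this example's convention, not a SonarQube requirement.
    host = os.environ.get("SONAR_HOST_URL", "http://localhost:9000")
    token = os.environ["SONAR_TOKEN"]
    key = sys.argv[1] if len(sys.argv) > 1 else "spring-petclinic"
    passed, failed = gate_summary(fetch_gate(host, key, token))
    print("Quality gate:", "PASSED" if passed else "FAILED")
    for item in failed:
        print("  failed:", item)
    sys.exit(0 if passed else 1)
```

Analysis results are computed asynchronously after the scanner uploads its report, so call this only once the server's background task for that scan has finished; the scanner's own sonar.qualitygate.wait=true option achieves the same effect by blocking until the gate is evaluated and failing the scan if it is red.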
Step 5: Automating Analysis with GitHub Actions
Run SonarQube on every push/PR.
- Add .github/workflows/sonarqube.yml:
name: SonarQube Analysis
on:
  push:
    branches: [ main ]
  pull_request:
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history lets SonarQube attribute new code correctly
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Compile
        run: ./mvnw -q -DskipTests compile   # the Java analyzer needs the class files
      - name: Install SonarScanner
        run: |
          curl -sSLo sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.zip
          unzip -q sonar-scanner-cli.zip
          echo "$(ls -d "$PWD"/sonar-scanner-*/bin)" >> "$GITHUB_PATH"   # make sonar-scanner resolvable
      - name: Run SonarScanner
        run: |
          # A hosted runner cannot reach a server on your desktop, so the URL comes from a secret
          sonar-scanner \
            -Dsonar.projectKey=spring-petclinic \
            -Dsonar.sources=. \
            -Dsonar.java.binaries=target/classes \
            -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
            -Dsonar.login=${{ secrets.SONAR_TOKEN }}
- In the GitHub repo → Settings → Secrets and variables → Actions → add SONAR_TOKEN (the token generated in 3.2) and SONAR_HOST_URL (the URL of a SonarQube server the runner can reach; http://localhost:9000 on your desktop is not).
- Push to trigger the workflow.
Conclusion
You’ve installed SonarQube, scanned a real project, understood the results, and wired up CI. These practices reduce technical debt, improve maintainability, and strengthen security.