Basic principles of SonarQube analysis
For an introduction to the SonarQube analysis solution, see the main analysis steps and the concept definitions below.
The SonarQube code analysis process unfolds as follows:
Commit and trigger: A developer commits changes to their repository, which triggers the Continuous Integration (CI) pipeline.
Analysis start: The CI pipeline initiates the code analysis.
Scanning and setup: The SonarScanner scans the repository. It uses the analysis parameters configured for the bound SonarQube project to determine the code to be analyzed. It then instructs the language analyzer(s) to perform their analyses.
Analysis execution: Each analyzer executes its analysis based on the configured language-specific quality profile, which is a set of defined rules. The analyzer sends the results (issues and measures) back to the SonarScanner, which forwards this information to SonarQube.
Result processing: SonarQube processes the analysis results, distinguishing between new code and overall code.
It identifies, assigns, and surfaces new issues within the uploaded code. (SonarQube uploads the code during analysis to show users where issues are raised; unanalyzed changes are not visible.)
It calculates metrics and determines the quality gate status.
It generates reports.
Review and fix: Developers can review the raised issues in SonarQube. Using connected mode, they have the option to fix these issues directly within their Integrated Development Environment (IDE).

SonarScanner
Stand-alone program running on the CI/CD host that orchestrates the code analysis. It scans the code to retrieve the files to be analyzed according to the configured analysis parameters, sends these files to the analyzers for analysis, and forwards the analysis results to SonarQube.
The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, NPM, and Python. For other project types, the SonarScanner CLI, which requires more manual configuration, is used.
To learn more, see SonarScanner for Maven, SonarScanner for Gradle, SonarScanner for .NET, SonarScanner for NPM, SonarScanner for Python, SonarScanner CLI.
Analysis parameters
Parameters processed by the SonarScanner to manage the code analysis.
To learn more, see Configuration overview.
Project
Analyzing code with SonarQube involves creating a project in SonarQube. A project corresponds to a repository on your DevOps platform.
To learn more, see Organization's projects.
Language analyzer
Program running on the CI/CD host that executes code analysis. An analyzer is specific to a language or language family.
To learn more, see Supported languages.
Quality profile
A quality profile defines the set of rules to be applied by a given language analyzer during code analysis.
To learn more, see Understanding quality profiles.
Rule
Coding rules define how code should be written, formatted, and organized to ensure security, reliability, and maintainability.
To learn more, see SonarQube rules.
Issue
When a rule is broken, an issue is raised.
To learn more, see Issue identification and assignment by SonarQube.
New code
New code is code that you’ve recently added or modified. It is identified based on the New Code Definition.
SonarQube differentiates the analysis results on new code from overall code (overall code includes new and old code) to allow focusing your efforts on new code.
To learn more, see Focus on new code.
New Code Definition
The New Code Definition tells SonarQube which part of the code is considered new during analysis. It can be configured at the global, project, or branch level and several definition options are available.
To learn more, see New code definitions.
Quality gate
A quality gate consists of a set of conditions against which the code is measured during analysis. A condition is defined on either new code or overall code. Depending on the result, the code passes or fails the quality gate, giving developers an indication of whether they need to fix issues or can merge the code.
To learn more, see Understanding quality gates.
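The analysis parameters described above (project binding, the files the scanner hands to the analyzers, and the quality gate result) are typically set in a sonar-project.properties file read by the SonarScanner CLI. The following file is an added illustration, not taken from the SonarQube documentation; the project key, paths, server URL and branch layout are assumptions for a hypothetical "payments-api" service.

```properties
# sonar-project.properties, read by the SonarScanner CLI from the project root.
# Illustrative example (not from the SonarQube docs); project key, paths and
# server URL are assumptions for a hypothetical "payments-api" service.

# Binding: the SonarQube project that receives the results (must already exist).
sonar.projectKey=payments-api
sonar.projectName=Payments API

# Scope: the scanner walks these paths to decide which files the analyzers see.
# Anything matched by sonar.exclusions is never analyzed, so over-broad
# exclusions silently hide findings; keep them to generated and third-party code.
sonar.sources=src
sonar.tests=test
sonar.exclusions=**/generated/**,**/vendor/**
sonar.sourceEncoding=UTF-8

# Quality gate: make the scanner wait for the gate status and return a non-zero
# exit code when the gate fails, so a failing gate blocks the CI job (and the
# merge) instead of only being reported in the SonarQube UI.
sonar.qualitygate.wait=true
sonar.qualitygate.timeout=300

# The server URL may live in the file; the analysis token must not.
# Do not add sonar.token=... here (it would be committed with the repository).
# Provide the token through the SONAR_TOKEN environment variable from the
# CI system's secret store instead.
sonar.host.url=https://sonarqube.example.internal
```

With sonar.qualitygate.wait enabled, the CI step running sonar-scanner fails on a failed gate, which is what makes the gate an actual merge check rather than an advisory report.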
Metric
Quantitative, measurable indicators used by SonarQube Cloud to assess the quality, complexity, and security of your code.
To learn more, see Understanding measures and metrics.
Connected mode
Connected mode binds your SonarQube (Cloud, Server) or SonarQube Community Build project to your IDE project through SonarQube for IDE. This way, issues detected by SonarQube (Cloud, Server) or SonarQube Community Build are also raised in your IDE.
To learn more, see SonarQube for IDE.