Improving code quality
An approach to code quality that focuses on the code you're writing today, helping you improve quality and security incrementally with every change.
What is this approach?
SonarQube helps you improve code quality incrementally by focusing on the code you're actively writing and changing. Rather than tackling an entire legacy codebase at once, you focus on maintaining high standards in the new code you're working on today. SonarQube gives you the tools to set those standards and verify that your code meets them.
Focus on new code
Your focus is always on new code, meaning code that has been added or changed according to your new code definition, and on making sure the code you write today is production-ready and secure.
The new code definition can be set at different levels (global, project, and, starting in Developer Edition, at the branch level). Depending on the level at which your new code definition is set, you can change the starting point to fit your situation.
For more information on setting your new code definition, check out Defining new code.
Developer ownership
You aren't responsible for fixing every issue in the entire codebase. You own the quality and security of the new code you are working on today. If you add new issues, SonarQube automatically assigns them to you so you can maintain the quality of your code.
For more information on issues and how they are assigned, check out the Issues page.
Quality gate
Your quality gate is a set of conditions that tells you whether or not your project is ready for release. To get the most value from focusing on new code, your quality gate should:
Focus on new code metrics – When your quality gate is set to focus on new code metrics (like the built-in Sonar way quality gate), new features will be delivered at a consistently high standard. As long as your quality gate is green, your releases will continue to improve.
Set and enforce high standards – When standards are set and enforced on new code, you aren't burdened by having to remediate someone else's old code. You can take pride in meeting high standards in your code. If a project doesn't meet these standards, it won't pass the quality gate and is not ready to be released.
Be a reliable measure of code quality – A consistently passing quality gate gives you a clear, trustworthy signal that developers are maintaining high standards on all new code.
For more information on quality gates, check out the Quality gates page.
Recommended quality gate conditions
A quality gate focused on new code helps you deliver production-ready code incrementally. The following conditions are recommended:
No new bugs are introduced
No new vulnerabilities are introduced
All new security hotspots are reviewed
New code has limited technical debt
New code has limited duplication
New code is properly covered by tests
For more information, see Quality gates.
To maintain your focus on new code, we do not recommend adding conditions for overall code to your quality gate.
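An added example (not from the SonarQube documentation) that audits a quality gate definition against the recommendations above: it flags conditions on overall code and reports recommended new-code conditions that are missing. The JSON shape (`conditions` entries with `metric`, `op`, `error`) and the mapping from each recommendation to metric keys are assumptions; the sample gate is constructed.

```python
import json

# Assumed mapping: each recommended condition -> metric keys that satisfy it.
# Adjust to the metrics your SonarQube version and gate actually use.
RECOMMENDED = {
    "no new bugs": {"new_reliability_rating", "new_bugs"},
    "no new vulnerabilities": {"new_security_rating", "new_vulnerabilities"},
    "hotspots reviewed": {"new_security_hotspots_reviewed"},
    "limited technical debt": {"new_maintainability_rating"},
    "limited duplication": {"new_duplicated_lines_density"},
    "test coverage": {"new_coverage"},
}

def audit_gate(gate):
    """Return overall-code conditions and missing recommended conditions."""
    metrics = [c["metric"] for c in gate.get("conditions", [])]
    # Conditions on overall code: metric key lacks the new-code prefix.
    overall = sorted(m for m in metrics if not m.startswith("new_"))
    present = set(metrics)
    missing = sorted(name for name, keys in RECOMMENDED.items()
                     if not keys & present)
    return {"overall_conditions": overall,
            "missing": missing,
            "ok": not overall and not missing}

# Constructed sample gate definition (not taken from a real server).
SAMPLE_GATE = json.loads("""
{"name": "team-gate (constructed sample)",
 "conditions": [
  {"metric": "new_reliability_rating", "op": "GT", "error": "1"},
  {"metric": "new_security_rating", "op": "GT", "error": "1"},
  {"metric": "new_maintainability_rating", "op": "GT", "error": "1"},
  {"metric": "new_coverage", "op": "LT", "error": "80"},
  {"metric": "coverage", "op": "LT", "error": "60"}
 ]}
""")

if __name__ == "__main__":
    report = audit_gate(SAMPLE_GATE)
    for metric in report["overall_conditions"]:
        print(f"overall-code condition (not recommended): {metric}")
    for name in report["missing"]:
        print(f"missing recommended condition: {name}")
    print("gate follows recommendations" if report["ok"] else "gate needs review")
```

Run it in CI against an exported gate definition so that drift from the new-code focus shows up as a failed check.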
Pull request analysis
You can use pull request analysis and pull request decoration to make sure that your code meets your standards before merging. Pull request analysis lets you see your pull request's quality gate in the SonarQube UI. You can then decorate your pull requests with SonarQube issues directly in your DevOps platform's interface.
For more information on setting up pull request analysis and pull request decoration, see the documentation on Pull request analysis.
Potential drawbacks of stricter quality gates
The recommended quality gate is designed to maintain high code quality standards with the least amount of friction in the development process. Adding more conditions may lead to bottlenecks in the pace of development with minimal benefit. You also run the risk of an ignored quality gate because frequent failures may cause a debate on which conditions to prioritize.
Adding conditions on overall code will also shift developer attention away from new code toward old code, making it harder for developers to take ownership of the work they're doing today.

