SonarQube analysis overview
With SonarQube, you can analyze your project’s main branch. Starting in the Developer Edition, you can analyze multiple branches and pull requests.
Code analysis with the SonarScanner
The SonarScanner performs the source code analysis. This stand-alone program runs on the CI/CD host and sends the analysis results to the SonarQube server, which computes them, calculates the quality gate, and generates reports.
To perform the analysis, the SonarScanner uses the language analyzers that it downloads from the SonarQube server at installation.
The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, NPM, and Python. For other project types, the SonarScanner CLI, which requires more manual configuration, is used.
Analysis process
The main steps of the analysis process are:
- Your build or CI pipeline starts the SonarScanner.
- The SonarScanner scans the local repository and determines the files to be analyzed according to the configured analysis scope.
- The scanner sends an analysis request to the respective language analyzer, which retrieves the files to be analyzed from the file system and analyzes them according to the configured quality profile.
- The analyzer sends the analysis results (quality measures and issues) to the scanner, which forwards them to the SonarQube Server in the form of a report.
- The SonarQube Server processes the analysis results asynchronously. It performs the following:
  - It identifies the new issues according to the configured New Code definition and raises them in both the new code and the overall code. The code is uploaded as part of the analysis, so users see the code on which the issues were raised; changes that were not analyzed are not visible.
  - It computes the quality gate.
  - It generates reports.
By default, only files that are recognized by your edition of SonarQube are loaded into the project during analysis. For example, if you're using SonarQube Community Edition, which includes analysis of Java and JavaScript, but not C++, all .java and .js files would be loaded, but .cpp files would be ignored.
Integration into your CI pipeline
By integrating the SonarQube analysis into your CI pipeline, you can use the following analysis features for your projects: main branch analysis, and, starting in Developer Edition, pull request analysis and multiple branch analysis.
The relevant CI pipeline steps with SonarQube integration are:
- A developer pushes changes on a branch to the remote repository.
- A CI pipeline is triggered for the specific branch. For this purpose, webhooks may be used when events occur in the Source Control Management (SCM) system, or the repository may be monitored by a CI/CD tool like Jenkins.
- The pipeline clones the remote repository and checks out the relevant branch to the local repository on the CI/CD host; both the code and the SCM metadata are copied.
- In the case of a compiled programming language, the pipeline builds the code.
- The pipeline executes the appropriate SonarScanner to analyze the code.
- The scanner sends the analysis results to the SonarQube Server, which processes them.
- Optionally, the Server sends the Quality Gate computation result to the CI pipeline.
- The pipeline continues if the Quality Gate succeeds, or stops otherwise.
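The scanner and quality gate steps above in working form, as an added example that is not SonarQube's own code: the scanner properties for a branch or pull request are built from CI variables, and the quality gate result the Server sends back is accepted only after its webhook signature (the X-Sonar-Webhook-HMAC-SHA256 header SonarQube adds when a webhook secret is configured) checks out. The CI variables PR_KEY, PR_BRANCH, PR_BASE and BRANCH_NAME, the secret and the payload are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample, modeled on the JSON body SonarQube posts to a configured
# webhook once the server has finished processing an analysis.
SAMPLE_PAYLOAD = json.dumps({
    "status": "SUCCESS",
    "project": {"key": "my-project"},
    "branch": {"name": "feature/login", "type": "BRANCH"},
    "qualityGate": {
        "name": "Sonar way", "status": "ERROR",
        "conditions": [
            {"metric": "new_coverage", "status": "ERROR", "errorThreshold": "80", "value": "72.5"},
            {"metric": "new_security_hotspots_reviewed", "status": "OK", "errorThreshold": "100", "value": "100"},
        ],
    },
}).encode()
SAMPLE_SECRET = "constructed-webhook-secret"  # a real pipeline reads this from its secret store


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, the value carried in X-Sonar-Webhook-HMAC-SHA256."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def evaluate_webhook(body: bytes, signature: str, secret: str):
    """Return (pipeline_may_continue, reasons). An unsigned or forged result is never trusted."""
    if not hmac.compare_digest(sign(body, secret), signature):
        return False, ["webhook signature mismatch: result not accepted"]
    payload = json.loads(body)
    if payload.get("status") != "SUCCESS":
        return False, [f"server-side analysis task ended with status {payload.get('status')}"]
    gate = payload["qualityGate"]
    failed = [f"{c['metric']}: {c['value']} (threshold {c['errorThreshold']})"
              for c in gate["conditions"] if c["status"] == "ERROR"]
    return gate["status"] == "OK", failed


def scanner_args(project_key: str, server_url: str, env: dict) -> list:
    """Scanner properties for the analysis step; PR_KEY/PR_BRANCH/PR_BASE/BRANCH_NAME are assumed CI variables."""
    args = [f"-Dsonar.projectKey={project_key}", f"-Dsonar.host.url={server_url}"]
    if env.get("PR_KEY"):  # pull request analysis (Developer Edition and above)
        args += [f"-Dsonar.pullrequest.key={env['PR_KEY']}",
                 f"-Dsonar.pullrequest.branch={env['PR_BRANCH']}",
                 f"-Dsonar.pullrequest.base={env['PR_BASE']}"]
    elif env.get("BRANCH_NAME"):  # branch analysis; omitted for a plain main-branch run
        args.append(f"-Dsonar.branch.name={env['BRANCH_NAME']}")
    return args  # the token stays in the SONAR_TOKEN environment variable, never on the command line
```
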