What is SonarQube and what is its purpose?
Answer
Overview
SonarQube is an open-source platform for continuous code quality inspection. It performs static code analysis to detect bugs, code smells, security vulnerabilities, and technical debt — automatically during every CI/CD pipeline run.
What SonarQube Does
```text
Source Code → SonarQube Analysis → Quality Report
                                        ↓
                                    Detects:
  • Bugs (logic errors likely to cause failures)
  • Code Smells (maintainability issues)
  • Security Vulnerabilities (OWASP checks)
  • Code Duplication
  • Test Coverage gaps
  • Technical Debt estimate
```
Key Concepts
| Concept | Description |
|---|---|
| Quality Gate | Pass/Fail threshold — blocks deployment if code quality drops below standard |
| Quality Profile | Set of rules applied to code (customizable) |
| Code Smell | Code that compiles and works but is hard to maintain (long methods, deep nesting) |
| Technical Debt | Estimated time to fix all issues |
| Coverage | % of code covered by tests |
| Duplication | % of code that is duplicated |
SonarQube in CI/CD (GitHub Actions)
```yaml
# .github/workflows/sonar.yml
name: SonarQube Analysis
on: [push, pull_request]
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarQube can compute "new code"
      - name: Analyze with SonarQube
        uses: SonarSource/sonarqube-scan-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.projectKey=my-flutter-app
            -Dsonar.sources=lib
            -Dsonar.tests=test
            -Dsonar.dart.coverage.reportPaths=coverage/lcov.info
```
SonarLint (IDE Plugin)
SonarLint is the local IDE version of SonarQube — shows issues in real-time while you code:
```text
VS Code        → Extensions → Install SonarLint
Android Studio → Preferences → Plugins → SonarLint

Highlights:
- Red underlines for bugs
- Yellow for code smells
- Purple for security issues
- Shows fix suggestions inline
```
Quality Gate Example
```text
Quality Gate: FAILED ❌

New Code:
  ✅ Coverage >= 80%        → 85%     PASSED
  ❌ Bugs = 0               → 3 bugs  FAILED
  ✅ Code Smells < 10       → 7       PASSED
  ❌ Security Hotspots = 0  → 2       FAILED
```
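The gate report above is what SonarQube renders for you; a pipeline that wants to block a deploy on it has to read the verdict programmatically. The script below is an added example, not code from the original answer or from SonarSource: it parses the JSON shape returned by SonarQube's Web API endpoint `/api/qualitygates/project_status` (a `projectStatus.status` field plus a list of `conditions`, each with `metricKey`, `comparator`, `errorThreshold` and `actualValue`), re-checks every condition from its numbers, and returns the exit code a CI step would use. The payload embedded in it is constructed sample data that mirrors the report above, not a real scan result; the `new_*` metric keys are the ones SonarQube uses for "new code" conditions.

```python
"""Quality Gate check for CI, parsing SonarQube's project_status JSON.

Added example, not code from SonarQube or the original answer. It assumes the
response shape of the Web API endpoint /api/qualitygates/project_status
(projectStatus.status plus a list of conditions); the payload below is
constructed sample data, not a real scan result.
"""
import json
import sys

# Constructed sample payload mirroring the Quality Gate example above.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.0"},
            {"status": "ERROR", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_code_smells",
             "comparator": "GT", "errorThreshold": "10", "actualValue": "7"},
            {"status": "ERROR", "metricKey": "new_security_hotspots",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})


def condition_ok(cond: dict) -> bool:
    """Re-evaluate one condition from its numbers rather than trusting its status.

    The comparator names the direction that triggers an ERROR:
    GT -> error when actual > threshold, LT -> error when actual < threshold.
    A condition with no actualValue (metric never computed, e.g. no coverage
    report was uploaded) is treated as failed so the gate fails closed.
    """
    if "actualValue" not in cond:
        return False
    actual = float(cond["actualValue"])
    threshold = float(cond["errorThreshold"])
    comparator = cond["comparator"]
    if comparator == "GT":
        return actual <= threshold
    if comparator == "LT":
        return actual >= threshold
    raise ValueError(f"unknown comparator {comparator!r}")


def failed_metrics(raw_json: str) -> list[str]:
    """Metric keys whose condition fails, in report order."""
    conditions = json.loads(raw_json)["projectStatus"].get("conditions", [])
    return [c["metricKey"] for c in conditions if not condition_ok(c)]


def gate_passed(raw_json: str) -> bool:
    """True only when the server verdict is OK and every condition re-checks clean."""
    status = json.loads(raw_json)["projectStatus"]["status"]
    return status == "OK" and not failed_metrics(raw_json)


def render_report(raw_json: str) -> str:
    """Text summary in the style of the Quality Gate example above."""
    project = json.loads(raw_json)["projectStatus"]
    lines = [f"Quality Gate: {'PASSED' if gate_passed(raw_json) else 'FAILED'}"]
    for c in project.get("conditions", []):
        op = ">=" if c["comparator"] == "LT" else "<="
        verdict = "PASSED" if condition_ok(c) else "FAILED"
        lines.append(f"  {c['metricKey']} {op} {c['errorThreshold']} "
                     f"-> {c.get('actualValue', 'n/a')} {verdict}")
    return "\n".join(lines)


def exit_code(raw_json: str) -> int:
    """0 lets the pipeline continue, 1 blocks the deploy step."""
    return 0 if gate_passed(raw_json) else 1


if __name__ == "__main__":
    # In CI, pipe the real API response in on stdin; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    print(render_report(data))
    sys.exit(exit_code(data))
```

Two design choices matter for a gate that is meant to be a "bouncer": the script fails closed when a metric was never computed (a missing coverage report must not read as a pass), and it re-derives each verdict from the numbers instead of trusting only the server's `status` string, so a misconfigured gate with no conditions cannot silently wave a build through.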
SonarQube vs SonarCloud
| | SonarQube | SonarCloud |
|---|---|---|
| Hosting | Self-hosted | Cloud (SaaS) |
| Cost | Free (Community) / Paid | Free for open-source |
| Setup | Requires server | No server needed |
| Integration | Any CI | GitHub, GitLab, Azure |
Purpose: SonarQube acts as a code quality "bouncer" — preventing low-quality code from reaching production by enforcing quality gates in your CI/CD pipeline. It helps teams maintain consistent code standards across large codebases.