Friday, January 15, 2021

How to setup Quality gates in SonarQube | Add SonarQube quality gates to your Jenkins build pipeline

SonarQube is one of the popular static code analysis tools. SonarQube is open-source, Java based tool It also needs database as well - Database can be MySQL, Oracle or PostgreSQL.  We will use PostgreSQL as it is open source as well.  

SonarQube allows you to create quality gate to force the build to fail if some conditions are not met during code analysis.

Please see how to create quality gates in SonarQube:

What we will learn in this lab?

1. Learn how to setup a quality gate in SonarQube

2. How to force the build to fail in Jenkins when quality gate conditions are met?

Quality gates

In SonarQube a quality gate is a set of conditions that must be met in order for a project to be marked as passed.

Let us learn how to create quality gates in SonarQube and integrate with Jenkins during code scan.

Pre-requisites

Login to SonarQube, Click on Quality gate, enter some name

Once you create the quality gate. Click on Add condition. 


Select new bugs from the drop down and enter 1 as error


 Choose your Web App, by clicking on App. and select My WebApp

Setup a Default Gate

Configure webhooks in SonarQube

Click on Administration --> Configuration --> Webhooks

Enter Jenkins URL

Now to go Jenkins, create a pipeline job:

node {

    def mvnHome = tool 'Maven3'
    stage ("checkout")  {
     //enter your repo info
    }

     stage ('Build')  {
        sh "${mvnHome}/bin/mvn -f MyWebApp/pom.xml clean install"
   }
     stage ('Code Quality scan')  {
       withSonarQubeEnv('SonarQube') {
        sh "${mvnHome}/bin/mvn -f MyWebApp/pom.xml sonar:sonar"
        }
   }
   
     stage("Quality Gate") {
        timeout(time: 1, unit: 'HOURS') {
            waitForQualityGate abortPipeline: true
        }
  }       
}

Now you should see the Jenkins console output like this:



No comments:

Post a Comment

How to Configure GitHub Advanced Security for Azure DevOps | How to Perform Security scan for Azure Repos using GitHub Advanced Security

GitHub Advanced Security for Azure DevOps brings the  secret scanning, dependency scanning  and  CodeQL code scanning  solutions already ava...