==============================
Sonar Static Code Analysis
==============================

Introduction
------------

SonarQube is an open source tool used to perform static code analysis on projects. In the context of my application, it runs within my Portainer system and is triggered when a new change is committed: within the Jenkins pipeline, SonarScanner runs on and scans the changed code.

Execution
---------

To set this up I added the SonarScanner plugin to my Jenkins pipeline.

.. image:: https://i.imgur.com/H6pcOOc.png

Since it is a multi-module project, the scan configuration is fairly convoluted. It currently scans my microservices.

Authorization
-------------

Initially I created a new user in my SonarQube instance.

.. image:: https://i.imgur.com/z1s8lBi.png

I then added the user to the Ramses project, but sadly this failed. So instead I created a new project, took its login key and put it in my own SonarScanner configuration. The result? This worked.

Result
------

Because of how the pipeline is set up, every new commit is scanned automatically, provided the build succeeds.

.. image:: https://i.imgur.com/OJIsHOk.png

According to the static code analysis, no critical *security* vulnerabilities were found; the critical and major bugs it did report can be resolved easily in further iterations.
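The post describes the pipeline and scanner configuration in the Execution and Authorization sections but does not show them. The following declarative Jenkinsfile is an added example, not the author's actual pipeline: it assumes a Maven build, two hypothetical microservice directories (``user-service``, ``order-service``), a SonarQube server registered in Jenkins under the name ``sonarqube``, and the project login token stored as a Jenkins secret-text credential with the hypothetical id ``sonarqube-project-token`` rather than pasted into the scanner configuration.

```groovy
// Added example Jenkinsfile (not from the original post). Assumed names:
//   'sonarqube'               - SonarQube server name in Manage Jenkins > System
//   'sonarqube-project-token' - Jenkins secret-text credential holding the project token
//   user-service, order-service - hypothetical microservice directories
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Analysis only runs if this stage succeeds, matching the post's setup
                sh 'mvn -B clean verify'
            }
        }

        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL from the plugin configuration
                withSonarQubeEnv('sonarqube') {
                    // The token comes from the credential store; a masked env var
                    // is passed to the scanner instead of a value committed to git.
                    withCredentials([string(credentialsId: 'sonarqube-project-token',
                                            variable: 'SONAR_TOKEN')]) {
                        // Single quotes: the shell, not Groovy, expands $SONAR_TOKEN,
                        // so the secret never ends up in a Groovy string or the build log.
                        sh '''
                            sonar-scanner \
                              -Dsonar.projectKey=ramses-microservices \
                              -Dsonar.projectName="Ramses microservices" \
                              -Dsonar.sources=user-service/src/main,order-service/src/main \
                              -Dsonar.tests=user-service/src/test,order-service/src/test \
                              -Dsonar.java.binaries=user-service/target/classes,order-service/target/classes \
                              -Dsonar.login=$SONAR_TOKEN
                        '''
                    }
                }
            }
        }

        stage('Quality gate') {
            steps {
                // Fails the build when the SonarQube quality gate fails. Requires a webhook
                // from SonarQube back to Jenkins (Administration > Configuration > Webhooks).
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

The point of the credential binding is that the project login key the post copies into the scanner configuration is a bearer token for the SonarQube API: anyone who reads the Jenkins job definition or the repository would otherwise be able to submit or tamper with analyses for that project. Binding it through ``withCredentials`` keeps it out of version control and masks it in the console output, and the quality gate stage turns the findings the post mentions into a build result the next iteration has to address.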