Introduction

SonarQube is an open source tool used to perform static code analysis on projects. In the context of my application, it runs within my Portainer system and is used whenever a new change is committed: within the Jenkins pipeline, SonarScanner runs and scans the changed code.

Execution

To set this up I added the SonarScanner plugin to my Jenkins pipeline.

https://i.imgur.com/H6pcOOc.png

Since it is a multi-module project, the scan configuration is fairly convoluted. It currently scans my microservices.

Authorization

Initially I created a new user in my SonarQube:

https://i.imgur.com/z1s8lBi.png

I then added the user to the Ramses project; but sadly, this failed. So instead, I created a new project, yoinked its login key (the project token) and put it in my own SonarScanner configuration. The result? This worked.
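As an added example (not the post's own pipeline), here is a declarative Jenkins pipeline that covers both points above: the multi-module scan configuration, passed to SonarScanner as properties, and the project token, which is bound from Jenkins credentials at run time instead of being written into the scanner configuration, so it never ends up in the repository or the build log. It assumes a SonarQube server named 'SonarQube' configured in Jenkins, a scanner installation named 'SonarScanner', a secret-text credential with id 'ramses-sonar-token' holding the project token, and two Maven-built Java services in the directories auth-service and order-service; the project key, module names, credential id and build tool are all placeholders.

```groovy
// Added example, not the original post's pipeline.
// Assumptions (placeholders): SonarQube server 'SonarQube' and scanner tool
// 'SonarScanner' are configured in Jenkins; credential 'ramses-sonar-token'
// is a secret-text credential holding the project token; the repository
// contains the Maven modules auth-service and order-service.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Compiled classes are needed by the Java analyzer (sonar.java.binaries).
                sh 'mvn -B -DskipTests package'
            }
        }
        stage('SonarQube analysis') {
            environment {
                SCANNER_HOME = tool 'SonarScanner'
            }
            steps {
                // withSonarQubeEnv injects SONAR_HOST_URL for the configured server.
                withSonarQubeEnv('SonarQube') {
                    // The token is exposed to the shell only for this step and is masked in the log.
                    withCredentials([string(credentialsId: 'ramses-sonar-token', variable: 'SONAR_TOKEN')]) {
                        // Single-quoted Groovy string: $SONAR_TOKEN is expanded by the shell,
                        // not interpolated by Groovy, so the secret does not leak into the script.
                        sh '''
                          "$SCANNER_HOME/bin/sonar-scanner" \
                            -Dsonar.projectKey=ramses \
                            -Dsonar.projectName=Ramses \
                            -Dsonar.login="$SONAR_TOKEN" \
                            -Dsonar.modules=auth-service,order-service \
                            -Dauth-service.sonar.projectBaseDir=auth-service \
                            -Dauth-service.sonar.sources=src/main/java \
                            -Dauth-service.sonar.java.binaries=target/classes \
                            -Dorder-service.sonar.projectBaseDir=order-service \
                            -Dorder-service.sonar.sources=src/main/java \
                            -Dorder-service.sonar.java.binaries=target/classes
                        '''
                    }
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Fail the build when the SonarQube quality gate (bugs, vulnerabilities,
                // security hotspots) is red, so findings block the merge rather than
                // only showing up in the dashboard.
                timeout(time: 5, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

The quality gate stage relies on a webhook in SonarQube pointing back at the Jenkins instance; without it waitForQualityGate waits until the timeout. If the token credential is attached to the server entry in Jenkins instead, withSonarQubeEnv also exposes it as SONAR_AUTH_TOKEN and the withCredentials wrapper can be dropped.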

Result

Due to the setup of the project, all new code is scanned automatically, provided the build succeeds from the initial commit onward.

https://i.imgur.com/OJIsHOk.png

According to the static code analysis, no critical security vulnerabilities were found; however, the critical and major bugs that were reported can be resolved easily in further iterations.