Install SonarQube in Kubernetes and Integrate it with Azure DevOps (Part 2)

Mr DevOps 🐳 ☸ ☁️ 🌐
5 min read · Mar 26, 2021

Set up SonarQube in Kubernetes and integrate it with Azure DevOps pipelines.

Table of contents

  1. Introduction
  2. Install SonarQube extension
  3. Configure the SonarQube extension
  4. Create a service connection
  5. Add code scan steps to CI pipeline
  6. Prepare analysis configuration (SonarQube plugin)
  7. Run code analysis (SonarQube plugin)
  8. Publish Quality Gate Result (SonarQube plugin)
  9. Create a pipeline quality gate
  10. Conclusion

1. Introduction

Hello everyone! In this article we complete the second part of the SonarQube implementation with Kubernetes and Azure DevOps: the server from Part 1 is wired into an Azure DevOps CI pipeline so that every build is scanned and the build fails when the quality gate is not met.

2. Install the SonarQube extension

The Azure DevOps marketplace provides a SonarQube extension that makes it easy to integrate SonarQube code quality and security scanning into your pipelines.

For more information on the SonarScanner for Azure DevOps, see the official SonarQube documentation:

https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-azure-devops/

SonarQube is already installed in our AKS cluster from Part 1. To let the Azure DevOps build agents reach it, expose it outside the cluster by changing the Service type to LoadBalancer or by adding an Ingress resource. Keep in mind that Microsoft-hosted agents connect from the internet, so put TLS in front of the server and restrict who can reach it (or run a self-hosted agent inside the same network): the scanner will be sending your source code and an authentication token to this endpoint.

Let's see how to use Azure DevOps to scan our code as part of the CI pipeline.

We will install the extension from the Azure DevOps marketplace:

Link:https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarqube

3. Configure the SonarQube extension

In Azure DevOps, follow these steps:

1- Go to Project Settings.

2- Choose Service connections (once the SonarQube extension has been installed from the marketplace, SonarQube appears as an option under New service connection).

3- Choose SonarQube as the connection type.

4- Configure the service connection.

Note:

1- For Server Url, enter the URL of your SonarQube server (the address you exposed in the previous section).

2- Generate a token in the SonarQube portal (your user account's Security page, Generate Tokens) and paste it into the service connection. The token is displayed only once, so keep a note of it. It is a credential that carries the permissions of the user who created it: do not commit it to the repository or put it in a plain (non-secret) pipeline variable.

Once done, create a project in the SonarQube portal and give it a name; SonarQube generates a project name and a project key for it. Keep both, because the scan tasks in the pipeline are configured with them.

5. Add code scan steps to the CI pipeline

The SonarQube extension adds the three tasks described below; together they make up the scan part of the pipeline.

6. Prepare analysis configuration

This task initializes the SonarQube scanner in the CI pipeline.

Select the service connection (endpoint) configured earlier and fill in the rest according to your project.

Choose the way of running the analysis that matches your project (MSBuild, Maven, ...). For anything else (Node.js, Python, ...), choose "Standalone scanner" and enter the project key and project name that SonarQube generated.

The first configuration above uses the classic pipeline editor and the second uses YAML; both configure the same task.

7. Run code analysis

We switch to YAML from here on, because we will need to add a script that fails the pipeline when the quality gate fails on the SonarQube server.

The task can also be added from the classic editor in the same way as the previous one; the configuration is the same.

8. Publish Quality Gate Result

The last step publishes the result of the scan and of the quality gate, so that the outcome of the code scan appears as a summary on the build result page. This step is not mandatory: even without it you can see the scan result in the SonarQube dashboard on the server. Note that the task waits for the server-side analysis to finish (analysis is asynchronous and runs in SonarQube's background task queue), which adds to the build time; that wait is also what makes the final gate status available to later steps of the same build. If you want the result shown in the build summary, add the step below to the pipeline.

So at the end, the full SonarQube scan part of the YAML file will look like below:

9. Create a pipeline quality gate

We want a script that fails the pipeline when the quality gate fails on the SonarQube server and lets it succeed when the gate passes.

a. Replace the username and password with your own. Better: create a SonarQube user token and store it as a secret pipeline variable instead of putting credentials in the YAML; plain values are used here only to keep the example easy to read.

b. Change projectKey to your own project key.

c. Create your own quality gate and quality profile for the project (this document uses the default "Sonar way" quality gate).

d. Run the pipeline. If the code was scanned successfully and satisfies the conditions of the quality gate, the pipeline succeeds; otherwise it fails because of our script.

e. Check the SonarQube portal to see the results of the SAST scan.
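As an added example (not the article's own YAML or script), the pipeline fragment below puts sections 6 to 9 together: the three SonarQube tasks followed by a Bash step that asks the server for the project's quality gate status and fails the job when it is anything other than OK. Instead of a username and password it authenticates with a user token kept in a secret pipeline variable. The service connection name sonarqube-aks, the project key and name my-app, the server URL, the variable SONAR_TOKEN and the task major versions (@5) are assumptions; replace them with your own values.

```yaml
# Added example, not the article's pipeline. Assumed names: service connection
# 'sonarqube-aks', project key/name 'my-app', the server URL below, and a secret
# pipeline variable SONAR_TOKEN holding a SonarQube user token.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  sonarHostUrl: 'https://sonarqube.example.com'   # assumed; the URL from the service connection
  sonarProjectKey: 'my-app'                        # assumed; the key SonarQube generated

steps:
  # 6. Prepare analysis configuration (standalone scanner, e.g. for Node.js or Python code)
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'sonarqube-aks'        # the service connection created in section 3
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: '$(sonarProjectKey)'
      cliProjectName: 'my-app'
      cliSources: '.'

  # 7. Run code analysis
  - task: SonarQubeAnalyze@5

  # 8. Publish Quality Gate Result: waits for the server-side analysis to finish and
  #    shows the gate in the build summary. Optional, but the wait is what guarantees
  #    the status read in step 9 belongs to this build and not to the previous one.
  - task: SonarQubePublish@5
    inputs:
      pollingTimeoutSec: '300'

  # 9. Pipeline quality gate: fail the job on any status other than OK
  - task: Bash@3
    displayName: 'Fail pipeline if SonarQube quality gate is not OK'
    env:
      # Secret variables are not exposed to scripts unless mapped explicitly.
      SONAR_TOKEN: $(SONAR_TOKEN)
    inputs:
      targetType: inline
      script: |
        set -euo pipefail
        # A user token is sent as the Basic-auth username with an empty password.
        # -f turns HTTP errors (wrong URL, token lacking Browse permission on the
        # project) into a failed step instead of an empty status.
        # jq is present on Microsoft-hosted Ubuntu agents.
        status=$(curl -fsS -u "${SONAR_TOKEN}:" \
          "$(sonarHostUrl)/api/qualitygates/project_status?projectKey=$(sonarProjectKey)" \
          | jq -r '.projectStatus.status')
        echo "SonarQube quality gate status: ${status}"
        case "${status}" in
          OK)
            exit 0 ;;
          NONE)
            # No gate has been computed for this project yet; do not pass silently.
            echo "##vso[task.logissue type=error]No quality gate result for $(sonarProjectKey)"
            exit 1 ;;
          *)
            # ERROR (or the deprecated WARN): break the build.
            echo "##vso[task.logissue type=error]Quality gate status is ${status}"
            exit 1 ;;
        esac
```

The token's user needs Browse permission on the project for api/qualitygates/project_status to answer; otherwise curl -f fails the step, which is the safe direction. If you drop the publish task, the analysis may still be queued on the server when the Bash step runs, so you would have to poll api/ce/task with the task id the scanner writes to .scannerwork/report-task.txt before reading the gate.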

10. Conclusion

We have now set up SonarQube inside Kubernetes, verified that it runs correctly, created a pipeline in Azure DevOps and integrated the SonarQube SAST scan into it, so the project is scanned on every build and the build fails when the quality gate is not met.

If you missed Part 1, please click here.

If you find this article helpful, please share it on your LinkedIn and tag my name.
