In my previous blog post, I’ve outlined the value of SonarQube scans in your development pipeline: Essentially, SonarQube evaluates your code against a set of rules and suggests fixes for the issues found. Integrated into your SAP Continuous Integration and Delivery pipeline, it continuously checks your code’s quality and security, and thereby ensures your applications’ software compliance.
To store the SonarQube token credentials, create a new Secret Text credential in SAP Continuous Integration and Delivery and paste the SonarQube token (the value you use for the SONAR_TOKEN environment variable) into the Secret field. For more information, see Creating Credentials.
Either save or create your job.
As a result, you now receive a code analysis report on SonarQube with every new build of your job.
Before actually releasing your project, you might want to make sure that its current status meets your expectations. For this purpose, SonarQube lets you define sets of quality and security conditions – so-called quality gates – that must be met before your application is ready for production.
You can configure your SAP Continuous Integration and Delivery pipeline so that it checks the quality gate status and passes or fails accordingly. To do that, add the following line to the sonar-project.properties file in your source repository:
If the quality gate analysis of your project is successful, the Compliance stage in SAP Continuous Integration and Delivery passes as well. If it fails, the Compliance stage fails too, and your pipeline doesn't move on to the Release stage. For more information, see the SonarQube documentation.
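As an added example (not code from the original post or from the SAP pipeline itself), the following Python script shows the kind of check the Compliance stage performs: it reads the quality gate status that a SonarQube server reports through its Web API (`api/qualitygates/project_status`, with a user token sent as the HTTP basic auth username) and fails closed on anything other than an explicit OK. The server URL, project key, token, and the sample response are assumptions constructed for this example.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample of a project_status response; the shape follows the
# SonarQube Web API, the metric values are made up for this example.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
        ],
    }
}


def fetch_project_status(base_url, project_key, token):
    """Query the Web API for the quality gate status of one project.

    The user token is sent as the basic-auth username with an empty password.
    Returns the decoded JSON body (same shape as SAMPLE_RESPONSE).
    """
    query = urlencode({"projectKey": project_key})
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_quality_gate(payload):
    """Return (passed, failing_conditions) for a project_status payload.

    Only an explicit "OK" counts as a pass; "ERROR", "NONE" (no gate computed)
    and a missing or malformed payload all fail closed, so a misconfigured
    project cannot pass the Compliance stage silently.
    """
    status = payload.get("projectStatus", {})
    failing = [
        f"{c['metricKey']} {c.get('comparator')} {c.get('errorThreshold')}"
        f" (actual {c.get('actualValue')})"
        for c in status.get("conditions", []) if c.get("status") != "OK"
    ]
    return status.get("status") == "OK" and not failing, failing


if __name__ == "__main__":
    passed, failing = evaluate_quality_gate(SAMPLE_RESPONSE)
    print("quality gate:", "PASSED" if passed else "FAILED")
    for line in failing:
        print("  failing condition:", line)
    raise SystemExit(0 if passed else 1)
```

Replacing `SAMPLE_RESPONSE` with the result of `fetch_project_status(...)` against your own server turns the script into a gate step whose exit code a pipeline can act on.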
SonarQube scans in your CI/CD pipeline help you detect quality and security issues in your code as early as possible. This not only ensures that you meet your corporate compliance rules and policies, but also saves you valuable time and money (just think of searching for a needle in a haystack when some unexpected behavior only surfaces at the end of your development).