SonarQube

SonarQube is the leading tool for continuous inspection of code quality. It detects bugs, vulnerabilities (SAST), and code smells in over 30 programming languages.

When to Use

  • Code Quality Gates: "Block the merge if Code Coverage < 80%".
  • Technical Debt Management: Tracking "Code Smells" and duplication over time.
  • Vulnerability Detection: Finding SQL Injection, XSS, and hardcoded secrets in source code.

Quick Start (Docker)

docker run -d --name sonarqube -p 9000:9000 sonarqube:lts
# Login: admin/admin at http://localhost:9000 (the server forces a new admin password at first login)

# sonar-project.properties
sonar.projectKey=my-project
sonar.sources=src
sonar.host.url=http://localhost:9000
sonar.login=...
# sonar.login is deprecated in favour of sonar.token on SonarQube 10+. Either way, do not commit
# the token to the repository: pass it to the scanner through the SONAR_TOKEN environment variable in CI.

Core Concepts

Quality Gate

A set of conditions the project must meet (e.g., "No new Critical issues", "Coverage on New Code > 80%"). If the gate fails, the CI pipeline fails.
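The CI side of that rule, as an added example (not SonarQube's own code): a small script that reads the JSON returned by SonarQube's Web API endpoint GET /api/qualitygates/project_status?projectKey=... and exits non-zero when the gate is not OK, listing which conditions failed. The endpoint and the field names are the real ones; the sample payload is constructed for this example.

```python
"""Fail a CI step when the SonarQube Quality Gate is not OK.

Added example, not SonarQube's own code. It parses the response shape of
GET /api/qualitygates/project_status?projectKey=<key> (a real endpoint)
and turns it into an exit code plus a readable list of failed conditions.
"""
import json
import sys

# Constructed sample response: one passing and two failing conditions.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "63.4"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
})


def gate_passed(payload: str) -> bool:
    """True only for status OK. WARN, ERROR and NONE (no gate computed) all fail closed."""
    return json.loads(payload)["projectStatus"].get("status") == "OK"


def failed_conditions(payload: str) -> list[dict]:
    """Return the conditions whose status is ERROR, in the order SonarQube reports them."""
    status = json.loads(payload)["projectStatus"]
    return [c for c in status.get("conditions", []) if c.get("status") == "ERROR"]


def describe(cond: dict) -> str:
    """Render one condition: comparator LT means 'fails when actual < threshold', GT the reverse."""
    op = "<" if cond["comparator"] == "LT" else ">"
    return (f"{cond['metricKey']}: actual {cond['actualValue']} "
            f"(fails when {op} {cond['errorThreshold']})")


def evaluate(payload: str) -> int:
    """Print a short report and return the exit code the CI step should use."""
    if gate_passed(payload):
        print("Quality Gate: OK")
        return 0
    print("Quality Gate: FAILED")
    for cond in failed_conditions(payload):
        print("  -", describe(cond))
    return 1


if __name__ == "__main__":
    # Pipe the API response in; with no stdin (interactive run) the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    sys.exit(evaluate(raw))
```

In a pipeline the response would come from something like `curl -u "$SONAR_TOKEN:" "$SONAR_HOST/api/qualitygates/project_status?projectKey=my-project" | python gate_check.py`, run after the analysis background task has completed. The scanner can also do this wait-and-fail itself with the property `sonar.qualitygate.wait=true`; the script is useful when you want the failed conditions printed in the job log or when the gate is checked in a separate job from the scan.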

Clean Code

Sonar's methodology: code is assessed against four attributes, Consistent, Intentional, Adaptable, and Responsible.

SonarLint

IDE extension that runs Sonar rules locally while you type, so issues are fixed before they are committed.

Best Practices (2025)

Do:

  • Focus on "New Code": It's hard to fix 5,000 old issues. Enforce strict gates on New Code to stop the leak.
  • Use SonarLint: Shift left. Fix it in the IDE.
  • Integrate with PRs: Decorate Pull Requests (GitHub/GitLab) with comments on specific lines.

Don't:

  • Don't ignore "Info" or "Minor" smells: They accumulate into a maintenance nightmare.
  • Don't include generated code: Exclude dist/, build/, and generated clients from the scan.
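The Quick Start properties file and the "Don't include generated code" item above can both be checked before the scan runs. The following is an added example, not part of SonarQube or of this page's configuration: a linter for sonar-project.properties that flags a credential committed in the file (sonar.login / sonar.token / sonar.password, which should instead come from the SONAR_TOKEN environment variable in CI), a plain-http server URL that would carry the token unencrypted, and generated directories missing from sonar.exclusions. The two property files are constructed samples; the token value is a placeholder.

```python
"""Lint sonar-project.properties for committed credentials and missing exclusions.

Added example, not SonarQube's own code. The property keys (sonar.login,
sonar.token, sonar.host.url, sonar.exclusions) are real scanner properties;
the sample files below are constructed.
"""

# Constructed "before": token committed, no exclusions.
SAMPLE_PROPERTIES = """\
# sonar-project.properties
sonar.projectKey=my-project
sonar.sources=src
sonar.host.url=http://localhost:9000
sonar.login=squ_EXAMPLE_TOKEN_NOT_REAL
"""

# Constructed "after": no token in the file (SONAR_TOKEN is exported by the CI job instead),
# and generated output excluded from analysis.
FIXED_PROPERTIES = """\
sonar.projectKey=my-project
sonar.sources=src
sonar.host.url=http://localhost:9000
sonar.exclusions=**/dist/**,**/build/**,**/generated/**
"""

CREDENTIAL_KEYS = ("sonar.login", "sonar.token", "sonar.password")
GENERATED_DIRS = ("dist", "build", "generated")  # the directories the page says to exclude


def parse_properties(text: str) -> dict:
    """Minimal Java-properties reader: key=value lines, '#'/'!' comments, no escape handling."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def exclusion_patterns(props: dict) -> list[str]:
    """sonar.exclusions is a comma-separated list of glob patterns."""
    return [p.strip() for p in props.get("sonar.exclusions", "").split(",") if p.strip()]


def lint(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file passed."""
    props = parse_properties(text)
    findings = []
    for key in CREDENTIAL_KEYS:
        if props.get(key):
            findings.append(f"{key} is set in the file; remove it and export SONAR_TOKEN in the CI job instead")
    url = props.get("sonar.host.url", "")
    if url.startswith("http://") and not url.startswith(("http://localhost", "http://127.0.0.1")):
        findings.append("sonar.host.url is plain http; the token would be sent unencrypted, use https")
    patterns = exclusion_patterns(props)
    for d in GENERATED_DIRS:
        # A pattern such as **/dist/** or dist/** covers the directory; match on path segments.
        if not any(d in p.split("/") for p in patterns):
            findings.append(f"generated directory {d}/ is not excluded; add **/{d}/** to sonar.exclusions")
    return findings


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_PROPERTIES), ("after", FIXED_PROPERTIES)):
        print(f"{name}: {lint(text) or 'clean'}")
```

Run it as a pre-commit hook or as the first step of the analysis job, with the real file read from disk in place of the constructed samples. The localhost exception exists only for the Quick Start setup on a developer machine; against a shared server the URL should be https.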

Weekly Installs: 1 | GitHub Stars: 7 | First Seen: Feb 10, 2026