DevSecOps - Kubernetes DevOps & Security

DevSecOps Pipeline

Demo SonarQube

In this guide, you’ll learn how to integrate SonarQube static analysis into a Jenkins pipeline for a Spring Boot application. We’ll cover:

  • Starting SonarQube in Docker
  • Creating and configuring a SonarQube project
  • Running analysis locally with Maven
  • Embedding SonarQube in your Jenkinsfile
  • Enforcing custom quality gates

Prerequisites

  • Docker installed and running
  • Jenkins server with Docker and Pipeline plugins
  • Maven project for your Spring Boot application

Note

Ensure your SonarQube Docker container always listens on port 9000 after VM restarts.

1. Start and Verify SonarQube Container

Run SonarQube in Docker:

docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

Confirm the container is up:

docker ps -a | grep -i sonar
# Expected:
# 5b47910fdc73 sonarqube:latest "bin/run.sh bin/sona…" Up 13 minutes 0.0.0.0:9000->9000/tcp sonarqube

2. Log In and Create a New Project

Open your browser at http://<VM_IP>:9000. Log in with the default admin credentials:

  • Username: admin
  • Password: admin

Warning

Change the default password immediately to secure your SonarQube instance.

Once logged in, click Create new project:

The image shows a SonarQube dashboard with no projects analyzed yet, prompting the user to add a project. The interface includes filters for quality gate, reliability, security, and maintainability metrics.

Fill in the Project key and Display name (e.g., numeric-application), then generate a token (e.g., Jenkins Pipeline):

The image shows a SonarQube interface for creating a new project, with fields for "Project key" and "Display name" being filled out. The browser window displays various tabs and bookmarks.

3. Run Local Analysis with Maven

Select Maven as your build tool. Copy and customize the displayed command:

The image shows a SonarQube dashboard for a project named "numeric-application," with options to run analysis using different build tools like Maven, Gradle, and .NET. A person’s profile picture is visible in the top right corner.

mvn sonar:sonar \
  -Dsonar.projectKey=numeric-application \
  -Dsonar.host.url=http://devsecops-demo.eastus.cloudapp.azure.com:9000 \
  -Dsonar.login=YOUR_SONAR_TOKEN

You can run this locally to verify successful analysis before Jenkins integration.

4. Integrate SonarQube into Jenkins Pipeline

Add a SonarQube stage in your Jenkinsfile after unit and mutation test stages.

StagePurpose
Unit TestsExecute JUnit tests and collect coverage
Mutation TestsRun PIT mutation testing
SonarQube – SASTPerform static code analysis with SonarQube
Docker Build and PushBuild Docker image and push to registry
pipeline {
  agent any
  environment {
    SONAR_TOKEN = credentials('sonar-token')
  }
  stages {
    stage('Unit Tests - JUnit and JaCoCo') {
      steps {
        sh 'mvn test'
      }
      post {
        always {
          junit 'target/surefire-reports/*.xml'
          jacoco execPattern: 'target/jacoco.exec'
        }
      }
    }
    stage('Mutation Tests - PIT') {
      steps {
        sh 'mvn org.pitest:pitest-maven:mutationCoverage'
      }
      post {
        always {
          pitmutation mutationStatsFile: '**/target/pit-reports/**/mutations.xml'
        }
      }
    }
    stage('SonarQube - SAST') {
      steps {
        sh 'mvn clean package -DskipTests=true'
        archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
        sh """
          mvn sonar:sonar \
            -Dsonar.projectKey=numeric-application \
            -Dsonar.host.url=http://devsecops-demo.eastus.cloudapp.azure.com:9000 \
            -Dsonar.login=${SONAR_TOKEN}
        """
      }
    }
    stage('Docker Build and Push') {
      steps {
        withDockerRegistry([credentialsId: 'docker-hub', url: '']) {
          sh 'docker build -t siddharth67/numeric-app:${GIT_COMMIT} .'
          sh 'docker push siddharth67/numeric-app:${GIT_COMMIT}'
        }
      }
    }
    // Add deployment stages below
  }
}

Commit and push your Jenkinsfile. Jenkins will trigger a build and execute the new SonarQube stage:

The image shows a Jenkins pipeline dashboard with a stage view of a build process, including stages like "Checkout SCM," "Build Artifact," and "Unit Tests." There are graphs for test results and code coverage trends, and a sidebar with build history.

5. Review Analysis Results in SonarQube

After pipeline completion, go back to SonarQube to inspect metrics and quality gate status:

The image shows a SonarQube dashboard with a "Passed" quality gate status, indicating no bugs, vulnerabilities, or security hotspots, and displaying code metrics like coverage and code smells.

Click Code Smells to explore issues such as unused imports:

The image shows a SonarQube dashboard displaying a list of code issues, specifically "Code Smells," with details such as severity, type, and suggested actions. The interface includes filters and navigation options on the left side.

6. Enforce Custom Quality Gates

Navigate to Quality Gates to define or modify pass/fail criteria:

The image shows a SonarQube Quality Gates interface with conditions for code quality metrics like coverage, duplicated lines, and ratings. It also includes a browser window with tabs and a user profile picture.

Create a new gate (e.g., Custom Quality Gate), set it as default, and add conditions:

  • Overall code smells ≤ 12
  • Overall coverage ≥ 60%

The image shows a SonarQube interface displaying a custom quality gate with conditions for code metrics, such as "Code Smells" and "Condition Coverage." The interface includes options to edit or delete these conditions.

Rerun the pipeline. Initially, you may still see Passed—the first condition applies to new code only:

The image shows a SonarQube dashboard with a "Passed" quality gate status, indicating no bugs, vulnerabilities, or security hotspots, but 14 code smells.

Adjust the code-smells condition to Overall code smells > 12:

The image shows a SonarQube interface displaying a custom quality gate with conditions on new and overall code, including metrics for code smells and condition coverage. The interface includes options to edit or delete these conditions.

Run the pipeline again. Once SonarQube processes the report, the gate will Fail due to excessive code smells:

The image shows a SonarQube dashboard with a "Failed" quality gate status due to code smells exceeding the threshold. It displays metrics for new code, including no new bugs, vulnerabilities, or security hotspots.

Note

By default, Jenkins does not fail the build on a failed quality gate. To enforce build failure, install the Quality Gate Plugin or poll the SonarQube REST API in your pipeline.


References

Watch Video

Watch video content

Previous
SonarQube SAST