DevSecOps - Kubernetes DevOps & Security
DevSecOps Pipeline
Demo SonarQube Quality Gate
In this tutorial, we’ll show you how to integrate SonarQube quality gates into a Jenkins pipeline so that builds automatically pass or fail based on code quality metrics. We’ll use the SonarQube Scanner for Jenkins plugin to pause the pipeline for code analysis and enforce the gate status before proceeding.
Key Benefits
- Enforces coding standards automatically
- Fails builds on critical issues
- Provides real-time feedback on code smells, bugs, and vulnerabilities
Prerequisites
| Requirement | Details |
|---|---|
| SonarQube Scanner for Jenkins (v2.13.1+) | Installed via Manage Plugins |
| SonarQube instance | Accessible URL (Community, Developer, or Enterprise edition) |
| Jenkins webhook | Configured in SonarQube Administration → Webhooks |
| Jenkins credentials | SonarQube auth token added as a Secret Text credential |
Note
Ensure you have administrative access in both Jenkins and SonarQube to configure plugins, credentials, and webhooks.
1. Verify SonarQube Scanner Plugin
In Jenkins, navigate to Manage Jenkins → Manage Plugins, then open the Installed tab to confirm that SonarQube Scanner for Jenkins is listed:
If it’s missing, install SonarQube Scanner for Jenkins from the Available tab and restart Jenkins.
2. Configure SonarQube Server in Jenkins
- In your SonarQube user profile, generate an authentication token.
- In Jenkins, go to Credentials → System → Global credentials and add a new Secret Text credential with your token:
Next, under Manage Jenkins → Configure System, scroll to SonarQube servers and add:
- Name: SonarQube
- Server URL: https://<your-sonarqube-host>
- Server authentication token: Select your Secret Text credential
You can now review existing project gates in SonarQube. Here’s an example of a failed gate due to excessive code smells:
3. Add SonarQube Webhook
In SonarQube, go to Administration → Configuration → Webhooks:
- Name: Jenkins webhook
- URL: https://<your-jenkins-host>/sonarqube-webhook/
- (Optional) Secret if you want to secure payloads
Save and verify it appears in the list:
4. Create Declarative Jenkins Pipeline
Place the following Jenkinsfile at the root of your repository. It:
- Checks out source code
- Runs Maven build & SonarQube analysis
- Waits for the quality gate result (abortPipeline: true stops the build on failure)
- Builds and pushes a Docker image
```groovy
pipeline {
    agent any
    stages {
        stage('Checkout SCM') {
            steps {
                git url: 'https://github.com/foo/bar.git'
            }
        }
        stage('Build & Analyze') {
            steps {
                // 'SonarQube' must match the server name configured in step 2;
                // the wrapper injects the server URL and token for the scanner.
                withSonarQubeEnv('SonarQube') {
                    withMaven(maven: 'Maven 3.5') {
                        sh 'mvn clean package sonar:sonar'
                    }
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Blocks until the SonarQube webhook (step 3) reports the gate
                // result; abortPipeline: true fails the build if the gate is not OK.
                timeout(time: 1, unit: 'HOURS') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Docker Build & Push') {
            steps {
                // Reached only if the gate passed. GIT_COMMIT is expanded by the
                // shell from the environment Jenkins sets during checkout.
                withDockerRegistry([credentialsId: 'docker-hub', url: '']) {
                    sh 'docker build -t sidharth67/numeric-app:${GIT_COMMIT} .'
                    sh 'docker push sidharth67/numeric-app:${GIT_COMMIT}'
                }
            }
        }
    }
}
```
Commit and push this file to your Git repo to trigger a new build.
Warning
If the quality gate fails, the pipeline will abort at the Quality Gate stage. Inspect and resolve all reported issues before retrying.
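To make the webhook secret from step 3 and the gate decision from step 4 concrete, here is an added example (not code from the tutorial or from SonarQube/Jenkins) that verifies the HMAC-SHA256 signature SonarQube sends in the X-Sonar-Webhook-HMAC-SHA256 header when a secret is set, then reads the quality gate status from the payload the way the Quality Gate stage relies on it. The payload, secret and project key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample of the JSON SonarQube posts to the webhook URL after an
# analysis; field names follow the SonarQube webhook payload format.
SAMPLE_PAYLOAD = json.dumps({
    "serverUrl": "https://sonarqube.example.com",
    "taskId": "task-0001",
    "status": "SUCCESS",
    "project": {"key": "numeric-app", "name": "numeric-app"},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_code_smells", "operator": "GREATER_THAN",
             "value": "12", "errorThreshold": "0", "status": "ERROR"},
            {"metric": "new_bugs", "operator": "GREATER_THAN",
             "value": "0", "errorThreshold": "0", "status": "OK"},
        ],
    },
}).encode()

# The optional Secret configured on the webhook in SonarQube (constructed value).
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign(payload: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, as carried in the
    X-Sonar-Webhook-HMAC-SHA256 header when a webhook secret is configured."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, header_value: str, secret: bytes) -> bool:
    """Constant-time comparison so a forged or tampered delivery is rejected."""
    return hmac.compare_digest(sign(payload, secret), header_value)


def evaluate_gate(payload: bytes, header_value: str, secret: bytes) -> dict:
    """Accept only authentic deliveries, then decide whether the build may proceed.
    A gate status other than OK is what makes waitForQualityGate abort the pipeline."""
    if not verify_signature(payload, header_value, secret):
        return {"accepted": False, "passed": False, "failed_conditions": []}
    gate = json.loads(payload)["qualityGate"]
    failed = [c["metric"] for c in gate.get("conditions", []) if c["status"] == "ERROR"]
    return {"accepted": True, "passed": gate["status"] == "OK", "failed_conditions": failed}
```

Without the signature check, anything that can reach the Jenkins webhook URL could post a fabricated "OK" gate result, so set the Secret rather than leaving it empty.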
5. Diagnose Quality Gate Failures
When the pipeline fails at the gate, open SonarQube to see detailed issues:
Common findings include unused imports and code smells:
Refactor or remove the offending lines, then commit and push again.
6. Confirm Quality Gate Pass
After addressing issues, trigger a new build. A successful SonarQube analysis will pass the gate:
You can review any remaining non-blocking issues here: