The Sonar Integration connects the JFrog Pipelines platform to Sonar for code analysis and write clean code.
This integration is explained using GitHub Integration (to connect pipelines.yml and Source Code to scan for code analysis) and Artifactory Integration or JFrog Platform Access Token Integration (will be deprecated soon) to use custom Docker image with SonarScanner CLI. They are optional and you can use alternative mechanisms that suit your project needs.
The following diagram illustrates the high-level overview of Integrations, Source and Pipeline.
Resources
The Sonar Integration must be used with CodeAnalysis Resource as mentioned in the example below.
The Code Analysis helps in:
Capturing Sonar Scan report.
Capturing Sonar Metrics
Linking Sonar Metrics with a Git Commit via Run, if used with a Git Resource.
- name: maven_app_sonar_report # name of the resource type: CodeAnalysis # codeAnalysis resource to capture sonar scan report configuration: integration: SonarIntegration # name of the Sonar Integration
Creating Sonar Integration
You can add this integration by following the Managing Pipelines Integrations page steps.
Prerequisites
Sonar Token with the privileges to Browse the project of specified components.
The following table shows the fields to be filled with the appropriate information to complete the Sonar Integration:
Field | Description | ||||
---|---|---|---|---|---|
Name | Enter a friendly name for the integration | ||||
Integration Type | Select Sonar from the drop-down. | ||||
Provider | In the Sonar Integration, Pipelines supports the following providers: Select the provider from the drop-down as per your choice. | ||||
URL | Enter the URL based on the selection of the provider. NoteIf you chose SonarCloud as a Provider, the URL is auto-populated. For Enterprise and Community editions provide the appropriate URL.
| ||||
Sonar Token | Enter the Token. NoteThis token must have privileges to Browse the project of specified components. |
Example
resources: - name: maven_app # name of the resource type: GitRepo configuration: path: jfrog/jfrog-pipelines gitProvider: GitHubIntegration branches: include: main - name: maven_app_pr1 # name of the resource type: GitRepo configuration: path: jfrog/jfrog-pipelines gitProvider: GitHubIntegration # name of the GitHub Integration buildOn: commit: false pullRequestCreate: true - name: maven_app_sonar_report # name of the resource type: CodeAnalysis # codeAnalysis resource to capture sonar scan report configuration: integration: SonarIntegration # name of the Sonar Integration pipelines: - name: sonar_integration_pipeline configuration: jfrogCliVersion: 2 steps: - name: scan # name of the step type: Bash configuration: inputResources: - name: maven_app outputResources: - name: maven_app_sonar_report integrations: - name: myArtifactory # name of the Artifactory Integration runtime: type: image image: custom: registry: myArtifactory # name of the Artifactory Integration sourceRepository: example-docker-local name: pipelines.jfrog.io/example-docker-local/sonar-scanner tag: latest execution: onExecute: - task: jfrog/sonar@v1.0.0 input: codeResourceName: maven_app_sonar_report gitResourceName: maven_app projectFolder: simple-java-maven-app-master # path of the app to scan gitBranch: main orgName: jfrogsonarcodeanalysis # name of the sonar organization projectKey: jfrogsonarcodeanalysis_mavenapp # name of the sonar project key - name: scan_pr # name of the step type: Bash configuration: inputResources: - name: maven_app_pr1 outputResources: - name: maven_app_sonar_report integrations: - name: myArtifactory runtime: type: image image: custom: registry: myArtifactory sourceRepository: example-docker-local name: pipelines.jfrog.io/example-docker-local/sonar-scanner tag: latest execution: onExecute: - task: jfrog/sonar@v1.0.0 # name of the task > sonar task input: codeResourceName: maven_app_sonar_report gitResourceName: maven_app_pr1 projectFolder: simple-java-maven-app-master gitBranch: main orgName: jfrogsonarcodeanalysis projectKey: jfrogsonarcodeanalysis_mavenapp extraSonarOptions: "-Dsonar.pullrequest.key=$res_maven_app_pr1_pullRequestNumber -Dsonar.pullrequest.branch=$res_maven_app_pr1_headCommitRef -Dsonar.pullrequest.base=$res_maven_app_pr1_pullRequestBaseBranch"
Note
orgName
and projectkey
can be found here from the Sonar Application.
References
Following are the references to learn more about the Sonar Integration:
Sonar Task and search for jfrog/sonar task.
View SonarQube Results
After successful run of the pipeline, navigate to the Pipelines > MyPipelines > Your Pipeline > Run > Code.
Here you can view overview of the sonar report. To learn more, click See more. It takes you to the Sonar Application.
View Code Insights
After successful run of the pipelines, you can also view insights of the code coverage and tests. To learn more, refer to CodeAnalysis Insights.