The Sonar Integration connects JFrog Pipelines to Sonar (SonarCloud, or a SonarQube Enterprise or Community edition) so that a pipeline run can trigger code analysis and capture its results.
This page explains the integration using a GitHub Integration (to fetch pipelines.yml and the source code to be analysed) together with either an Artifactory Integration or a JFrog Platform Access Token Integration (to be deprecated soon) for pulling a custom Docker image that contains the SonarScanner CLI. Both are optional; you can use any alternative mechanism that suits your project. The Sonar token itself is stored in the integration and referenced by name from pipelines.yml, so it never appears in source control.
The following diagram illustrates the high-level overview of Integrations, Source and Pipeline.
Resources
The Sonar Integration must be used together with a CodeAnalysis resource, as in the example below.
The CodeAnalysis resource is used for:
- Capturing the Sonar scan report.
- Capturing Sonar metrics.
- Linking the Sonar metrics to a Git commit via the run, when the step also consumes a Git resource.
```yaml
- name: maven_app_sonar_report      # name of the resource
  type: CodeAnalysis                 # CodeAnalysis resource that captures the Sonar scan report
  configuration:
    integration: SonarIntegration    # name of the Sonar Integration
```
Creating Sonar Integration
You can add this integration by following the Managing Pipelines Integrations page steps.
Prerequisites
A Sonar token with the Browse permission on the project(s) to be analysed. Browse is all the task needs to read results; do not use an administrator token.
The following table shows the fields to be filled in to complete the Sonar Integration:
| Field | Description |
|---|---|
| Name | Enter a friendly name for the integration. |
| Integration Type | Select Sonar from the drop-down. |
| Provider | Select the provider from the drop-down: SonarCloud, or the SonarQube (Enterprise or Community) edition you run. |
| URL | Enter the Sonar server URL for the selected provider. Note: if you chose SonarCloud, the URL is auto-populated; for Enterprise and Community editions, enter the URL of your own server. |
| Sonar Token | Enter the token. Note: this token must have the Browse permission on the project(s) to be analysed. |
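Before wiring the token into the integration it is worth confirming that it really can Browse the project you will point the task at, since a token that lacks that permission only fails once the pipeline runs. The following pre-flight check is an added example and not part of the JFrog Pipelines documentation or product. It assumes the Sonar Web API endpoint `/api/components/show`, that the token is sent as the HTTP Basic username with an empty password (accepted by SonarQube and SonarCloud), and that the endpoint answers 200 with the component when the caller holds Browse, 401 for a bad token, and 403 (or, for some private projects, 404) when the permission is missing. The `FakeResponse` class and `demo()` function are constructed so the check can be exercised offline; `check_token` is the part you would run against a real server.

```python
"""Pre-flight check: can this Sonar token Browse the project the Sonar Integration reports on?

Added example, not JFrog's code. Assumed Sonar Web API behaviour:
  /api/components/show?component=<key>  -> 200 + component if the caller has Browse,
                                          401 bad token, 403 (sometimes 404) no Browse.
The token is read from the environment (SONAR_TOKEN); nothing here stores it.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def auth_header(token: str) -> str:
    """Sonar accepts the token as the Basic-auth username with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def classify_show_response(status: int, body: str, project_key: str) -> str:
    """Turn an /api/components/show reply into a one-word verdict."""
    if status == 401:
        return "invalid-token"
    if status == 403:
        return "no-browse-permission"
    if status == 404:
        return "project-not-found-or-not-browsable"
    if status != 200:
        return f"unexpected-http-{status}"
    component = json.loads(body).get("component", {})
    if component.get("key") != project_key:
        return "wrong-component"
    if component.get("qualifier") != "TRK":  # TRK = a project, not a directory or file
        return "not-a-project"
    return "ok"


def check_token(base_url: str, token: str, project_key: str,
                opener=urllib.request.urlopen) -> str:
    """Call /api/components/show with the token and classify the outcome."""
    url = (f"{base_url.rstrip('/')}/api/components/show"
           f"?component={urllib.parse.quote(project_key, safe='')}")
    request = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    try:
        with opener(request) as response:
            return classify_show_response(response.status, response.read().decode(), project_key)
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx; classify those too
        return classify_show_response(err.code, err.read().decode(errors="replace"), project_key)


class FakeResponse:
    """Constructed stand-in for urlopen's response so the check runs offline."""
    def __init__(self, status: int, body: str):
        self.status, self._body = status, body.encode()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return self._body


def demo() -> dict:
    """Run the check against constructed replies for the page's example project key."""
    key = "jfrogsonarcodeanalysis_mavenapp"
    replies = {
        "good token": FakeResponse(200, json.dumps({"component": {"key": key, "qualifier": "TRK"}})),
        "token without Browse": FakeResponse(403, '{"errors":[{"msg":"Insufficient privileges"}]}'),
        "revoked token": FakeResponse(401, ""),
    }
    return {name: check_token("https://sonarcloud.io", "tok", key, opener=lambda _r, r=reply: r)
            for name, reply in replies.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python sonar_token_check.py <base_url> <project_key>
        print(check_token(sys.argv[1], os.environ["SONAR_TOKEN"], sys.argv[2]))
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

Run it as `SONAR_TOKEN=... python sonar_token_check.py https://sonarcloud.io <projectKey>` with the same project key you will put in the task's `projectKey` input; anything other than `ok` means the integration will not be able to read the results. The check deliberately asks only for the project component, so a token with no more than Browse passes it.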
Example
```yaml
resources:
  - name: maven_app                          # name of the resource
    type: GitRepo
    configuration:
      path: jfrog/jfrog-pipelines
      gitProvider: GitHubIntegration         # name of the GitHub Integration
      branches:
        include: main
  - name: maven_app_pr1                      # name of the resource
    type: GitRepo
    configuration:
      path: jfrog/jfrog-pipelines
      gitProvider: GitHubIntegration         # name of the GitHub Integration
      buildOn:
        commit: false
        pullRequestCreate: true
  - name: maven_app_sonar_report             # name of the resource
    type: CodeAnalysis                       # CodeAnalysis resource that captures the Sonar scan report
    configuration:
      integration: SonarIntegration          # name of the Sonar Integration

pipelines:
  - name: sonar_integration_pipeline
    configuration:
      jfrogCliVersion: 2
    steps:
      - name: scan                           # name of the step
        type: Bash
        configuration:
          inputResources:
            - name: maven_app
          outputResources:
            - name: maven_app_sonar_report
          integrations:
            - name: myArtifactory            # name of the Artifactory Integration
          runtime:
            type: image
            image:
              custom:
                registry: myArtifactory      # name of the Artifactory Integration
                sourceRepository: example-docker-local
                name: pipelines.jfrog.io/example-docker-local/sonar-scanner
                tag: latest
        execution:
          onExecute:
            - task: jfrog/sonar@v1.0.0
              input:
                codeResourceName: maven_app_sonar_report
                gitResourceName: maven_app
                projectFolder: simple-java-maven-app-master   # path of the app to scan
                gitBranch: main
                orgName: jfrogsonarcodeanalysis               # name of the Sonar organization
                projectKey: jfrogsonarcodeanalysis_mavenapp   # Sonar project key
      - name: scan_pr                        # name of the step
        type: Bash
        configuration:
          inputResources:
            - name: maven_app_pr1
          outputResources:
            - name: maven_app_sonar_report
          integrations:
            - name: myArtifactory
          runtime:
            type: image
            image:
              custom:
                registry: myArtifactory
                sourceRepository: example-docker-local
                name: pipelines.jfrog.io/example-docker-local/sonar-scanner
                tag: latest
        execution:
          onExecute:
            - task: jfrog/sonar@v1.0.0       # name of the task > sonar task
              input:
                codeResourceName: maven_app_sonar_report
                gitResourceName: maven_app_pr1
                projectFolder: simple-java-maven-app-master
                gitBranch: main
                orgName: jfrogsonarcodeanalysis
                projectKey: jfrogsonarcodeanalysis_mavenapp
                extraSonarOptions: "-Dsonar.pullrequest.key=$res_maven_app_pr1_pullRequestNumber -Dsonar.pullrequest.branch=$res_maven_app_pr1_headCommitRef -Dsonar.pullrequest.base=$res_maven_app_pr1_pullRequestBaseBranch"
```
Note
The values for orgName and projectKey can be found in the Sonar application (organization and project settings). The second step passes the pull request number, head ref and base branch from the maven_app_pr1 resource's environment variables as sonar.pullrequest.* options so that Sonar analyses the change as a pull request rather than as the main branch. The example pulls the scanner image as `tag: latest` for brevity; in practice pin a specific image tag so that every run analyses with the same scanner version.
References
The following references provide more information about the Sonar Integration:
Sonar task: in the Pipelines tasks documentation, search for the jfrog/sonar task.
View SonarQube Results
After a successful run of the pipeline, navigate to Pipelines > My Pipelines > Your Pipeline > Run > Code.
Here you can view an overview of the Sonar report. To see the full report, click See more, which takes you to the Sonar application.
View Code Insights
After a successful run of the pipeline, you can also view insights into code coverage and tests. To learn more, refer to CodeAnalysis Insights.