
Using SonarCloud: How to Integrate SonarCloud with Azure DevOps Pipeline


SonarCloud is a cloud-hosted static code analysis service that helps you build clean and safe applications. It assesses the health of your code at every stage of the software development life cycle (SDLC), detecting bugs, vulnerabilities and code smells early, when they are cheapest to fix. It integrates with the Azure DevOps pipeline: you push your code to the designated repository, set up the pipeline, and the code is analyzed as part of every build, before it is deployed to the staging or production environment. Because findings are reported on each build, while the change is still fresh, issues can be fixed before the code reaches an environment where exposure of your data would matter.

In this guide we will learn how to integrate Azure DevOps Services with SonarCloud:
- We will set up an Azure DevOps project and a CI/CD pipeline that integrates with SonarCloud.
- We will analyze the SonarCloud report.

You need:

  1. A Microsoft account to log in to Azure DevOps.
  2. An Azure DevOps organization.
  3. A new Azure DevOps project.

First, log in to your Microsoft account and continue to Azure DevOps (dev.azure.com).

[Image: Logging in to Azure DevOps]

Create your Azure DevOps Organization. In this guide, we are creating techdirectarchive as the Azure DevOps organization.

[Image: Giving your Azure DevOps organization a name]

If you plan to sign up for a paid SonarCloud plan (see below), set your Azure DevOps project to private. If you do not plan to pay, select public. An open-source project can safely be public, but if your code is intellectual property, a paid plan with a private project is the right choice, because SonarCloud's free plan only analyzes public projects whose source anyone can browse.

In this guide, the project is public.

[Image: Entering a project name and selecting its visibility]

You can import your repository from GitHub or from any other Git host, or push your code from your local computer to Azure Repos.
– Select Repos in your project overview:

[Image: Your project overview page]
[Image: Initializing your repository]

Follow the steps below if you are importing your repository from GitHub:
– Log in to GitHub, open the repository and copy its clone URL.

[Image: Your GitHub repository]

Paste the URL on the Clone URL box and click import.

[Image: Importing a repository from GitHub]

Once the import completes, the code is in your Azure DevOps repository and you can run a build on it.

[Image: Repos overview]
[Image: The imported code in the repository]

Alternatively, push an existing repository from the command line: open the application project in an IDE and run, in its terminal, the Git commands that Azure Repos shows under "Push an existing repository from command line".

[Image: The Git commands that push your code to the repository]
[Image: Pushing your source code from the IDE]

Next, install the SonarCloud extension in your Azure DevOps organization. Open the SonarCloud extension in the Visual Studio Marketplace and click Get it free.
– Select the organization to install it into, then proceed to the organization once the installation completes.

[Image: Marketplace overview]
[Image: Installing the SonarCloud extension]
[Image: SonarCloud extension installed]

You can sign in to SonarCloud with the same account you used for Azure DevOps.
– Sign in to SonarCloud at https://sonarcloud.io/ and choose Azure DevOps as the identity provider.

[Image: Logging in to SonarCloud and linking it with Azure DevOps]
[Image: Logging in to SonarCloud and linking it with Azure DevOps, continued]

Next, create an organization in SonarCloud and, within that organization, a new project. In this guide the SonarCloud organization and project are given the same names as the Azure DevOps organization and project, so that the binding between the two is easy to follow.

[Image: Creating an organization on SonarCloud]

Enter an existing Personal Access Token (PAT), or create one in Azure DevOps under User settings > Personal access tokens. SonarCloud uses this PAT to read your organization and repositories, so treat it as a secret: grant it only the scopes SonarCloud asks for, give it an expiry date, and revoke it if it is ever exposed.

[Image: Creating a Personal Access Token in Azure DevOps]
[Image: Creating a Personal Access Token in Azure DevOps, continued]

Once the PAT has been created you can import the organization details from Azure DevOps.
– Enter the key you plan to use for your organization and click Continue.

[Image: Importing the Azure DevOps organization into SonarCloud]

Choose a plan. On the Free plan every project you analyze is public, and anyone can browse its source code because access is not restricted.

The Paid plan allows unlimited private projects whose source code is not accessible to the public.
– Click Create Organization.

[Image: Choosing a Free or Paid plan on SonarCloud]

When you click Create new project, the Analyze projects – Select repositories page opens. It lists the Azure DevOps repositories in the organization you imported; select the ones you want to analyze.

Then click Set Up and choose Azure DevOps Pipelines. On the next page you can skip the SonarCloud extension installation step if you installed the extension earlier.

[Image: Linking your Azure DevOps repository with SonarCloud]

Next, select the technology stack used for your build. This determines how the Azure Pipeline will be configured.

[Image: Selecting your technology stack for the build]

Now create a new pipeline in Azure DevOps.

Follow the steps below in Azure DevOps to initialize your pipeline and link it to your repository.

Add a new SonarCloud Service Endpoint

  1. Go to Project settings > Service connections.
  2. Add a new service connection of the type SonarCloud.
  3. Use this token: enter the SonarCloud token shown on the SonarCloud setup page. The token is stored in the service connection, so it never has to appear in the pipeline definition or in the repository.
  4. Click Verify to check that the connection works.
[Image: Creating your first pipeline]
[Image: Configuring your service connections]
[Image: Adding the SonarCloud service connection]
[Image: Verifying the SonarCloud service connection]

On the Create your first Pipeline page, click the Create Pipeline button.

Select where your code is located and use it to create a pipeline, or use the classic editor. If your technology stack is .NET Core or ASP.NET Core, you can use the ".NET Core with SonarCloud" template, which builds your app with the SonarCloud tasks already in place.

From the Agent pool drop-down, select Azure Pipelines, and then select your Agent Specification.

[Image: Choosing where your code is]
[Image: Choosing a template for your pipeline]
[Image: Configuring your pipeline]

Follow these three steps to analyze your code in the pipeline.

1. Prepare Analysis Configuration

  1. Select the SonarCloud endpoint (the service connection created above).
  2. Select the SonarCloud organization techdirectarchive.
  3. In Choose the way to run the analysis, select Integrate with MSBuild.
  4. In the Project Key field, enter techdirectarchive_Techdirectarchive_Proj.
  5. In the Project Name field, enter Techdirectarchive_Proj.
  6. Save and queue.
  7. Run.

This task must run before your build step, because the MSBuild integration hooks into the compilation to collect the analysis data.

[Image: Configuring your pipeline (Prepare analysis on SonarCloud)]
[Image: Configuring your pipeline (Run Code Analysis)]
[Image: Pipeline build result]

Once the pipeline runs successfully, the scan report appears in SonarCloud. Perform the needed remediation, then re-run the pipeline to confirm that the findings are resolved.

[Image: SonarCloud report]

2. Run Code Analysis

This task must run after your build step.

3. Publish Quality Gate Result

This task is not mandatory, but it publishes the Quality Gate status on the build and allows SonarCloud to decorate your pull request.
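The same three tasks expressed as a YAML pipeline, as an added example that is not the page's own pipeline. It assumes a service connection named SonarCloud, the organization, project key and project name used in this guide, and a .NET Core project built with the .NET Core CLI task; the agent image is likewise an assumption. Note that the SonarCloud token never appears in the file: the tasks reference the service connection by name.

```yaml
# Added example (not the page's own pipeline): SonarCloud analysis in Azure Pipelines.
# Assumed names: service connection "SonarCloud", organization "techdirectarchive",
# project key/name as entered in the Prepare step of this guide.
trigger:
  - main

pool:
  vmImage: 'windows-latest'   # assumption: any hosted image with the .NET SDK works

steps:
  # 1. Prepare: must run BEFORE the build so the MSBuild integration can hook the compile.
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'SonarCloud'                 # service connection name (assumption)
      organization: 'techdirectarchive'
      scannerMode: 'MSBuild'
      projectKey: 'techdirectarchive_Techdirectarchive_Proj'
      projectName: 'Techdirectarchive_Proj'

  # Build step between Prepare and Analyze.
  - task: DotNetCoreCLI@2
    displayName: 'dotnet build'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration Release'

  # 2. Analyze: must run AFTER the build.
  - task: SonarCloudAnalyze@1

  # 3. Publish the Quality Gate result to the build summary (and to the PR on PR builds).
  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

For a non-.NET stack, set scannerMode to CLI and point the Prepare task at the project's sonar-project.properties instead of using the MSBuild integration. Keep the Prepare task before, and the Analyze task after, whatever build step you use; reversing them is the most common reason an analysis uploads no results.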
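Publishing the Quality Gate result shows it on the build, but a practitioner usually also wants a build to fail when the gate is red. The following Python script, an added example that is not from the page or from SonarSource, reads the gate status through SonarCloud's public Web API (api/qualitygates/project_status) and lists the conditions that failed. The SAMPLE_RESPONSE is constructed for offline use and follows the documented response shape; the SONAR_TOKEN environment variable and the Basic-auth convention (token as user name, empty password) are assumptions about how you store and pass the token.

```python
"""Quality Gate check for a SonarCloud project.

Added example, not code from the page or from SonarSource. Calls the public
Web API endpoint api/qualitygates/project_status. SONAR_TOKEN is assumed to
hold a SonarCloud user token; it is a secret, so pass it as a pipeline secret
variable rather than committing it. SAMPLE_RESPONSE below is constructed.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

SONARCLOUD_API = "https://sonarcloud.io/api/qualitygates/project_status"

# Constructed sample of the documented response shape: one failing condition,
# one passing condition. The overall status is ERROR because a condition failed.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {
                "status": "ERROR",
                "metricKey": "new_security_rating",
                "comparator": "GT",
                "errorThreshold": "1",
                "actualValue": "4",
            },
            {
                "status": "OK",
                "metricKey": "new_coverage",
                "comparator": "LT",
                "errorThreshold": "80",
                "actualValue": "85.2",
            },
        ],
    }
}


def fetch_quality_gate(project_key: str, token: str) -> dict:
    """Query SonarCloud for the current Quality Gate status (network call)."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    # SonarCloud accepts the token as the Basic-auth user name with an empty password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(
        f"{SONARCLOUD_API}?{query}", headers={"Authorization": f"Basic {cred}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate_passed(status_json: dict) -> bool:
    """True only when the overall Quality Gate status is OK."""
    return status_json.get("projectStatus", {}).get("status") == "OK"


def failed_conditions(status_json: dict) -> list:
    """Conditions that did not pass (OK) and are not unset (NONE)."""
    conditions = status_json.get("projectStatus", {}).get("conditions", [])
    return [c for c in conditions if c.get("status") not in ("OK", "NONE")]


def summarize(status_json: dict) -> str:
    """Human-readable summary suitable for a pipeline log."""
    overall = status_json.get("projectStatus", {}).get("status", "UNKNOWN")
    lines = [f"Quality Gate: {overall}"]
    for c in failed_conditions(status_json):
        lines.append(
            f"  {c['metricKey']}: actual {c.get('actualValue')} "
            f"{c.get('comparator')} threshold {c.get('errorThreshold')} -> {c['status']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: SONAR_TOKEN=... python check_gate.py <projectKey>
    # Exit code 1 on a failed gate so the pipeline step fails.
    key = sys.argv[1] if len(sys.argv) > 1 else "techdirectarchive_Techdirectarchive_Proj"
    token = os.environ.get("SONAR_TOKEN", "")
    result = fetch_quality_gate(key, token) if token else SAMPLE_RESPONSE
    print(summarize(result))
    sys.exit(0 if gate_passed(result) else 1)
```

Run it as a script step after the Analyze task, with SONAR_TOKEN mapped from a secret pipeline variable. Because analysis is processed asynchronously on SonarCloud, query the gate only after the Publish task (or an equivalent wait) has confirmed that the analysis report was processed; querying too early returns the previous analysis' status.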
