SonarQube
SonarQube is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities. (source)
Seven Axes of Quality¶
SonarQube measures the internal quality of the code rather than the functional working application. Using the Seven Axes of Quality, SonarQube uses the follow dimensions to analyze code on a grading scale:
- Coding standards - respect coding standards and follow best practices
- Potential bugs - eliminate code violations to prevent vulnerabilities
- Documentation and comments — provide documentation especially for the Public API, the source code
- Duplicated code — isolates and refines duplications
- Complexity — equalizes disproportionate distributed complexity among components; eliminates complexity if possible
- Test coverage — writes unit tests, especially for complex parts of the software
- Design and architecture — minimize dependencies
Computer as a peer reviewer¶
Helpful for Developers As SonarQube helps improve the code quality of the application, it also helps the coding practices of developers. It acts as a peer reviewer and mentor to developers by providing feedback on coding standards and best practices.
Helpful for Management. Technical debt is invisible in most of the organizations, and can provide helpful information for business and financial decisions. When management understands the current state of the code, they can have a better understanding of how to address technical debt.
Profiles & Rules¶
Out of the box, SonarQube has preset templates for various programming languages. Although additional rules can be applied across and organization, line of business, or team, most will simply adopt the standards they provide.
Gating¶
As SonarQube scans code with each build in the pipeline scans code, a graded rating will result in a pass or fail. Failures are easily identified, with codelines, issues, suggestions, and estimated effort provided. Based on the setup within the pipeline, failing grades may fail a build, or it may allow you to continue in CI with limitations on deployments.
Often as teams onboard to the pipeline, quality gates and thresholds can gradually increase.