SonarQube analysis: From local scans to CI/CD Automation

Time to complete: 45 minutes

Overview

With this course you will gain a comprehensive understanding of the SonarQube analysis workflow, moving from local scanner execution to fully automated CI/CD pipeline integrations. This course prepares you to maintain code quality and security at scale by implementing industry-standard static code analysis practices.


Learning objectives

  • Describe the five-step SonarQube analysis process.

  • Explain the purpose and benefits of automated code review using static code analysis.

  • Implement the SonarScanner executable on development or CI/CD hosts to manage data transmission.

  • Configure analysis parameters and scope to tailor scans to specific project needs.

  • Integrate SonarScanner into automated pipelines to ensure consistent code quality checks.



Key topics

  • Fundamentals of static code analysis and automated code review

  • The five-step logical flow of a SonarQube analysis execution

  • Installation and configuration of SonarScanner CLI for Windows, Linux, and macOS

  • Project configuration using the sonar-project.properties file

  • Management of analysis parameters and hierarchy across Global, Project, and Scanner levels

  • Definition of analysis scope using inclusion and exclusion glob patterns

  • Verification techniques for analysis results using debug logs and the SonarScanner Context

  • Integration of SonarScanner into CI/CD platforms including Azure DevOps, Bitbucket, GitHub Actions, and GitLab



Target audience

This course is designed for software developers, DevOps engineers, and quality assurance professionals who are responsible for maintaining code health and security. You should have a basic familiarity with command-line interfaces and with the version control or CI/CD platforms used by your organization.

Prerequisites

  • Access to a SonarQube Cloud or SonarQube Server instance

  • Execute Analysis permissions within your SonarQube project

  • A Scoped Organization Token (for SonarQube Cloud) or a Global/Project Analysis token (for SonarQube Server)

  • A functional Linux, Windows, or Mac development environment

  • Java 21 JRE installed in your environment

  • A project repository cloned into your local environment