DEV Community

Yehanny Olivares
Yehanny Olivares

Posted on • Edited on

Docker Compose - Sonarqube / Sonar Scanner CLI / GITHUB

Sonarqube is an open source platform for continuous inspection of code quality.

Table of contents

Introduction
Installation
Support
Optional
License

Introduction

Sonarqube is an open source platform for continuous inspection of code quality. The platform can be used to perform automatic reviews with static analysis of code to detect bugs, code smells and security vulnerabilities on 20+ programming languages including Java, C#, JavaScript, TypeScript, C/C++, COBOL and more. SonarQube is the only product on the market that supports a leak approach as a practice to code quality.

Installation

You can copy all the files inside this repository in your project, also you'll need https://www.docker.com/ and https://docs.docker.com/compose/ to run the commands inside your local environment

SonarQube + Postgres DB

Copy the .env.example to .env inside the repository

Run first the sonarqube + db services. SonarQube server will take some minutes to deploy and we can't run the Sonar Scanner until this first task is done, we also need to setup our project and if we're using for example GitHub we'll need to:

GitHub App Setup

Create a GitHub App from Settings > Developer Settings > GitHub App to get our API Credentials, Secret and Private Key

Install that new App for a single or multiple repositories to connect to it.

Setup your Repository Permissions:

Checks: Read and Write
Commit statuses: Read
Metadata: Read
Pull requests: Read and Write

Save and next copy your credentials because we're going to need it for the next step

App ID:
Client ID:
Client secrets:
Private key:

Now it's time to deploy our SonarQube instance, run:

$ docker compose up -d sonarqube db

Then double check both services are mounted and running, and you should see something like this

$ docker ps

NAME COMMAND SERVICE STATUS PORTS postgresql "docker-entrypoint.s…" db running 5432/tcpsonarqube "/opt/sonarqube/bin/…" sonarqube running 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp

Go to your SonarQube server http://localhost:9000 and login with the default credentials. User: admin Pass: admin and then change them to your custom password, save and go to > Projects and select GitHub and use your App credentials that we created before to fill the form

Running the Sonar Scanner

Setup your .env Variables with the one that SonarQube just created for us

SONAR_LOGIN=
SONAR_PROJECT_KEY=
SONAR_SOURCES=

Now it's time to run our first test using this command

$ docker compose up sonar-scanner-cli

Wait for the test to finnish and go to http://localhost:9000 to see your results! Isn't that awesome? Happy Testing

Optional

vm.maxmapcount Issue

You may have vm.maxmapcount size issue and for that I've created a bash file to solve it add execute permissions to the file sonarqube-init.sh

On Linux

chmod +x sonarqube-init.sh

On MacOS and Windows

chmod 755 sonarqube-init.sh

Then run it: ./sonarqube-init.sh

SonarQube Properties file

You can setup the properties of your project using the sonar-project.properties file

must be unique in a given SonarQube instance
sonar.projectKey=sample

--- optional properties ---

//defaults to project key
sonar.projectName=My project
//defaults to 'not provided'
sonar.projectVersion=1.0.0

Path is relative to the sonar-project.properties file. //Defaults to .
sonar.sources=.

Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8

Support

Don't hesitate to comment if you have any issue, and I'll help you for sure to solve it, I'm 24/7 in my email

If you want to support this effort and time on doing this I'll be so grateful with you (And with God) You can https://www.buymeacoffee.com/yehanny

GitHub Repo

https://cpmlink.net/9R-GAQ

Top comments (1)

Collapse
 
codericko profile image
Fredrick Chew

Probably I should also write my own blog... for those who does not feel comfy in send code to a 3rd party SonarCloud but still want to have a airgapped solution. Check out sonarless It has a cli for local scan + works in GitHub Action too. Essentially, it automates SonarQube install, setup and scanning on your local machine