Extend your build pipeline with Sonarcloud - nikkh/maug3010 GitHub Wiki
SonarCloud is an online code analysis service that helps you to manage technical debt. One of DevOps' primary objectives is to shift left, and managing the quality of your code early in the pipeline is one thing that helps you achieve this.
It's a pretty simple matter to add SonarCloud analysis to your fledgling DevOps project. The rest of this page shows you how.
Note: the SonarCloud online service can be started for free, but you can't register with a Microsoft Account; you'll have to use an Azure Active Directory (work or school) account. Once SonarCloud is configured you will generate a token for access from Azure DevOps, which means there's no problem running Azure DevOps with a Microsoft account and SonarCloud with a work or school account (that's actually what I did here).
Create a Free SonarCloud account
Navigate to https://sonarcloud.io/about and click 'Log In'. Select Azure DevOps. This is where you will need to log in with a work or school account. I'm using my microsoft.com email address; you could use a work address or a personal Office 365 account. Grant access to your account if an OAuth permissions dialog appears.
When I registered I got a permissions error, but when I refreshed the screen I had an empty SonarCloud account:
Click the + sign to the left of the account icon (in this case it's the green square in the top right of the screen). From the menu that appears click 'Create new organisation'. Enter a key (e.g. maugtest) and click Continue. Remember this key; I will refer to it later as your 'SonarCloud Organisation Key'. On the next screen select the free plan:
Click on the account icon. Choose 'My account' -> Security -> enter a token name (maug-devops?) and click Generate:
Make a note of your token; you won't be able to see it again. I will refer to this as your 'SonarCloud project token' later on. Treat it as a password: it carries your SonarCloud permissions, so store it only in the Azure DevOps service connection (never in the repo or a plain pipeline variable) and revoke it from the same Security page if it is ever exposed.
Add SonarCloud Analysis to your pipeline
Edit your build pipeline in Azure DevOps.
Select the + sign alongside the Agent Job to add a new build task. In the Add tasks pane to the right, search for SonarCloud. When it appears from the Marketplace, click Install. Click the + button again and search for SonarCloud again. This time you will see the available tasks for running a SonarCloud analysis:
Hover over each task in turn and press Add:
- Prepare Analysis Configuration
- Run Code Analysis
- Publish Quality Gate Result
Re-organise your pipeline as follows (you can drag and drop to re-order tasks in the pipeline):
- Move 'Prepare Analysis Configuration' to be the first step in the pipeline (it must run before the build, because it hooks the Sonar scanner into MSBuild).
- Move 'Run Code Analysis' to be immediately after the Build task.
- Move 'Publish Quality Gate Result' to be immediately after 'Run Code Analysis'.
Your pipeline should now look similar to mine:
Notice that the 'Prepare Analysis Configuration' task requires further configuration. Click on it and configure SonarCloud:
- In the Organisation field, enter the SonarCloud Organisation Key that you noted earlier
- In the project key, enter any valid unique identifier (e.g. maugtest.yourname)
- In the Project Name, enter a project name (e.g. maugtest.samplewebapplication)
- Click the + button next to SonarCloud Service Endpoint. On the resultant dialog:
- For connection name, enter any connection name (e.g. maugtestsonarcloud).
- For SonarCloud token, enter the SonarCloud project token that you noted earlier
- Click Verify connection. If the connection is verified click OK; otherwise check that the settings have all been entered correctly.
Next, click 'Save' but do not queue.
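The same pipeline expressed as YAML, as an added example rather than anything from this wiki or the sample project. It uses the task identifiers the SonarCloud Marketplace extension installs (SonarCloudPrepare, SonarCloudAnalyze, SonarCloudPublish) and the .NET Core CLI task for the build; the service connection name, organisation key, project key and csproj path are the example values from this page and are assumptions you should replace with your own. Note that the token itself never appears in the file: the pipeline refers to it only through the service connection.

```yaml
# Added example: azure-pipelines.yml equivalent of the classic-editor steps above.
# Not from the original wiki page. Names marked (assumption) are placeholders.
trigger:
  - master

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'
  # Path from the sample repo layout used on this page
  projectPath: 'Application/aspnet-core-dotnet-core/aspnet-core-dotnet-core.csproj'

steps:
  # 1. Runs before the build: hooks the Sonar scanner into MSBuild.
  #    The SonarCloud token is held by the service connection, so it is
  #    neither in this file nor in the repo.
  - task: SonarCloudPrepare@1
    displayName: 'Prepare Analysis Configuration'
    inputs:
      SonarCloud: 'maugtestsonarcloud'        # service connection name (assumption)
      organization: 'maugtest'                # SonarCloud organisation key (assumption)
      scannerMode: 'MSBuild'
      projectKey: 'maugtest.yourname'         # any unique key (assumption)
      projectName: 'maugtest.samplewebapplication'

  - task: DotNetCoreCLI@2
    displayName: 'Restore'
    inputs:
      command: 'restore'
      projects: '$(projectPath)'

  - task: DotNetCoreCLI@2
    displayName: 'Build'
    inputs:
      command: 'build'
      projects: '$(projectPath)'
      arguments: '--configuration $(buildConfiguration)'

  # 2. Immediately after the build: sends the analysis to SonarCloud.
  - task: SonarCloudAnalyze@1
    displayName: 'Run Code Analysis'

  # 3. Polls SonarCloud until the quality gate has been computed and shows
  #    the result on the build summary page.
  - task: SonarCloudPublish@1
    displayName: 'Publish Quality Gate Result'
    inputs:
      pollingTimeoutSec: '300'
```

Keeping the definition in the repo means the analysis configuration is reviewed with the code and cannot be silently removed from the pipeline through the UI.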
This next step shouldn't normally be necessary, but it is, so bear with me. SonarCloud needs a unique reference that it uses as a primary key for the findings it generates. For Visual Studio projects it uses the GUID from the project file. The sample application generated by Azure DevOps Projects doesn't have a GUID included, so the simplest thing is to add one now.
Generate a GUID. You can use https://www.guidgenerator.com/online-guid-generator.aspx, or generate one locally with `[guid]::NewGuid()` in PowerShell or `uuidgen` on Linux/macOS. Copy your generated GUID.
Navigate to your repo, open Application/aspnet-core-dotnet-core and click on aspnet-core-dotnet-core.csproj. Then click Edit.
Inside the `<PropertyGroup>` element, add a new line as follows:
```xml
<ProjectGuid>{your_guid_here}</ProjectGuid>
```
Note the curly braces surrounding the GUID.
Your file should look like this (but with your generated guid):
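If you have several projects to fix, or want the edit to be repeatable, the same change can be scripted. The following is an added example and not code from this wiki or the sample project: it adds a `<ProjectGuid>` to a csproj only if one is missing, writes it in the braced upper-case form MSBuild uses, and refuses to touch a malformed existing value rather than silently replacing it (which would change the key SonarCloud uses for the project's findings). The embedded csproj is a constructed sample, not the real file from the repo; pretty-printing uses `xml.etree.ElementTree.indent`, so it assumes Python 3.9 or later for readable output.

```python
"""Added example (not from the wiki page): idempotently add a <ProjectGuid>
to an SDK-style csproj, mirroring the manual edit described above."""
import re
import sys
import uuid
import xml.etree.ElementTree as ET

# MSBuild writes ProjectGuid as an upper-case GUID wrapped in curly braces.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$")

# Constructed sample (not the real file from the sample repo): the general
# shape of an SDK-style csproj that has no ProjectGuid yet.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
  </PropertyGroup>
</Project>
"""


def format_project_guid(guid):
    """Render a uuid.UUID (or its string form) as MSBuild expects: {UPPER-CASE}."""
    return "{" + str(guid).upper() + "}"


def read_project_guid(csproj_xml):
    """Return the existing ProjectGuid text, or None if the project has none."""
    elem = ET.fromstring(csproj_xml).find("./PropertyGroup/ProjectGuid")
    return None if elem is None else (elem.text or "").strip()


def ensure_project_guid(csproj_xml, guid=None):
    """Return (csproj_xml, project_guid), adding a <ProjectGuid> only if absent.

    Idempotent: a well-formed existing ProjectGuid is kept unchanged so the
    key SonarCloud uses stays stable across builds. A malformed one raises
    ValueError instead of being silently overwritten.
    """
    existing = read_project_guid(csproj_xml)
    if existing is not None:
        if not GUID_RE.match(existing):
            raise ValueError(
                f"existing ProjectGuid is not a braced upper-case GUID: {existing!r}")
        return csproj_xml, existing

    root = ET.fromstring(csproj_xml)
    group = root.find("PropertyGroup")
    if group is None:
        raise ValueError("csproj has no <PropertyGroup> to hold a ProjectGuid")

    value = format_project_guid(guid or uuid.uuid4())
    ET.SubElement(group, "ProjectGuid").text = value
    if hasattr(ET, "indent"):  # Python 3.9+: keep the rewritten file readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode") + "\n", value


if __name__ == "__main__":
    # Usage: python add_project_guid.py path/to/project.csproj
    # With no argument it runs against the constructed sample and prints the GUID.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CSPROJ
    updated, project_guid = ensure_project_guid(text)
    if path and updated != text:
        open(path, "w", encoding="utf-8").write(updated)
    print(project_guid)
```

Run it once per csproj and commit the result; a second run is a no-op, so it is safe to keep in a repo bootstrap script.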
Click Commit. In the confirmation dialog, enter the comment 'added guid to csproj' and click Commit. This will kick off a new build. Navigate to your build pipeline and click on the newest build to monitor progress.
Once the build has completed, click on Summary. At the bottom of the page there should be a section for the SonarCloud Analysis report, showing Quality Gate Passed. Click on the link below this to open the detailed SonarCloud report:
That's all. Hopefully this shows how you can shift left very simply using Azure DevOps and the huge number of extensions available in the Marketplace. If there isn't an extension for something you need, you can develop your own (but that's not needed very often).