In this article, we will add SonarQube to the git pre-commit hook, so that every commit is held to a defined level of security and consistency in the code.
What is SonarQube?
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells in 29 programming languages.
Why do we need SonarQube integration?
To improve the quality of the code by catching bugs, security hotspots, code smells and other issues before they land in the codebase.
How to integrate with SonarQube?
There are several ways: you can add it to the CI/CD pipeline, or run it from a git hook such as pre-commit or pre-push.
How to run SonarQube locally?
The simplest way I have found is to run it as a Docker image (you can also download the distribution and set it up manually).
The docker-compose setup can look like this:
version: '3'
services:
  psql-free:
    image: postgres
    container_name: "sonar-psql-free"
    restart: always
    environment:
      # Sample credentials for a local instance only; pick your own values.
      # With no POSTGRES_DB set, the default database is named after POSTGRES_USER (sonar).
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=Neverdown001
    volumes:
      - sonarqube-postgresql_data-free:/var/lib/postgresql/data
    ports:
      - "5440:5432"
  sonarqube-free:
    # The embedded Elasticsearch needs vm.max_map_count >= 262144 on the Docker host (sysctl).
    image: sonarqube
    container_name: "sonar-web-free"
    restart: always
    depends_on:
      - psql-free
    environment:
      # Current images read SONAR_JDBC_*; older images used the SONARQUBE_JDBC_* names.
      - SONAR_JDBC_USERNAME=sonar
      - SONAR_JDBC_PASSWORD=Neverdown001
      # Containers talk over the compose network, so use the container port 5432,
      # not the host-mapped port 5440.
      - SONAR_JDBC_URL=jdbc:postgresql://psql-free:5432/sonar
    ports:
      - "9010:9000"
    volumes:
      - sonarqube-conf-free:/opt/sonarqube/conf
      - sonarqube-data-free:/opt/sonarqube/data
      - sonarqube-extensions-free:/opt/sonarqube/extensions
volumes:
  sonarqube-conf-free:
  sonarqube-data-free:
  sonarqube-extensions-free:
  sonarqube-postgresql_data-free:
Note: You can keep this as a separate project containing only this docker-compose file and bring it up on its own (recommended), or add the sonarqube service to your project's own compose file.
Downloading Scanner
To work with SonarQube, you have to scan your whole project (excluding the virtual env and installed packages). This is done with the SonarScanner CLI (sonar-scanner).
You can download it from the following link:
https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/
Follow the installation instructions on that page (including adding the scanner's bin directory to your PATH).
Once that is done, we are one step away from analyzing our code.
Adding property file and running scanner
Make sure the Docker containers are up before proceeding.
Go to the following link: http://localhost:9010/
Use the following credentials:
username: admin
password: admin
Choose Manually.
Add the project details.
On the next page, choose Locally to run the scan on your local machine.
Enter a token name, choose its expiration, and press Continue. Copy the generated token; it is only shown once.
Go to your project directory, create a new file named sonar-project.properties in the root directory, and set the following properties in it:
# Project key chosen when the project was created (e.g. sales_app)
sonar.projectKey=YOUR_PROJECT_KEY
# Wait for the quality gate result so sonar-scanner exits non-zero when the gate fails
sonar.qualitygate.wait=true
sonar.python.version=3
sonar.host.url=http://localhost:9010
# Token generated in the previous step. If this file is tracked by git, the token is committed
# with it; prefer passing it on the command line (sonar-scanner -Dsonar.login=TOKEN) instead.
sonar.login=GENERATED_TOKEN_FROM_STEP_7
sonar.exclusions=**/env/**,**/static/**
sonar.sources=.
(In .properties files, a # comment must be on its own line; text after a value is part of the value.)
In your project root directory, run sonar-scanner.
Once it finishes, the result is visible in the SonarQube web UI at http://localhost:9010/.
Adding SonarQube to git hook (pre-commit)
In your project directory, create the hook script and then make it executable (sudo is not needed; the .git directory belongs to your user, and chmod must run after the file exists):
nano .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
The hook itself:
#!/bin/bash
# SCANNER_PROJECT_BIN_PATH is a placeholder for the scanner's bin directory
export PATH="$PATH:SCANNER_PROJECT_BIN_PATH"
# sonar.qualitygate.wait=true makes the scanner exit non-zero when the gate fails
sonar-scanner
if [ $? -eq 0 ] ; then
    echo 'SonarQube Passed'
    exit 0
else
    echo 'SonarQube Failed'
    exit 1
fi
Note: You can add this to whichever hook you want (for example pre-push, if a full scan on every commit is too slow); the report is generated and stored on the local SonarQube server either way.
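A hardened variant of the hook above, added here as an example (not the article's own script): it refuses to run when a token sits in the tracked sonar-project.properties, reads the token from the environment instead, and distinguishes a failed gate from a setup error. SCANNER_BIN and SONAR_TOKEN are assumed environment variables, not from the original page.

```shell
#!/usr/bin/env bash
# Added example: pre-commit hook running the SonarScanner quality gate.
# Assumptions (not from the original article): SCANNER_BIN points at the
# scanner's bin directory and SONAR_TOKEN holds the token from the SonarQube UI.
set -u

# Refuse if the tracked properties file carries a token, since it would be committed.
# $1 is the properties file path. Returns 0 when clean, 1 when a token is present.
properties_clean() {
  local file="$1"
  if [ -f "$file" ] && grep -Eq '^[[:space:]]*sonar\.(login|token)[[:space:]]*=' "$file"; then
    echo "pre-commit: remove sonar.login/sonar.token from $file and set SONAR_TOKEN instead" >&2
    return 1
  fi
  return 0
}

# Run the scanner as the gate. $1 is the scanner command (a stub can be substituted
# for testing). Returns 0 when the gate passes, 1 when it fails, 2 on setup errors.
sonar_gate() {
  local scanner="${1:-sonar-scanner}"
  if ! command -v "$scanner" >/dev/null 2>&1; then
    echo "pre-commit: '$scanner' not found on PATH" >&2
    return 2
  fi
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "pre-commit: SONAR_TOKEN is not set" >&2
    return 2
  fi
  # With sonar.qualitygate.wait=true the scanner exits non-zero when the gate fails.
  if "$scanner" -Dsonar.login="$SONAR_TOKEN"; then
    echo "SonarQube Passed"
    return 0
  fi
  echo "SonarQube Failed"
  return 1
}

# Git invokes the hook as .git/hooks/pre-commit; only then run the real scan.
case "$0" in
  */pre-commit)
    export PATH="$PATH:${SCANNER_BIN:-/opt/sonar-scanner/bin}"
    cd "$(git rev-parse --show-toplevel)" || exit 2
    properties_clean sonar-project.properties || exit 1
    sonar_gate sonar-scanner
    exit $?
    ;;
esac
```

Install it as .git/hooks/pre-commit and export SONAR_TOKEN in the shell you commit from; the token then never appears in the repository.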
CONCLUSION:
In this article, we have shown how to set up SonarQube locally on your machine to check that everything in the code is okay, and how to add it as a pre-commit hook so that your commits do not violate any of the standards.