The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

SonarQube usage

How to use SonarQube

This guide will assist you in getting started with SonarQube and performing various tasks efficiently using the tool.

Important

Some actions cannot be performed directly by users and should be performed by submitting a ticket.

Please visit the Platform page to review the specific instructions and tickets available on your platform.

Local Environment Setup

SonarQube for IDE

To install SonarQube for IDE in Visual Studio Code:

  • Navigate to the Extensions view by selecting the Extensions icon in the Activity Bar on the side of the window.
  • Search for SonarQube for IDE in the search bar
  • Select the Install button next to the SonarQube for IDE extension from SonarSource.

Set Up the Connected Mode

  • Open the SonarQube for IDE in VSCode.
  • Go to Connected Mode tab, at SonarQube Server level and select +.
  • Fill the SonarQube Server Url.
  • Select Generate Token : This will open your SonarQube server page to validate your credentials.
  • Select Save Connection to establish the connection.

Once connected, you can select your project:

  • Select + next to your server on the list
  • Find your project to bind it.

SonarQube IDE

Run Local Scan

  • Ensure SonarQube for IDE is installed and connected in Connected Mode.
  • Access the Command Palette by pressing Ctrl+Shift+P (or Cmd+Shift+P on macOS).
  • Type and select SonarQube: Analyze Current File With SonarQube
  • SonarQube will begin analyzing your code
Note
  • SonarQube IDE for VS Code will only analyze open files.
  • SonarQube IDE for Eclipse, can analyze all files in the project.

Access to SonarQube

Generate Tokens

  • Sign in to SonarQube with your user credentials,
  • Select your profile avatar or name in the upper-right corner,
  • Select My Account from the dropdown menu,
  • In the left-hand menu, select the Security tab.
    • Under the Tokens section, you will see a button to generate a new token.
  • Provide a descriptive name for the token, like cicd-pipeline-token
  • Select a token type ( you can refer to SonarQube guide token )
  • Set an expiration date for the token.
  • Select Generate Tokens.

Managing and Revoking Tokens

  • Regular Review: Periodically review active tokens to ensure they are still necessary and scope/permissions are appropriate.
  • Revocation: If a token is compromised or no longer needed, navigate to My Account > Security > Tokens and select the revoke button for the specific token.

Start a Scan

Create a New Project

To create a new project in SonarQube, follow these steps:

  1. Sign in to your SonarQube instance.
  2. From the main menu, select Projects and then Create Project.
  3. Enter the project details:
  4. Provide a name for the project, a unique project key, and optionally a project description.
Exemples

Please take a look to an exemple of a Python Project for detailed instructions on setting up quality checks.

Add Quality Profile

  • Navigate to your project.
  • Select the Project Settings.
  • Select Quality Profiles from the left menu.
  • you will see a list of already used quality profiles.
  • Select Add Language
  • Choose the relevant language from the dropdown menu.
  • Select the quality profile you wish to assign to your project.
  • Confirm your action by selecting Save.

Organize Dashboard

Important

Depending on your platform, as an user you may have the ability to create Application or Portfolio. If not, only the platform administrators can perform the following actions.

Create an Application

Application Creation

  1. Sign in to your SonarQube instance.
  2. From the main menu, you should see a button at the top right labeled Create Application.
  3. Define the Application details:
    • Name: Enter a descriptive name for your application (e.g., my awesome app).
    • Key: Provide a unique identifier for the application. This key should follow the naming conventions your platforms uses. (my-awesome-app)
    • Description: (Optional) Provide a brief description of the application’s purpose.

Add projects to an Application

  1. Navigate to your newly created Application.
  2. Select the Application Settings Menu.
  3. Select the Edit Definition.
  4. Search and Select projects that will be part of this application.
  5. Select The Branch that you want to include in the application.

Create a Portfolio

portfolio Creation

  1. Sign in to your SonarQube instance.
  2. At the top menu, select Portfolio next to Project.
  3. From here, you can view the portfolios
  4. Select the Create Portfolio button to start creating a new portfolio.
Note

With Administrator privileges, you can manage Portfolios under Administration > Configuration > Portfolios.

Setup a Portfolio

  1. Navigate to the Portfolios section from the main menu.
  2. Select your Portfolio
  3. At the right side of the screen, select the Portfolio Settings > Edit Definition.
  4. You can define the contents of your portfolio by adding Projects, Application or other Portfolios.
    1. To add Application, select the buttom Add Application
    2. To add Portfolio, select the buttom Add Portfolio
    3. To add Project, select the pencil icon next to Project selection mode, select Manual, then use the search bar to find and select the projects you want to include.
  5. You can also choose the Branch that you want to include in the portfolio. By default, the Main BRANCH will be selected.

edit portfolio

How to manage issues

Ensure SonarQube is properly set up in your CI/CD pipeline, that you have define a quality gates that set thresholds for code quality, including metrics like code coverage, duplications, complexity, and more.

Run your project through CI to perform an analysis and gather a baseline of your code quality.

Review the issues identified by SonarQube in Issues tabs. Issues are categorized into bugs, vulnerabilities, code smells, security hotspots, and duplications.

Prioritize issues based on their severity (Blocker, Critical, Major, Minor, Info):

  • Focus on high-severity issues (Blockers and Critical) first as they could have the most significant impact on your application.

view

  • Open an issue by selecting it for more details.

view

Assigning and Resolving Issues

  1. Assign issues to the appropriate team members who have the knowledge and responsibility to address them.

    • Developers should address the assigned issues in their codebase. Follow the recommendations provided by SonarQube for resolving the issues.
    • Ensure each fix includes appropriate testing to verify that it resolves the issue without introducing new problems.
    • Conduct code reviews to ensure that the fixes correctly address the issues and follow best practices.
    • Use SonarQube’s pull request decoration feature to see issues in the context of pull requests.
  2. After validating changes, rerun the SonarQube analysis to verify that issues have been resolved and to catch any new issues that may have been introduced.

  3. Use SonarQube’s dashboards and reports to track the progress of issue resolution over time.

    • Share these reports regularly with stakeholders to keep them informed about the code quality and any technical debt.

Display Quality

View Badges SonarQube

  1. Go to your project dashboard in SonarQube,
  2. Navigate to Project Information on the top right of the page,
  3. Open Get project badges section,
  4. Select one of the different badge options, such as quality gate status, coverage, and reliability rating and the format.
  5. Copy the URL/Code of the required badge.

sonar-badge

You can now use this badge in your documentation or README file to showcase the project’s code quality status.

Badge in GitLab Project

  1. Open your GitLab project.
  2. Go to the repository’s main page.
  3. On the left sidebar, navigate to Settings > General.
  4. Expand the General project settings section. Locate the “Badges” section and select Add Badge.
  5. Fill in the fields as follows with Name and Link (e.g., https://sonar.example.com/dashboard?id=your_project_key )
  6. Badge Image URL: Paste the copied badge URL from SonarQube (e.g., https://sonar.example.com/api/project_badges/measure?project=your_project_key&metric=coverage ).
  7. Select Add Badge to save the badge.

Badge in GitLab README

If you chose the markdown format in step 4 (SonarQube part), you can add the generated code directly to the file README.md:

  1. Edit your README.md file,
  2. Paste the code that was generated at step5,
  3. save and commit your changes

Advanced Customization

The platform should restrict the access to users the capability to create / modify quality profiles, as they are shared and visible accross the instance.

Users should request to their Platform Adminitrators a request a Creation or Extension of a Quality Profile.

Create Quality Profile

Instance Adminstrator Privileges or Create Quality Profile Rights:

  • Navigate to Quality profile
  • At the top right corner, you can see two buttons at the top right: create and restore.
    • Create: allow create a blank profile, a copy of an existing profile or an extend of an existing profile for a specific language
    • Restore: This option enables you to import from a backup file (XML) if provided by user.

Extend an Existing Quality Profile

Instance Adminstrator Privileges or Create Quality Profile Rights:

  • Go to Quality profile
  • Type the language of the profile you want to extend in Filter profiles by:
  • Select an existing profile (the one you want to extend from)
  • Select the gear at the top right of the page
  • Select Extend
  • Name your new profile.

Once created, You can grant the permission to manage to the requester.

Manage a specific quality profile

Instance Adminstrator Privileges or Create Quality Profile Rights:

You can delegate the management (add / change rules in a quality profile) to users.

  • Go to Quality profile tabs
  • Select the profile you want to manage. (filter by language if needed)
  • Go at the button of the page and select the Grant permissions to more users.
  • Select the user or group you want to grant permissions to and select Save.

grant-perms

Tip

This method is recommended over granting everyone with Administer Quality Profile privilege. This avoid having users modify quality profiles that they are not under their scope.

Last modified 17.03.2026: Fix British terms (24d3972)