Home C# SonarQube – Rejecting Code Check-in when Quality Gates are not met

SonarQube – Rejecting Code Check-in when Quality Gates are not met

By on ( 5 )


SonarQube is an Open Source tool for continuous inspection of code quality. It basically does a static code analysis of your entire code base.

The earlier we identify issues, the easier and cheaper it is to address them. By leveraging the power of Static Code Analysis, developers can get an early feedback for their code changes.

SonarQube has a collection of rules to analyze your source code at compile time to identify potential vulnerabilities, bugs, anti-patterns, refactoring and poor coding practices.

Read my earlier blog post to learn more about SonarQube – 

Manage your Technical Debt with Visual Studio 2015 and SonarQube
 
In my project, we have also integrated SonarQube with our TFS CI/CD build and have configured the Quality Gates.

For example – If I try to inject a security threat or a known coding issue — the TFS build will fail, the check in will get rejected, the quality gate fails and SonarQube points me to the exact issue – which I can rectify and do another check-in. So it will basically stop you from checking in code with potential issues.
 
Currently the only way to catch such issues is during manual coding reviews. SonarQube will help in automating that process. You can write your own rules to look for known issues in the code and stop it before the code gets checked in to source control.
So overall you can ensure good quality code going to Production and less regression defects coming up at a later point of time.

Please find below the sequence of events which occurs when I try to check in code with potential vulnerability —

SonarQube Scanner fails

SonarQube Quality Gate Failure

Code check-in gets rejected

Check-in Rejected

TFS Continuous Integration Build Fails

TFS Build Failed

SonarQube Quality Gates fail

SonarQube Analysis Report

Detailed SonarQube Report shows the new bugs/vulnerabilities introduced 

SonarQube Details

 

Clicking on the new vulnerability introduced, it points you to the exact issue in the code and provides suggestion on the code fix

Issue Details

I have been using SonarQube in my projects to ensure high code quality, automate our code review process and also manage our technical debt. I would highly recommend you to start using this tool and leverage its benefits.

Categories: C#, SonarQube, Visual Studio

5 replies

  1. Justin
    November 7, 2018 • 2:11 pm

    Great – but you don’t talk about how to set it up to do this…

    Like

    Reply ↓
  2. jgreywolf
    November 7, 2018 • 2:12 pm

    This is great – but Im trying to find information on how to actually set this up

    Like

    Reply ↓
  3. Russell and Bromley Oxfards
    January 9, 2019 • 8:30 am

    Great article. I previousally to spend alot of my time water skiing and being involved in sports. It was quite possible the most memorable period of my childhood and your info somehow brought back us of that. Thanks

    Like

    Reply ↓

Trackbacks

  1. Improving Code Quality With SonarQube – Curated SQL
  2. SonarQube – Setting up Quality Gates in your application – dotnetvibes

Leave a Reply