
Getting Started with SonarQube Cloud: A Developer's Guide

This guide is designed to help you navigate the features of SonarQube Cloud and integrate it into your workflow seamlessly.

Introduction

In the ever-evolving landscape of software development, maintaining code quality and security is more critical than ever. With the recent announcement of the SonarQube Cloud Free tier, developers have easy access to professional-grade code analysis with no infrastructure to set up and no software to install.


The Growing Importance of Code Quality


Software development is increasingly complex, with rapid release cycles and high demands on quality. Developers face pressure to deliver secure, robust code quickly, which often leads to technical debt and security vulnerabilities, particularly when AI-generated code is merged without careful review.


Enhancing Developer Productivity


Developer productivity is crucial for project success. Time spent on debugging and refactoring slows projects and affects morale. This time could be better used for developing new features or optimizing existing ones.


Seamless Integration into Development Workflows


A tool's value increases when it integrates seamlessly into the development environment. SonarQube Cloud excels by aligning with daily developer workflows.


Accessibility to Professional-Grade Tools


High licensing costs for professional code analysis tools have been a barrier. The SonarQube Cloud Free tier removes this obstacle, democratizing access to top-tier code analysis and empowering developers to improve code quality without financial constraints.


Accelerating Development and Reducing Bugs


Early detection of bugs, vulnerabilities, and code smells accelerates development and enhances application robustness. Integrating SonarQube Cloud into your development process helps catch issues early, saving time and resources without additional costs.


How to Get Started Quickly with SonarQube Cloud 


For a developer, getting started with the SonarQube Cloud Free tier is a straightforward process designed to get you analyzing your code for quality and security in no time. This section provides a step-by-step guide to setting up SonarQube Cloud and integrating it into your development workflow.


1. Sign Up for SonarQube Cloud 

Visit the SonarQube Cloud sign-up page and create your Free account.


Authenticate with Your DevOps Platform


SonarQube Cloud integrates with the popular DevOps platforms. You can sign up using your GitHub, GitLab, Bitbucket, or Azure DevOps account.


Authentication via these platforms uses OAuth, so you sign in through the platform's own login flow and SonarQube Cloud never handles your platform password.

  • Choose the platform where your repositories are hosted. For this guide, we'll assume GitHub, but the steps are similar for other platforms. Log in with your GitHub account; if you don't have one, you will need to create it first.



  • You will be prompted to authorize SonarQube Cloud to access your GitHub account. This includes:
    • Personal Data Access
      SonarQube Cloud requests the minimal personal data needed to operate, such as your username and email address.
    • Repository Access
      You can grant access to all repositories or only to selected ones. Granting access only to the repositories you intend to analyze follows least privilege and is recommended for the initial setup; you can extend the grant later.



2. Creating an Organization & Onboard Your First Project

After successful authentication, you'll be directed to the organization creation page, where you import an organization from your DevOps platform. Each imported organization becomes a SonarQube Cloud organization, and each repository you select becomes a project within it.


Click on “Import an Organization”.



Select the GitHub organization (or personal account) in which you want to install the SonarQube Cloud GitHub App.


Select the “Repository access” level.

  • All repositories
  • Only select repositories


Click on “Save”.


This will take you to the “Create an organization” page.


Provide a “Name” and a “Key” for the organization.


From the “Choose a plan” select Free plan. 


Click on “Create Organization”.


On the “Analyze projects” page, select either all repositories or a particular repository. 



Click on “Set Up”.


On the “Set up project for Clean as You Code” page, you need to set the new code definition. This definition controls which code counts as “new”, and therefore which issues the quality gate evaluates, so pick one that matches how you release.


For this demo, select “Previous version” and click “Create project”.



3. Perform Your First Analysis


Choose Your Analysis Method


SonarQube Cloud offers multiple analysis methods to suit different project needs.


Option 1: Automatic Analysis


Ideal for most projects and languages hosted on GitHub, Automatic Analysis requires no additional configuration: SonarQube Cloud analyzes the code on its side, without a CI job or a token of your own.


  • Enable Automatic Analysis
  • Supported Languages
    Automatic Analysis supports a wide range of languages, including:
    • JavaScript, TypeScript
    • Python
    • Java (partial support)
    • C# (partial support)
    • PHP
    • And more

Option 2: CI-Based Analysis


For projects requiring customized build environments or those written in languages not fully supported by Automatic Analysis.


  • Generate a Token
    You'll need a SonarQube Cloud authentication token:
    • Go to “My Account” > “Security”.
    • Click “Generate Tokens”, provide a name (e.g., “CI Token”), and copy the token straight into your CI provider's secret store. It is displayed only once and it authorizes analysis of your projects, so treat it like a password: never commit it to the repository or print it in a build log, and revoke it from the same page if it is ever exposed.




  • Install a Scanner
    Depending on your build environment, you may need to install a scanner:
    • SonarScanner CLI: a generic scanner for most projects.
    • Maven/Gradle plugins: for Java projects.
  • Download and install the appropriate scanner as per the installation guide.
  • Configure Your CI Pipeline
    Add steps to your CI configuration that run the SonarQube Cloud scan, providing the project key, the organization, and the authentication token (read from a CI secret, never written into the pipeline file).



Automatic Analysis


If you chose Automatic Analysis:

  • Initial Scan Triggered Automatically
    Upon setting up, SonarQube Cloud starts analyzing your project's default branch.



  • Subsequent Analyses
    Any new commits pushed to the default branch or open pull requests will trigger re-analysis.



Once the analysis is done, you will get to see the result on the project details dashboard page.



CI-Based Analysis


If you choose CI-based analysis, either because Automatic Analysis doesn't support your language (Flutter/Dart, for example) or because your DevOps methodology calls for it, you need some additional configuration.


From the project details page, select “Administration” and select “Analysis Method”.


Select “With GitHub Action”.


You will be asked to create a GitHub Secret: store the token generated earlier as a repository secret named SONAR_TOKEN, so the workflow can reference it as ${{ secrets.SONAR_TOKEN }} without the value ever appearing in the repository.


Select the language for which you want to create the build file for your project.


Select the OS on which you want to run the build.



An example of the build file for a Dart project is shown below:



```yaml
name: Build

on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonarqube:
    name: SonarQube
    runs-on: macos-latest
    steps:
      # For stronger supply-chain guarantees, pin third-party actions to a
      # full commit SHA instead of a mutable tag such as @v4.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      # The analysis requires dependencies to be retrieved and the project to build successfully
      - name: Build
        run: <commands_to_build_your_project>
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v4
        env:
          # Read from the repository secret; never hard-code the token here
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```



You also need to create a “sonar-project.properties” configuration file in the root directory of the project. A sample is shown below:



```properties
sonar.projectKey=stretchcloud_spotube
sonar.organization=stretchcloud

# This is the name and version displayed in the SonarQube Cloud UI.
#sonar.projectName=spotube
#sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

# Do not add sonar.token (or the deprecated sonar.login) here: this file is
# committed, and the token is supplied by the SONAR_TOKEN secret in CI.
```
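Because sonar-project.properties is committed alongside the code, it is the file most likely to end up holding a token by mistake. The following script is an added example, not code from this page or from Sonar: it parses the file (comments, key=value pairs, backslash line continuations) and refuses it if sonar.token, the deprecated sonar.login, or sonar.password is hard-coded instead of being supplied through the SONAR_TOKEN secret. Accepting a ${env.NAME} placeholder as safe and requiring https on sonar.host.url are this example's own assumptions, and the sample inputs are constructed.

```python
"""Pre-commit check for sonar-project.properties.

Added example, not code from the page or from Sonar. It parses the
Java-properties subset that sonar-project.properties uses and refuses
files that hard-code a credential, so the only credential path stays the
SONAR_TOKEN secret injected by the CI workflow.
"""
import re
from typing import Dict, Iterator, List

# Credentials that must never live in a committed file. sonar.login is the
# deprecated name for sonar.token; sonar.password belongs to the old
# username/password scheme.
SECRET_KEYS = frozenset({"sonar.token", "sonar.login", "sonar.password"})
REQUIRED_KEYS = ("sonar.projectKey", "sonar.organization")
# Assumption for this example: a ${env.NAME} reference is expanded by the
# scanner at analysis time and therefore is not a leaked secret.
ENV_REF = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")
PAIR = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop blanks and comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()  # leading whitespace on continuation lines is ignored
        if not pending and (not line or line[0] in "#!"):
            continue  # comments only count at the start of a logical line
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:  # file ended right after a continuation backslash
        yield pending


def parse_properties(text: str) -> Dict[str, str]:
    """Return key/value pairs; a later duplicate key overrides an earlier one."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        match = PAIR.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_properties(text: str) -> List[str]:
    """Return findings; an empty list means the file is safe to commit."""
    props = parse_properties(text)
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing required property {key}")
    for key in sorted(SECRET_KEYS.intersection(props)):
        if not ENV_REF.match(props[key]):
            findings.append(f"{key} is hard-coded; supply it through the "
                            "SONAR_TOKEN secret in CI instead, and rotate this token")
    host = props.get("sonar.host.url", "")
    if host and not host.startswith("https://"):
        findings.append(f"sonar.host.url must use https, got {host}")
    return findings


# Constructed sample matching the file shown in this guide, plus an
# exclusion spread over two lines to exercise continuation handling.
GOOD_PROPERTIES = """\
sonar.projectKey=stretchcloud_spotube
sonar.organization=stretchcloud

# This is the name and version displayed in the SonarQube Cloud UI.
#sonar.projectName=spotube
#sonar.projectVersion=1.0
sonar.exclusions=**/build/**,\\
    **/*.g.dart
"""

# Constructed sample of the mistake the check exists to catch; the value is
# a placeholder, not a real credential.
BAD_PROPERTIES = GOOD_PROPERTIES + "sonar.login=0123456789abcdef0123456789abcdef\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, check_properties(text) or "OK")
```

Run it as a pre-commit hook or as a first CI step; a non-empty finding list should fail the job before the scanner ever runs.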



Once the workflow has run and the analysis is complete, open the project's Overview page to see the new results. Processing the report can take a few minutes after the scan step finishes.



4. Interpreting Analysis Results


Navigate to Your Project Dashboard


  • Access Key Metrics
    The dashboard provides an at-a-glance view of your project's health:
    • Quality Gate - the pass/fail status of the project against the gate's predefined conditions (by default evaluated on new code, as defined by the new code definition you chose).
    • Reliability Rating - reflects the number and severity of bugs.
    • Security Rating - reflects the number and severity of vulnerabilities.
    • Maintainability Rating - based on code smells and technical debt.
    • Coverage - shown if test coverage reports are provided to the scanner.
    • Duplications - percentage of duplicated lines.



Explore Detailed Reports

  • Issues Tab
    Dive into a full list of detected issues. You can filter issues by:
    • Severity: Blocker, Critical, Major, Minor, Info.
    • Type: Bug, Vulnerability, Code Smell.
    • Status: Open, Confirmed, False Positive, Accepted, Fixed.




  • Rule Descriptions
    Each issue links to the rule that raised it, with an explanation of why it matters and a compliant example to compare against.
  • Security Hotspots
    Security Hotspots require manual review. They are security-sensitive pieces of code that are not necessarily vulnerable; review each one in context and resolve it as Safe or Fixed, so that the remaining list only contains hotspots nobody has looked at yet.
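To make the quality gate block a merge rather than just colour a dashboard, CI needs to read the gate status and fail on anything but a pass. The script below is an added example, not code from this page or from Sonar: it evaluates a status document in the shape this example assumes SonarQube Cloud's GET /api/qualitygates/project_status endpoint returns (projectStatus.status plus a conditions array) and turns it into a verdict. The payload is constructed, not captured; the metric keys, the rating encoding (1 = A to 5 = E) and the percentage formatting are assumptions made for the example. A status of NONE (no gate computed yet) is treated as a block, not a pass.

```python
"""Turn a SonarQube Cloud quality-gate status into a CI verdict.

Added example, not code from the page or from Sonar. The JSON shape is
assumed to mirror GET /api/qualitygates/project_status; the payload below
is constructed, not captured from a real project.
"""
import json
from typing import Dict, List

# Assumption: ratings come back as numbers, 1 = A (best) ... 5 = E.
RATING_LETTERS = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}
RATING_METRICS = {
    "security_rating", "reliability_rating", "sqale_rating",
    "new_security_rating", "new_reliability_rating", "new_maintainability_rating",
}

# Constructed sample: the gate fails because new code has a C security
# rating and an unreviewed hotspot, while coverage on new code passes.
SAMPLE_STATUS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "0.0"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "91.2"},
        ],
    }
})


def _fmt(metric: str, value: str) -> str:
    """Render a condition value the way a reader would expect to see it."""
    if metric in RATING_METRICS:
        return RATING_LETTERS.get(int(float(value)), value)
    if metric.endswith(("coverage", "density", "reviewed")):
        return value + "%"  # assumption: these metrics are percentages
    return value


def failed_conditions(payload: str) -> List[str]:
    """Human-readable list of the gate conditions that failed."""
    status = json.loads(payload)["projectStatus"]
    out: List[str] = []
    for cond in status.get("conditions", []):
        if cond.get("status") != "ERROR":
            continue
        metric = cond["metricKey"]
        scope = "new code" if metric.startswith("new_") else "overall"
        # GT means the actual value exceeded an upper bound; LT means it
        # fell below a lower bound.
        bound = "must be at most" if cond["comparator"] == "GT" else "must be at least"
        out.append(f"{metric} ({scope}) is {_fmt(metric, cond['actualValue'])}, "
                   f"{bound} {_fmt(metric, cond['errorThreshold'])}")
    return out


def gate_verdict(payload: str) -> Dict[str, object]:
    """Decide whether CI may proceed. Only an explicit OK passes: NONE (no
    gate computed) or WARN must not be mistaken for a green build."""
    status = json.loads(payload)["projectStatus"].get("status", "NONE")
    failures = failed_conditions(payload)
    return {"status": status,
            "passed": status == "OK" and not failures,
            "failures": failures}


if __name__ == "__main__":
    verdict = gate_verdict(SAMPLE_STATUS)
    print("quality gate:", verdict["status"])
    for line in verdict["failures"]:
        print("  -", line)
    raise SystemExit(0 if verdict["passed"] else 1)
```

In a pipeline the payload would come from an authenticated request made with the same SONAR_TOKEN secret; the exit code then decides whether the job fails.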




Advanced features that developers should consider

Now that you know how to get started with SonarQube Cloud, go ahead and sign up and give it a try. We will do a deep dive on more advanced features below in subsequent blogs.


Deeper Static Application Security Testing (SAST)


SonarQube Cloud’s deeper SAST goes beyond surface-level checks by analyzing how your code interacts with third-party dependencies. It uncovers complex vulnerabilities that might be missed by traditional scanners, helping you prevent potential security breaches.

AI Code Assurance

With AI Code assurance, you can analyze the code generated by AI coding assistants and tools and validate the code quality and security before the code is deployed. 


Advanced Secrets Detection

Accidentally committing secrets can lead to severe security incidents. SonarQube Cloud’s Advanced Secrets Detection scans your code for hard-coded credentials and sensitive information, alerting you before they become a problem.

Code Coverage, Duplication and Maintainability Metrics

Code coverage ensures that a significant portion of the codebase is tested, reducing the likelihood of undetected bugs and improving overall software quality and reliability. Detecting duplicated code helps maintain a clean, efficient codebase. SonarQube Cloud identifies code duplications, enabling you to refactor and improve maintainability. Maintainability metrics provide insights into code robustness and ease of future development.

Infrastructure as Code (IaC) Analysis

With support for IaC platforms, SonarQube Cloud analyzes your configuration files for security and compliance issues. This feature is essential for developers working with cloud deployments, ensuring your infrastructure is as secure as your application code.

Additionally, there are plenty of resources to help you get started:

  • Step-by-step guide for analyzing Java application code.
  • An active and growing user community, a great place to share experiences and get help.
  • Comprehensive documentation covering everything from getting started to exploring features.


Ready to go?  Get started here with your favorite DevOps platform and explore all the value of SonarQube Cloud.