| SonarQube Integration

4 min readOct 22, 2022

|| #story 2 =>Azure + SonarCloud — Block Pull Requests for every code merge.

AzureEliminate Bugs and Vulnerabilities in your Azure DevOps repositories

sonarqube + azure devops

General Context

1 Sonarqube?
2 SonarQube Reports / Why use SonarQube?
3 SonarQube integration with Azure (Extension for Azure )
4 Configure SonarQube on Azure (Config pipeline)
5 Configure SonarQube
6 Analyzing Source Code Branch
7 Demo

1-SonarQube ?

SonarQube is an open-source platform developed by SonarSource ,
It is used to inspect the source code of software and applications under development and detect bugs, security vulnerabilities, instances of duplicate code and other anomalies that may affect the quality of the source code

The goal is to help developers create better quality code, while simplifying the development process.

2-1 SonarQube Reports ?

Architecture and design of the application
Unit testing (analysis of specific parts of the code)
Duplicate code
Potential bugs
Complex code
Programming rules

2–2 Why use SonarQube?

we use sonar to improve the quality of the code and there are other reasons :
Quick error detection
Improve productivity
Cost reduction
clean code

3 SonarQube integration with Azure

Allows you to maintain code quality and security in your Azure DevOps repositories.

4-Analyzing Source Code

Once the SonarQube platform has been installed, you’re ready to install a scanner and begin creating projects. To do that, you must install and configure the scanner that is most appropriate for your needs :

Azure DevOps — SonarQube Extension for Azure DevOps: makes it easy to integrate analysis into your build pipeline. The extension allows the analysis of all languages supported by SonarQube.

5 Configure SonarQube on Azure


For our pipeline project. We have three dependencies for tasks that we will use.

# Prepare Analysis Configuration task
- task: SonarQubePrepare@5

# Run Code Analysis task
- task: SonarQubeAnalyze@5

# Publish Quality Gate Result task
- task: SonarQubePublish@5

Configure SonarQube

Quality Profiles: Are collections of rules to apply during an analysis:
For each language there is a new profile created by ou team :

1- update Rules Sonarqube
2- Create Profiles

Quality Gates :
Considers all of the quality metrics for a project and assigns a passed or failed designation for that project. We have created a 4 Quality Gates :

[Project] Ultimate Level
[Project] High Level
[Project] Medium Level
[Project] low Level

3- Create Quality Gates :

Example for Quality Gates Ultimate

Metric Definitions


Duplicated blocks (duplicated_blocks)
A number of duplicated blocks of lines.


Code Smells : Total count of Code Smell issues..
Maintainability : Rating given to your project related to the value of your Technical Debt Ratio. The default Maintainability Rating grid is:
A=0–0.05, B=0.06–0.1, C=0.11–0.20, D=0.21–0.5, E=0.51–1
The Maintainability Rating scale can be alternately stated by saying that if the outstanding remediation cost is:
<=5% of the time that has already gone into the application, the rating is A
between 6 to 10% the rating is a B
between 11 to 20% the rating is a C
between 21 to 50% the rating is a D
anything over 50% is an E

Quality Gate :

For all the conditions of your Quality Gate, you know which condition is failing and which is not.
Bugs: Number of bug issues.
Reliability Rating:
A = 0 Bugs
B = at least 1 Minor Bug
C = at least 1 Major Bug
D = at least 1 Critical Bug
E = at least 1 Blocker Bug


Vulnerabilities : Number of vulnerability issues.

Security Rating
A = 0 Vulnerabilities
B = at least 1 Minor Vulnerability
C = at least 1 Major Vulnerability
D = at least 1 Critical Vulnerability
E = at least 1 Blocker Vulnerability
More Details

6 Analyzing Source Code Branch

Any questions?