Azure DevOps: Static Code Analysis with the SonarQube service on Azure Container Instances
While at university, students usually worry more about how to make application code work than about how to make it last. Developing an application that meets the business requirements in terms of features and overall functionality is definitely an important milestone in the roadmap. Still, on many occasions, it is simply not enough to ensure your product’s success on the market.
To stand out in a crowd of competitors, you need to make your product resilient. Executives and businesspeople sometimes don’t really understand how that resilience comes about or where it comes from. Let me shed some light on this. Static code analysis is a powerful tool that allows us to identify potential bugs, code smells and security vulnerabilities before the code goes into the production environment. It is an essential part of quality assurance in the product development process.
So I am going to demonstrate how you can leverage an open-source tool, developed by SonarSource, to achieve continuous inspection of code quality, and potentially mitigate some risks in your product development process as a bonus. This mini-tutorial will help you understand how SonarQube, Azure Container Instances, Linux and Azure DevOps can join forces to achieve the continuous code quality inspection you long for.
Luckily, gone are the times of Microsoft and Linux living in parallel universes. Nowadays, with the introduction of Cloud Services and Containers, choosing an OS is not relevant anymore. When practising DevOps, you have surely found out that the technologies and tools used are not important. The focus is on achieving quality and fast delivery, in a full-fledged agile environment.
Step 1: Deploy the SonarQube Server.
There are many ways to accomplish this step. Probably the quickest one is to deploy it from a pre-baked Docker image into an Azure Container Instance. For this, we may launch the Azure Cloud Shell and first create the resource group. We then create an Azure Container Instance and pull the image for the SonarQube Server deployment.
When you have finished, you will see the details of your container instance.
At this point, there are a few ways to check if your container is up and running. The easiest one is to log in to the Azure Portal.
Step 2: Integrate the SonarQube Container Instance into your CI pipeline
Now that you have SonarQube up and running on Azure, it’s time to use it in your builds for continuous code inspection and integration purposes. In this case, I am using one of my build definitions in Azure DevOps (classic editor), but it will work equally well if you use a YAML definition for your build pipeline, or if you use Jenkins, for example, for continuous integration purposes. For the whole integration, you will need to add the following three command-line tasks, as indicated below:
Task 1: Install the SonarQube tool on your Build Agent
Task 2: Invoke Scanning Service
Task 3: Execute
This is how the results are displayed in SonarQube:
Step 3: Deleting your SonarQube container
If you don’t want to leave your container living forever, you can delete it:
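The container lifecycle from Step 1 and Step 3 as one script, with a readiness poll between them. This is an added example, not the commands from the original article: the resource names, region, image reference and sizing are assumptions, and it expects the Azure CLI and curl, as found in Azure Cloud Shell.

```bash
#!/usr/bin/env bash
# Added example: throwaway SonarQube on Azure Container Instances.
# Every name below is an assumption; override via environment variables.
RG="${RG:-sonarqube-rg}"
LOCATION="${LOCATION:-westeurope}"
NAME="${NAME:-sonarqube-aci}"
DNS_LABEL="${DNS_LABEL:-sonarqube-demo}"   # must be unique per region
IMAGE="${IMAGE:-sonarqube}"                # pin a tag or digest in real use

# Step 1: resource group + container; prints the server's base URL.
# Note: this publishes port 9000 over plain HTTP on a public IP, so
# change the default admin password before the first scan.
sonar_up() {
  az group create --name "$RG" --location "$LOCATION" --output none &&
  az container create --resource-group "$RG" --name "$NAME" \
    --image "$IMAGE" --os-type Linux --cpu 2 --memory 4 \
    --ip-address Public --ports 9000 --dns-name-label "$DNS_LABEL" \
    --output none &&
  fqdn=$(az container show --resource-group "$RG" --name "$NAME" \
    --query ipAddress.fqdn --output tsv) &&
  echo "http://${fqdn}:9000"
}

# Pull the "status" field (STARTING, UP, DOWN, ...) out of the JSON
# returned by SonarQube's /api/system/status endpoint.
status_of() {
  printf '%s' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Poll until the server reports UP; $1 = base URL, $2 = max attempts.
wait_until_up() {
  tries=0
  while [ "$tries" -lt "${2:-60}" ]; do
    body=$(curl -fsS --max-time 5 "$1/api/system/status" 2>/dev/null) || body=""
    [ "$(status_of "$body")" = "UP" ] && return 0
    tries=$((tries + 1))
    sleep "${POLL_SECONDS:-10}"
  done
  return 1
}

# Step 3: remove the container once the results are no longer needed.
sonar_down() {
  az container delete --resource-group "$RG" --name "$NAME" --yes --output none
}

case "${1:-}" in
  up)   url=$(sonar_up) && wait_until_up "$url" && echo "SonarQube ready: $url" ;;
  down) sonar_down ;;
esac
```

Saved under a name of your choice (for instance `sonar-aci.sh`, an assumed name), it is run with `up` before the build and `down` afterwards.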
Final remarks
In my view, this way of proceeding is the simplest one. With it, you don’t have to set up your own SonarQube server from scratch. SonarQube does not have to run around the clock, so you can bring the container up and take it down based on your needs, and you don’t even need a server for it. Another challenge can arise, though, with the virtual machine where the SonarQube server is hosted. The virtual machine is typically used for multiple purposes, while containers draw clear boundaries among themselves. To overcome this, a viable solution is using the Azure App Service Linux Containers for deploying the SonarQube service. If that’s something you are interested in, have a look at the link:
I do hope you enjoyed reading my article, and please let me know what you think, and feel free to share your experience with SonarQube.