SonarQube Introduction

SonarQube is an open-source platform that automatically reviews code for quality and security issues. This topic explains what SonarQube is, how it works at a high level, and the key ideas you need to understand before using it.

What SonarQube Does in One Sentence

SonarQube reads your source code, checks it against hundreds of rules, and shows you a report of every problem it finds — organized by severity, type, and file.

SonarQube Is Not a Test Runner

Many beginners confuse SonarQube with a testing tool like JUnit or pytest. SonarQube does not run your tests. Instead, it reads the test results your framework produces and uses them to calculate test coverage. SonarQube itself is a static analysis and reporting platform.

The Big Picture: How SonarQube Fits in a Project

YOUR CODE
   |
   v
[SonarScanner] ----scans----> [SonarQube Server]
                                      |
                              [Analyzes + Stores]
                                      |
                              [Web Dashboard]
                                      |
                         Developer reads the report

The SonarScanner is a small command-line tool that you run on your project. It sends the code data to the SonarQube Server, which stores the results and makes them available in a browser-based dashboard.

Key Components of SonarQube

SonarQube Server

This is the main application. It receives scan data, processes it, stores results in a database, and serves the web interface. You install this on a machine your whole team can access.

SonarScanner

This is the tool you run against your project's code. It analyzes the files and sends results to the server. Multiple scanner versions exist — one for Maven projects, one for Gradle, one for .NET, and a general-purpose CLI scanner.

Database

SonarQube stores all scan results, history, and configuration in a database. Supported databases include PostgreSQL, Microsoft SQL Server, and Oracle.

Web Interface

This is the browser dashboard where developers, team leads, and managers read reports, browse issues, and configure settings.

SonarQube Editions

+--------------------+------------------+------------------+
|   COMMUNITY        |   DEVELOPER      |   ENTERPRISE     |
+--------------------+------------------+------------------+
| Free               | Paid             | Paid             |
| 1 branch analysis  | Branch analysis  | Portfolio view   |
| Most languages     | More languages   | All languages    |
| Great for learning | Great for teams  | Large orgs       |
+--------------------+------------------+------------------+

The Community Edition is free and covers most use cases for individual developers and small teams. This course uses the Community Edition for all examples.

Languages SonarQube Supports

SonarQube supports over 30 programming languages including Java, JavaScript, TypeScript, Python, C#, C, C++, Go, PHP, Ruby, Kotlin, Swift, and more. The specific languages available depend on the edition and installed plugins.

What SonarQube Measures

Reliability

Bugs in the code that will cause incorrect behavior at runtime. SonarQube rates reliability from A (no bugs) to E (critical bugs present).

Security

Vulnerabilities that attackers could exploit. The rating uses the same A-to-E scale as reliability.

Maintainability

Code smells — design problems that make the code hard to understand or change. SonarQube calculates the time it would take to fix all smells and calls it technical debt.

Coverage

The percentage of lines covered by unit tests. Higher coverage means more confidence that code changes do not break existing behavior.

Duplications

The percentage of code that appears in more than one place. High duplication makes maintenance difficult and increases the risk of inconsistencies.

The SonarQube Rating System

RATING    MEANING
------    -------
  A       No issues in this category — excellent
  B       1 minor issue — good
  C       At least 1 major issue — acceptable
  D       At least 1 critical issue — needs attention
  E       At least 1 blocker issue — must fix immediately

What Is a Rule

A rule is a specific check that SonarQube applies to your code. For example:

  • "Variables should not be declared and then immediately re-assigned"
  • "SQL queries should not be built with string concatenation" (SQL injection risk)
  • "Methods should not have too many parameters"

SonarQube ships with thousands of built-in rules. Administrators can enable, disable, or customize rules to match team standards.
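To make the idea of a rule concrete, here is a deliberately small rule checker written for this page (it is not SonarQube code and the rule key is a constructed placeholder). It walks a Python module's syntax tree and flags calls to execute() whose query string is assembled at runtime, which is the shape of the "SQL queries should not be built with string concatenation" rule listed above; a real analyzer would additionally track whether the concatenated value is user-controlled.

```python
import ast

# Constructed rule key; real SonarQube rule keys look different.
RULE_ID = "DEMO-SQL-CONCAT"


def _is_built_dynamically(node):
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                      # "..." + x   or   "..." % x
    if isinstance(node, ast.JoinedStr):
        return True                      # f"..."
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                      # "...".format(x)
    return False


def check_sql_concatenation(source):
    """Return [(line, message)] for every execute()/executemany() call
    whose first argument (the SQL text) is built by concatenation."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_built_dynamically(node.args[0]):
            findings.append((node.lineno,
                             f"{RULE_ID}: SQL built by string concatenation; "
                             "pass values as query parameters instead"))
    return findings


# Constructed sample module: the first function violates the rule,
# the second passes the value as a bound parameter and is clean.
SAMPLE = '''
def find_user_bad(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")

def find_user_good(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for line, msg in check_sql_concatenation(SAMPLE):
        print(f"line {line}: {msg}")
```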

What Is a Quality Gate

A Quality Gate is a pass/fail check that runs at the end of every scan. You define the conditions. For example: "Fail if code coverage on new code is below 80%" or "Fail if any new critical vulnerabilities exist."

Teams use Quality Gates in CI/CD pipelines to block a build from being deployed if the code does not meet minimum standards. You will learn more about Quality Gates in a dedicated topic.

The Concept of New Code

SonarQube distinguishes between overall code (everything in the project) and new code (code added or changed since a defined date or version). Teams typically focus Quality Gate conditions on new code. This approach prevents existing legacy issues from blocking every build while still enforcing quality on new work.
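The following is an added model of how a Quality Gate turns the conditions described above into a pass/fail decision; it is constructed for this page, not SonarQube's own implementation, and the metric names and the rule that "new_"-prefixed metrics refer to new code are assumptions. It shows why scoping conditions to new code lets a project with legacy debt still pass while a change that adds untested or vulnerable code fails.

```python
import operator

OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# Each condition reads "fail if <metric> <op> <threshold>", mirroring the
# examples in the text: "Fail if code coverage on new code is below 80%" and
# "Fail if any new critical vulnerabilities exist". Metric names are assumed.
GATE = [
    ("new_coverage", "<", 80.0),
    ("new_critical_vulnerabilities", ">", 0),
    ("new_duplicated_lines_density", ">", 3.0),
]


def evaluate_quality_gate(gate, metrics):
    """Return ("OK" | "ERROR", [descriptions of failed conditions]).

    A condition whose metric is absent from the scan (for example, no new
    code at all) is skipped rather than failed; that is an assumption of
    this model."""
    failed = []
    for metric, op, threshold in gate:
        if metric not in metrics:
            continue
        value = metrics[metric]
        if OPS[op](value, threshold):
            failed.append(f"{metric} = {value} (fail if {op} {threshold})")
    return ("ERROR" if failed else "OK", failed)


# Constructed scan results: the project as a whole carries legacy debt
# (low overall coverage, old vulnerabilities), but the new code is clean.
LEGACY_PROJECT_METRICS = {
    "coverage": 41.5,
    "critical_vulnerabilities": 7,
    "new_coverage": 86.0,
    "new_critical_vulnerabilities": 0,
    "new_duplicated_lines_density": 1.2,
}

# The same project after a change that adds an untested, vulnerable file.
BAD_CHANGE_METRICS = dict(LEGACY_PROJECT_METRICS,
                          new_coverage=62.0, new_critical_vulnerabilities=1)

if __name__ == "__main__":
    for label, m in (("clean change", LEGACY_PROJECT_METRICS),
                     ("bad change", BAD_CHANGE_METRICS)):
        status, failures = evaluate_quality_gate(GATE, m)
        print(f"{label}: {status} {failures}")
```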

SonarQube vs Competitors

TOOL            TYPE            BEST FOR
------------    ----------      --------------------------------
SonarQube       Server-based    Teams, CI/CD, multi-language
Checkstyle      CLI tool        Java style rules only
PMD             CLI tool        Java static analysis only
ESLint          CLI tool        JavaScript only
Snyk            Cloud-based     Security focus

SonarQube is unique because it supports many languages, stores history over time, and integrates with almost every CI/CD tool on the market.
