Azure DevOps integration
SonarQube's integration with Azure DevOps allows you to maintain code quality and security in your Azure DevOps repositories. It is compatible with both Azure DevOps Server and Azure DevOps Services.
With this integration, you'll be able to:
- Import your Azure DevOps repositories: Import your Azure DevOps repositories into SonarQube to easily set up SonarQube projects.
- Analyze projects with Azure Pipelines: Integrate analysis into your build pipeline. Starting in Developer Edition, SonarScanners running in Azure Pipelines jobs can automatically detect branches or pull requests being built, so you don't need to specifically pass them as parameters to the scanner.
- Add pull request decoration: (starting in Developer Edition) See your Quality Gate and code metric results right in Azure DevOps so you know if it's safe to merge your changes.
Integration with Azure DevOps Server requires Azure DevOps Server 2020, Azure DevOps Server 2019, TFS 2018, or TFS 2017 Update 2.
Community Edition doesn't support the analysis of multiple branches, so you can only analyze your main branch. Starting in Developer Edition, you can analyze multiple branches and pull requests.
Importing your Azure DevOps repositories into SonarQube
Setting up the import of Azure DevOps repositories into SonarQube allows you to easily create SonarQube projects from your Azure DevOps repositories. If you're using Developer Edition or above, this is also the first step in adding pull request decoration.
To set up the import of Azure DevOps repositories:
- Set your global DevOps platform settings
- Add a personal access token for importing repositories
Setting your global settings
To import your Azure DevOps repositories into SonarQube, you need to first set your global SonarQube settings. Navigate to Administration > Configuration > General Settings > ALM Integrations, select the Azure DevOps tab, and click the Create configuration button. Specify the following settings:
- Configuration Name (Enterprise and Data Center Edition only): The name used to identify your Azure DevOps configuration at the project level. Use something succinct and easily recognizable.
- Azure DevOps collection/organization URL: If you are using Azure DevOps Server, provide your full Azure DevOps collection URL. For example,
https://ado.your-company.com/DefaultCollection. If you are using Azure DevOps Services, provide your full Azure DevOps organization URL. For example,
- Personal Access Token: An Azure DevOps user account is used to decorate pull requests. We recommend using a dedicated Azure DevOps account with Administrator permissions rather than an individual user's account, so that decoration does not depend on one person's credentials. You need a personal access token from this account with the Code > Read & Write scope authorized for the repositories that will be analyzed; do not grant broader scopes than that, since SonarQube stores this token and anyone who can read the SonarQube configuration can act with it. Give the token an expiration date in Azure DevOps and replace it here before it expires. This personal access token is used for pull request decoration, and you'll be asked for another personal access token for importing projects in the following section.
Adding a personal access token for importing repositories
After setting your global settings, you can add a project from Azure DevOps by clicking the Add project button in the upper-right corner of the Projects homepage and selecting Azure DevOps.
Then, you'll be asked to provide a personal access token with Code (Read & Write) scope so SonarQube can access and list your Azure DevOps projects. This token will be stored in SonarQube and can be revoked at any time in Azure DevOps.
After saving your personal access token, you'll see a list of your Azure DevOps projects that can be set up and added to SonarQube. Setting up your projects this way also defines your project settings for pull request decoration.
For information on analyzing your projects with Azure Pipelines, see the Analyzing projects with Azure Pipelines section below.
Analyzing projects with Azure Pipelines
SonarScanners running in Azure Pipelines jobs can automatically detect branches or pull requests being built, so you don't need to specifically pass them as parameters to the scanner.
Automatic branch detection is only available when using Git.
Installing your extension
From Visual Studio Marketplace, install the SonarQube extension by clicking the Get it free button.
Azure DevOps server - build agents
If you are using Microsoft-hosted build agents then there is nothing else to install. The extension will work with all of the hosted agents (Windows, Linux, and macOS).
If you are self-hosting the build agents, make sure you have at least the minimum SonarQube-supported version of Java installed.
Adding a new SonarQube service endpoint
After installing your extension, you need to declare your SonarQube server as a service endpoint in your Azure DevOps project settings:
- In Azure DevOps, go to Project Settings > Service connections.
- Select New service connection and then select SonarQube from the service connection list.
- Enter your SonarQube Server URL, an Authentication Token, and a memorable Service connection name. Then, select Save to save your connection. The Authentication Token is a SonarQube user token; generate it for a dedicated SonarQube account that has the Execute Analysis permission on the projects this pipeline analyzes rather than for an administrator account, because the service connection only needs to submit analysis reports.
Configuring branch analysis
After adding your SonarQube service endpoint, you'll need to configure branch analysis. You'll use the following tasks in your build definitions to analyze your projects:
- Prepare analysis configuration: This task configures the required settings before executing the build.
- Run code analysis (Not used in Maven or Gradle projects): This task executes the analysis of source code.
- Publish quality gate result: This task displays the quality gate status in the build summary letting you know if your code meets quality standards for production. This task may increase your build time as your pipeline has to wait for SonarQube to process the analysis report. It is highly recommended but optional.
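The following YAML pipeline is an added example that is not part of the original page or of SonarSource's own documentation. It shows the three tasks above wired together for a project analyzed with the generic SonarScanner CLI (the Run code analysis step would be dropped for Maven or Gradle builds). The service connection name SonarQube-connection, the project key my-project-key, the sources directory src and the build command are assumptions; replace them with your own values. The task major version @5 was current when this page was written.

```yaml
# Azure Pipelines definition for branch and pull request analysis with SonarQube.
# Assumptions (not from the page): a service connection named "SonarQube-connection",
# a SonarQube project key "my-project-key", sources under "src", and an npm build.
trigger:
  branches:
    include:
      - main          # analyze every push to the main branch

pr:
  branches:
    include:
      - main          # and every pull request targeting main (pull request analysis)

pool:
  vmImage: ubuntu-latest   # Microsoft-hosted agent: Java is already available

steps:
  - checkout: self
    fetchDepth: 0     # full Git history so the scanner can run blame and detect new code

  # Prepare analysis configuration: runs before the build and sets scanner properties.
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'SonarQube-connection'
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: 'my-project-key'
      cliProjectName: 'My Project'
      cliSources: 'src'
      extraProperties: |
        sonar.exclusions=**/node_modules/**,**/dist/**

  # Build and test. Branch and pull request parameters are NOT passed by hand:
  # the scanner detects them from the pipeline's own variables.
  - script: |
      npm ci
      npm test
    displayName: 'Build and test'

  # Run code analysis (omit this task for Maven or Gradle projects).
  - task: SonarQubeAnalyze@5

  # Publish quality gate result: waits for SonarQube to process the report,
  # so the build summary shows the gate status. Optional but recommended.
  - task: SonarQubePublish@5
    inputs:
      pollingTimeoutSec: '300'
```

Keep the Publish task last and keep its timeout realistic for your server: the step blocks until SonarQube has processed the report, which is what makes the gate status usable by the branch policies described below. Because fetchDepth: 0 disables the shallow clone, the pipeline takes longer on very large repositories, but without the history the scanner cannot attribute issues to the right author or compute new code reliably.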
Running your pipeline
Commit and push your code to trigger the pipeline execution and SonarQube analysis. New pushes on your branches (and pull requests if you set up pull request analysis) trigger a new analysis in SonarQube.
Maintaining pull request code quality and security
Using pull requests allows you to prevent unsafe or substandard code from being merged with your main branch. The following branch policies can help you maintain your code quality and safety by analyzing code and identifying issues in all of the pull requests on your project. These policies are optional, but they're highly recommended so you can quickly track, identify, and remediate issues in your code.
Ensuring your pull requests are automatically analyzed
Ensure all of your pull requests get automatically analyzed by adding a build validation branch policy on the target branch.
Preventing pull request merges when the quality gate fails
Prevent the merge of pull requests with a failed quality gate by adding a SonarQube/quality gate status check branch policy on the target branch.
If your SonarQube project is configured as part of a mono repository in Enterprise Edition or above, use a status check branch policy that includes the SonarQube project key (SonarQube/quality_gate_[SQ_project_key]) instead of the generic SonarQube/quality gate check, so that the policy is tied to that project's result rather than to whichever project in the repository reported last.
Adding pull request decoration to Azure DevOps
Pull request decoration shows your Quality Gate and analysis metrics directly in Azure DevOps.
After you've set up SonarQube to import your Azure DevOps repositories as shown in Importing your Azure DevOps repositories into SonarQube above, the simplest way to add pull request decoration is to add a project from Azure DevOps: click the Add project button in the upper-right corner of the Projects homepage and select Azure DevOps.
Then, follow the steps in SonarQube to analyze your project. The project settings for pull request decoration are set automatically.
To decorate Pull Requests, a SonarQube analysis needs to be run on your code. You can find the additional parameters required for Pull Request analysis on the Pull request analysis page.
Adding pull request decoration to a manually created or existing project
To add pull request decoration to a manually created or existing project, make sure your global ALM Integration settings are set as shown above in the Importing your Azure DevOps repositories into SonarQube section, and set the following project settings at Project Settings > General Settings > Pull Request Decoration:
- Project name
- Repository name
Advanced pull request decoration configuration
Missing build agent capability
If you add a Windows build agent and install a non-Oracle Java version on it, the agent will fail to detect a capability needed by the SonarQube Azure DevOps extension. If you are sure that the java executable is available in the PATH environment variable, you can add the missing capability manually by going to your build agent > Capabilities > User capabilities > Add capability. Here, add the key/value pair java and null, which allows the SonarQube tasks to be scheduled on that build agent. This bug has been reported to the Microsoft team as azure-pipelines-agent#2046 but is currently not being followed up.
Interaction details between SonarQube and Azure
When you run a SonarQube analysis for a pull request, each SonarQube issue is posted as a comment on the Azure DevOps pull request. If the Azure DevOps instance is configured correctly and you mark an issue as resolved in SonarQube, the corresponding Azure DevOps pull request comment is automatically resolved. Likewise, when you fix an issue in the code and run the analysis build again, the issue is resolved in SonarQube and its comment is deleted in Azure DevOps.
© 2008-2022, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.