<div class="table-wrap"><table style="line-height: 1.4285715;" class="confluenceTable"><tbody><tr><td class="highlight-grey confluenceTd" data-highlight-colour="grey">By <a target="_top" href="https://www.sonarsource.com">SonarSource</a> &#8211; MIT &#8211;
<a target="_top" href="https://jira.sonarsource.com/browse/VSTS">Issue Tracker</a> &#8211;
<a target="_top" href="https://github.com/SonarSource/sonar-scanner-vsts">Sources</a>
<br>
<div>
    <div style="padding-top:10px;padding-bottom:5px">
    <span style="font-size:larger;"><strong>SonarQube/SonarCloud Extension for TFS-VSTS</strong></span>
    <br>
    </div> 
</div> 
</div> </td></tr></tbody></table></div>


Features

The new structure of Team Foundation Build allows better integration with your build and release processes in Visual Studio Team Services (VSTS) (formerly VSO) and Team Foundation Server (TFS) on-premise via public extension which can be installed in your VSTS account or TFS server. The extension allows the analysis of all languages supported by SonarQube. 

Compatibility

The SonarQube Extension embeds its own version of the SonarQube Scanner for MSBuild.


Installation

  1. Make sure the .NET Framework v4.6+ is installed
  2. Make sure the Java Runtime Environment 8 is installed
  3. Install the extension from the marketplace


Note: if you are running on TFS earlier than 2017 Update 2, you will need to download and manually install the latest 3.x version of the VSIX.


Use

Configure a SonarQube service

The first thing to do is to declare your SonarQube server as a service endpoint in your VSTS project settings. Read the detailed instructions on how to create a SonarQube endpoint.

Configure and run analyses

To analyse your projects, the extension provides 3 tasks that you will use in your build definitions:

 To find those tasks, you can type "SonarQube" to filter them:

Analysing a .NET solution

  1. In your build definition, add:
  2. Reorder the tasks to respect the following order:
  3. Click on the Prepare Analysis Configuration build step to configure it:
    1. The SonarQube Server section allows you to define the endpoint (i.e. SonarQube Server instance) to use.
      You can:
      • select an existing endpoint from the drop down list
      • add a new endpoint
      • manage existing endpoints

    2. Keep Integrate with MSBuild checked and specify at least the project key

      • Project Key - the unique project key in SonarQube

      • Project Name - the name of the project in SonarQube

      • Project Version - the version of the project in SonarQube

    3. In the Additional Properties text area, if you have test and want coverage report, add the following property: 

      sonar.cs.vscoveragexml.reportsPaths=**/*.coveragexml



  4. Click the Visual Studio Test task and check the Code Coverage Enabled checkbox to process the code coverage and have it imported into SonarQube. (Optional but recommended)

Once all this is done, you can trigger a build.

Analysing a Java project with Maven or Gradle

  1. In your build definition, add:
  2. Reorder the tasks to respect the following order:
  3. Click on the Prepare Analysis Configuration build step to configure it:
    1. Select the SonarQube Server
    2. Select Integrate with Maven or Gradle

  4. On the Maven or Gradle task, in Code Analysis, check Run SonarQube or SonarCloud Analysis

Once all this is done, you can trigger a build.

Analysing other types of project

If you are not developing a .NET application or a Java project, here is the standard way to trigger an analysis:

  1. In your build definition, add:
  2. Reorder the tasks to respect the following order:
  3. Click on the Prepare Analysis Configuration build step to configure it:
    1. Select the SonarQube Server
    2. Select Use standalone scanner

    3. Then:

      1. Either the SonarQube properties are stored in the (standard) sonar-project.properties file in your SCM, and you just have to make sure that "Settings File" correctly points at it. This is the recommended way.
      2. Or you don't have such a file in your SCM, and you can click on Manually provide configuration to specify it within your build definition. This is not recommended because it's less portable.

Once all this is done, you can trigger a build.

 

Branch and Pull Request

Branch analysis

Starting with SonarQube 7.2, when a build is run on a branch of your project, the extension automatically configures the analysis to be pushed to the relevant project branch on SonarQube. The same build definition can apply to all your branches, whatever type of Git repository you are analyzing,

If you are working with branches on TFVC projects or with SonarQube 6.7 LTS, you still need to manually specify the branch to be used on SonarQube: in Prepare Analysis Configuration task, in the Additional Properties, you need to set sonar.branch.name.

Pull request analysis

SonarQube 7.2+ can analyze the code of the new features and annotate your pull requests in TFS with comments to highlight issues that were found.

Pull request analysis is supported for any type of Git repositories. To activate it:

  1. In the Branch policies page of your main development branches (e.g. "master"), add a build policy that runs your build definition
  2. Create a TFS token with "Code (read and write)" scope

  3. In SonarQube, in the "Administration > General Settings > Pull Requests" page, set this token in the "VSTS/TFS" section

Next time some code is pushed in the branch of a pull request, the build definition will execute a scan on the code and publish the results in SonarQube which will decorate the pull request in TFS.

On previous versions of the extension (3.0), this feature is available only for .NET solutions built and analysed with MSBuild. See the old documentation.

SonarCloud User?

If you are analyzing your project on SonarCloud, you should install the following VSTS extension: https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarcloud

On top of all the features described in this page, it provides additional features to make the user experience even better when using SonarCloud:

 To get more info about how to use this extension, you should have a look at SonarCloud help: https://sonarcloud.io/documentation/integrations/vsts

FAQ

Is it possible to trigger analyses on Linux or macOS agents?

Starting with version 4.0 of the SonarQube task (1.0 for the SonarCloud extension), this is possible since the extension has been fully rewritten in Node.js, and the mono dependency was dropped in version 4.3 (1.3 for the SonarCloud extension).

This is not possible with previous versions of the extension.

How do I get my pull requests decorated?

This feature is not available yet on the new version of the extension (4.0) if you are using the most up-to-date versions of the tasks. This will come in a near future.

How do I break the build base on the quality gate status?

This is not possible with the new version of the extension (4.0) if you are using the most up-to-date versions of the tasks. We believe that breaking a CI build is not the right approach. Instead, we are providing pull request decoration (to make sure that one does not introduce issues when merging his/her code) and we'll soon add a way to check the quality gate as part of a Release process.