In our recent guides, we tackled the installation of Jenkins and the installation of SonarQube and managed to get both working. After that, we realized that Jenkins needs to communicate successfully with SonarQube so that our code gets scanned when that stage of the pipeline runs. In this succinct guide, we are going to set up that integration and ensure that our pipeline completes successfully with SonarQube scanning involved.
Step 1: Install SonarQube Scanner Plugin
In order for Jenkins to communicate with SonarQube, we need a special plugin to make it happen. Simply log in to Jenkins and install the plugin that allows it to connect to and communicate with SonarQube. Head over to your Jenkins web portal, click on “Manage Jenkins” > “Manage Plugins”, click on the “Available” tab and then search for SonarQube. The screenshots for the above steps are shared below.
Select “SonarQube Scanner” once it shows up in the list of plugins. Click on the “Install without restart” button, then wait for it to finish installing. Mine will not appear in the screenshots shared because I already have it installed, as shown below.
Step 2: Generate Token in SonarQube Server
In this step we are going to generate a token that Jenkins will use to authenticate to the SonarQube server. We already covered the installation of SonarQube Server, so head over to your installed instance, log in as Administrator and do the following:
Click on your Admin account Icon which will bring up a drop down menu. Click on “My Account“.
That will open a new page. On the new page, click on the “Security” tab.
A new “Tokens” area will appear. Under “Generate Tokens“, put a name you like then hit “Generate“.
A new token will be generated. Copy it since we are going to use it in Jenkins next.
Step 3: Configure SonarQube in Jenkins
While still logged into Jenkins as an administrator go to “Manage Jenkins” > “Configure System“.
Scroll down to the SonarQube configuration section, click Add SonarQube, and add the values you will be prompted to provide.
These include a name you prefer, the SonarQube server URL (that is, where your SonarQube server is running) and the “Server authentication token“. For the Server authentication token, click on “Add” then “Jenkins” as shown below.
That will open up the Jenkins Credentials Provider. Leave the domain as it is and choose “Secret text” for Kind, as shown below. Once that is done, enter the token we created in Step 2 as the “Secret“, give it an ID that describes what the secret is for (this ID is what the pipeline will reference later), add a description if you like, then hit “Add“.
After that is done, open the “Server authentication token” drop-down and choose the token we have just added. Once that is done, simply hit “Apply” then “Save“.
Step 4: Configure SonarQube Scanner
In order for our code to be scanned by SonarQube, we need to configure the SonarQube Scanner. To do this, head over to “Manage Jenkins” then click on “Global Tool Configuration“.
Scroll down and look for “SonarQube Scanner“. Click on the “Add SonarQube Scanner” button so that we can add it here. Since we already have a working instance of SonarQube, uncheck “Install automatically” and then, beside the “SONAR_RUNNER_HOME” environment variable, enter the path where SonarQube is installed on your server. For me it is “/opt/sonarqube/bin“. After that, hit “Apply” then “Save“.
Step 5: Create a Project in SonarQube
Head over to your SonarQube Server, log in as Administrator and create a project with the following steps. Click on “Administration” > “Projects“. Click on the “Projects” drop-down list and click on “Management“. On your far right, close to the top, you will see a button called “Create Project“.
Click on it and it will bring up a form where you enter the details of your project, that is its name and key. You can key in any values you prefer here, then click on “Create“.
Your project will be created successfully, as shown below.
Step 6: Do a test with a Java Project
Guess what, our integration is finally done. Just one more thing remains, and that is testing it out with sample code. I will use code written in Spring Boot and package it using Maven after scanning it with SonarQube. We shall add a stage to a Jenkinsfile that scans the application in SonarQube before the pipeline proceeds to other steps. The stage we will use for this in our pipeline is shared below.

```groovy
stage('Scan and Build Jar File') {
    steps {
        // installationName is the SonarQube server name from Step 3,
        // credentialsId is the ID of the Secret text credential holding the token
        withSonarQubeEnv(installationName: 'Production SonarQubeScanner', credentialsId: 'SonarQubeToken') {
            sh 'mvn clean package sonar:sonar'
        }
    }
}
```
In the snippet, installationName is the name you gave when you configured your SonarQube Server in Jenkins, and credentialsId is the ID of the token credential we added when we integrated SonarQube and Jenkins in Step 3.
After adding that stage, save your Jenkinsfile or push it to Git or another source control system integrated with your Jenkins Server, and build the project manually if you have not configured a webhook. Once the build is done, the SonarQube stage should appear among your stages as follows:
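The stage above only runs the scan; it does not stop the pipeline when SonarQube reports failing conditions. The complete declarative Jenkinsfile below is an added example (not from the original post) that wraps the same stage in a pipeline and adds a Quality Gate stage, so later stages never run against code that failed the gate. It assumes a Maven installation named `Maven3` under Global Tool Configuration, a project key `my-project` from Step 5, and a SonarQube webhook pointing at `<jenkins-url>/sonarqube-webhook/`, which `waitForQualityGate` needs in order to receive the result.

```groovy
pipeline {
    agent any

    tools {
        // Assumed name of a Maven installation under Manage Jenkins > Global Tool Configuration
        maven 'Maven3'
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Scan and Build Jar File') {
            steps {
                // installationName matches the SonarQube server name from Step 3,
                // credentialsId matches the Secret text ID holding the Step 2 token.
                // The token is injected into the environment by withSonarQubeEnv,
                // so it never appears in the Jenkinsfile or the console log.
                withSonarQubeEnv(installationName: 'Production SonarQubeScanner', credentialsId: 'SonarQubeToken') {
                    // 'my-project' is a placeholder for the project key created in Step 5
                    sh 'mvn clean package sonar:sonar -Dsonar.projectKey=my-project'
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Waits for SonarQube to post the analysis result through its webhook
                // (Administration > Configuration > Webhooks) and aborts the build if
                // the quality gate fails, so findings block the pipeline instead of
                // only being visible in the dashboard.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Archive') {
            steps {
                // Only reached when the gate passed
                archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
            }
        }
    }
}
```

Without the webhook, the Quality Gate stage waits until the timeout expires and then fails, which is the usual cause when this stage hangs.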
Below the pipeline, you should see SonarQube scan results similar to the ones shared below.
Similarly, you can view more details of the scan we have just completed by logging in to SonarQube and opening our project by name. In case there are code smells, vulnerabilities or outdated packages, you will be able to view them all therein.
We have managed not only to install Jenkins and SonarQube but also to integrate them, so that our code passes through a smooth, DevSecOps-style pipeline from start to finish. Jenkins is a brilliant tool and it has many more plugins you can explore to make your DevOps experience even better.
Thank You for reading through as we hope that the guide was as helpful as we intended it to be.