Code Quality Analysis with SonarQube
SonarQube scans your codebase for code smells, duplication, probable bugs, and vulnerabilities. A Quality Gate is an automatic threshold applied to those results: if the analysis fails the gate, the pull request does not merge.
SonarQube: self-hosted
```yaml
# Docker Compose
services:
  sonarqube:
    image: sonarqube:10-community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar   # placeholder: change it for anything beyond a local trial
    ports:
      - "9000:9000"
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_logs:/opt/sonarqube/logs
  db:
    image: postgres:15
    environment:
      POSTGRES_DB: sonar
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar     # must match SONAR_JDBC_PASSWORD above
    volumes:
      - sonar_db:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_logs:
  sonar_db:
```
Project Configuration
```properties
# sonar-project.properties
sonar.projectKey=my-project
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.sources=src
# tests live next to the sources; the inclusions pattern tells SonarQube which files are tests
sonar.tests=src
sonar.test.inclusions=**/*.test.ts,**/*.spec.ts
sonar.exclusions=**/*.d.ts,**/node_modules/**,**/.next/**

# TypeScript coverage (lcov produced by the test runner)
sonar.typescript.lcov.reportPaths=coverage/lcov.info

# Duplication: minimum number of tokens before a block counts as duplicated
sonar.cpd.ts.minimumTokens=100
```
GitHub Actions Integration
```yaml
# .github/workflows/sonarqube.yml
name: SonarQube Analysis
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # a shallow clone disables new-code (change) analysis
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - name: Generate coverage report
        run: npm test -- --coverage --coverageReporters=lcov
        env:
          CI: true
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      - name: SonarQube Quality Gate check
        uses: SonarSource/sonarqube-quality-gate-action@v1
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
Quality Gate: Setting Thresholds
SonarQube Dashboard → Quality Gates → Create

Conditions on new lines of code (the gate fails when a condition is met):

- Coverage < 70% → FAILED
- Duplicated Lines > 3% → FAILED
- Maintainability Rating < A → FAILED
- Reliability Rating < A → FAILED
- Security Rating < A → FAILED
- Security Hotspots Reviewed < 100% → FAILED
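As an added example (not code from this page or from SonarSource), the following Python script does what the "SonarQube Quality Gate check" step above does, so you can see what the verdict is built from: it reads the scanner's `.scannerwork/report-task.txt`, polls `api/ce/task` until the background task finishes, fetches `api/qualitygates/project_status` for that analysis, and exits non-zero when the gate is ERROR, listing each tripped condition (for example `new_coverage` against the 70% threshold set above). The endpoint paths, the `report-task.txt` location and the JSON field names are assumptions about the SonarQube Web API and scanner; the token is read from `SONAR_TOKEN`, and when that variable is unset the script runs against constructed sample responses so it can be tried offline.

```python
# Fail CI when the Quality Gate of the last SonarQube scan is ERROR.
# Added example, not SonarSource's action code; see the assumptions in the lead-in.
import base64
import json
import os
import sys
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of report-task.txt, which the scanner writes after every analysis.
SAMPLE_REPORT_TASK = """projectKey=my-project
serverUrl=http://localhost:9000
ceTaskId=TASK-constructed-id
"""

# Constructed API responses for the offline demo: the task is still running on the
# first poll, then finishes; the gate fails only on new-code coverage.
SAMPLE_RESPONSES = {
    "http://localhost:9000/api/ce/task?id=TASK-constructed-id": [
        {"task": {"status": "IN_PROGRESS"}},
        {"task": {"status": "SUCCESS", "analysisId": "ANALYSIS-constructed"}},
    ],
    "http://localhost:9000/api/qualitygates/project_status?analysisId=ANALYSIS-constructed": [
        {"projectStatus": {"status": "ERROR", "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "70", "actualValue": "65.2"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "1.0"},
        ]}},
    ],
}

def sample_fetch(url: str) -> dict:
    """Serve the constructed responses in order, repeating the last one."""
    queue = SAMPLE_RESPONSES[url]
    return queue.pop(0) if len(queue) > 1 else queue[0]

def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines of report-task.txt."""
    meta = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            meta[key.strip()] = value.strip()
    return meta

def http_fetch_json(url: str, token: str) -> dict:
    """GET a JSON endpoint; SonarQube accepts the token as Basic-auth username, empty password."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_task(server: str, task_id: str, fetch: Callable[[str], dict],
                  attempts: int = 60, delay: float = 5.0) -> str:
    """Poll api/ce/task until the background task ends; return its analysisId."""
    status = "PENDING"
    for _ in range(attempts):
        task = fetch(f"{server}/api/ce/task?id={task_id}")["task"]
        status = task["status"]
        if status == "SUCCESS":
            return task["analysisId"]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"background task {task_id} ended with {status}")
        time.sleep(delay)
    raise TimeoutError(f"task {task_id} still {status} after {attempts} polls")

COMPARATOR = {"LT": "<", "GT": ">"}

def failed_conditions(project_status: dict) -> List[str]:
    """One readable line per gate condition that is in ERROR state."""
    lines = []
    for cond in project_status.get("conditions", []):
        if cond.get("status") == "ERROR":
            op = COMPARATOR.get(cond.get("comparator", ""), cond.get("comparator", "?"))
            lines.append(f"{cond['metricKey']}: {cond.get('actualValue', 'n/a')} "
                         f"is {op} {cond.get('errorThreshold')}")
    return lines

def check_quality_gate(server: str, task_id: str, fetch: Callable[[str], dict],
                       attempts: int = 60, delay: float = 5.0) -> Tuple[str, List[str]]:
    """Return the gate status (OK, ERROR or NONE) and the failed-condition lines."""
    analysis_id = wait_for_task(server, task_id, fetch, attempts, delay)
    body = fetch(f"{server}/api/qualitygates/project_status?analysisId={analysis_id}")
    project_status = body["projectStatus"]
    return project_status["status"], failed_conditions(project_status)

if __name__ == "__main__":
    token = os.environ.get("SONAR_TOKEN")
    if token:  # real run: use the file the scanner left behind
        with open(".scannerwork/report-task.txt", encoding="utf-8") as fh:
            meta = parse_report_task(fh.read())
        fetch, delay = (lambda url: http_fetch_json(url, token)), 5.0
    else:      # offline demo against the constructed responses
        meta, fetch, delay = parse_report_task(SAMPLE_REPORT_TASK), sample_fetch, 0.0
    status, failures = check_quality_gate(meta["serverUrl"], meta["ceTaskId"], fetch, delay=delay)
    print(f"Quality Gate: {status}")
    for line in failures:
        print("  FAILED", line)
    sys.exit(0 if status == "OK" else 1)
```

Run it as a workflow step after the scan step, with `SONAR_TOKEN` in the environment, and it behaves like the action: the job fails on ERROR and the log names the metric and threshold that tripped, which is what a reviewer needs to fix the PR rather than argue with the gate. Polling the task first matters because the gate status is computed by the background task, so asking for it right after the scanner exits can return the previous analysis.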
SonarCloud: Cloud Version
```yaml
# Free for open source projects
- name: SonarCloud Scan
  uses: SonarSource/sonarcloud-github-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  with:
    args: >
      -Dsonar.organization=my-org
      -Dsonar.projectKey=my-org_my-project
      -Dsonar.sources=src
      -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info
```
Key SonarQube Metrics:
- Coverage: percentage of code covered by tests
- Duplications: duplicated code blocks
- Code Smells: maintainability issues (e.g. high cyclomatic or cognitive complexity)
- Bugs: probable defects (null dereferences, incorrect conditions)
- Vulnerabilities: potential security vulnerabilities
- Security Hotspots: security-sensitive code that requires manual review

Setting up SonarQube with GitHub Actions and a Quality Gate typically takes 1–2 business days.