SonarQube & Jenkins
What is SonarQube?
SonarQube is an open-source platform developed by SonarSource that integrates into software development workflows to ensure continuous code quality and security.
It performs static code analysis to automatically detect:
🐞 Bugs
🔒 Vulnerabilities
⚠️ Security hotspots
🧩 Code smells
SonarQube supports over 35 programming languages, frameworks, and infrastructure technologies, and uses more than 6,500 rules — including advanced taint analysis to identify security risks early in the development process.
My Project Setup
In my project, I implemented a complete CI/CD pipeline using Jenkins and SonarQube:
🧰 Created a Jenkins server to manage builds and automation.
🐳 Deployed a SonarQube server using Docker on the same machine for code quality analysis.
⚙️ Configured a Jenkins agent where all my application builds and tests run.
This setup ensures that every code change is automatically analyzed for quality and security issues before being deployed.
SonarQube Implementation using Jenkins and Docker
In this setup, I used Jenkins for CI/CD and SonarQube for code quality analysis.
Below are the steps and commands I ran to set up everything.
🖥 Step 1: Create Jenkins Server
I launched an EC2 Ubuntu instance and installed Jenkins.
# Update system packages
sudo apt update
# Install Java (required for Jenkins)
sudo apt install openjdk-21-jdk -y
# Add Jenkins repository and key
curl -fsSL https://pkg.jenkins.io/debian/jenkins.io-2023.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
# Install Jenkins
sudo apt update
sudo apt install jenkins -y
# Start and enable Jenkins
sudo systemctl enable jenkins
sudo systemctl start jenkins
👉 What this does:
It installs and runs Jenkins, which will be used to automate builds, tests, and code analysis.
🐳 Step 2: Install Docker
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
# Let the Jenkins service account and the current user talk to the Docker daemon
sudo usermod -aG docker jenkins
sudo usermod -aG docker $USER
# Jenkins only sees its new group membership after the service restarts
sudo systemctl restart jenkins
👉 What this does:
Installs Docker and adds both the jenkins service account and the current user to the docker group, then restarts Jenkins so it picks up the new group (a running process keeps its old group list; log out and back in for $USER). Be aware that membership of the docker group is equivalent to root on the host: any job that can run on this controller can start a container that mounts the host filesystem. That is one reason to run builds on a separate agent, as described in the project setup, rather than on the controller itself.
🚀 Step 3: Run SonarQube with Docker
docker run -d --name sonarqube \
-p 9000:9000 \
sonarqube:lts-community
👉 What this does:
Pulls the SonarQube LTS Community Edition image and runs it in a container, exposing the web UI and API on port 9000.
Two caveats for anything beyond a throwaway demo: the command mounts no volumes, so projects, tokens and settings are lost when the container is removed (mount /opt/sonarqube/data, /opt/sonarqube/extensions and /opt/sonarqube/logs on named volumes), and the embedded Elasticsearch needs vm.max_map_count raised to at least 524288 on the host (sudo sysctl -w vm.max_map_count=524288), otherwise it fails its bootstrap check and SonarQube stops.
You can now access it at:
👉 http://<your-ec2-ip>:9000
(default login: admin / admin)
Port 9000 is bound on all interfaces, so if the EC2 security group allows it, the server is reachable from the internet with the default credentials. Change the admin password on first login (SonarQube prompts for this) and restrict port 9000 in the security group to the Jenkins agent and your own IP.


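The docker run above is enough for a demo, but a practitioner would want persistence, the kernel limits Elasticsearch needs, a readiness check and, above all, the default admin password replaced before anything else reaches port 9000. The script below is an added example, not code from the original post or from SonarSource. It drives the SonarQube web API with curl and assumes the container name, port and image tag used above, a 9.9 LTS server (the API paths and the GLOBAL_ANALYSIS_TOKEN type exist there), and that SONAR_ADMIN_PASSWORD, JENKINS_URL and SONAR_WEBHOOK_SECRET are set in the environment before it runs.

```shell
#!/bin/sh
# Added example (not from the original post): bring SonarQube up with
# persistent storage and the kernel settings Elasticsearch needs, wait until
# the API reports UP, replace the default admin/admin password, mint an
# analysis token for Jenkins and register the Jenkins webhook.
# Assumptions: container name "sonarqube", port 9000 and the
# sonarqube:lts-community tag follow the post; SONAR_ADMIN_PASSWORD,
# JENKINS_URL and SONAR_WEBHOOK_SECRET are supplied through the environment.

SONAR_URL="${SONAR_URL:-http://localhost:9000}"

# Extract the FIRST occurrence of a string-valued JSON field without jq.
# Usage: json_field status "$json"
json_field() {
    printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# /api/system/status returns {"id":"...","version":"...","status":"UP"}.
sonar_status_from_json() { json_field status "$1"; }

# Poll until the server reports UP (not STARTING or DB_MIGRATION_NEEDED).
wait_for_sonar() {
    i=0
    while [ "$i" -lt 60 ]; do
        body="$(curl -s "$SONAR_URL/api/system/status" 2>/dev/null || true)"
        [ "$(sonar_status_from_json "$body")" = "UP" ] && return 0
        i=$((i + 1)); sleep 5
    done
    echo "SonarQube did not come up in time" >&2
    return 1
}

start_sonar() {
    # Elasticsearch inside SonarQube refuses to start without these limits.
    sudo sysctl -w vm.max_map_count=524288 fs.file-max=131072
    # Named volumes keep projects, plugins and logs across container recreation.
    docker run -d --name sonarqube \
        -p 9000:9000 \
        -v sonarqube_data:/opt/sonarqube/data \
        -v sonarqube_extensions:/opt/sonarqube/extensions \
        -v sonarqube_logs:/opt/sonarqube/logs \
        sonarqube:lts-community
}

# Replace admin/admin before anyone else can reach the port.
rotate_admin_password() {
    curl -sf -u admin:admin -X POST "$SONAR_URL/api/users/change_password" \
        --data-urlencode login=admin \
        --data-urlencode previousPassword=admin \
        --data-urlencode "password=$SONAR_ADMIN_PASSWORD"
}

# Mint a global analysis token for Jenkins and print it; it belongs in a
# Jenkins "Secret text" credential, never in a Jenkinsfile.
create_jenkins_token() {
    body="$(curl -sf -u "admin:$SONAR_ADMIN_PASSWORD" -X POST \
        "$SONAR_URL/api/user_tokens/generate" \
        --data-urlencode name=jenkins \
        --data-urlencode type=GLOBAL_ANALYSIS_TOKEN)"
    json_field token "$body"
}

# Register the webhook SonarQube calls once an analysis report is processed;
# the SonarQube Scanner plugin listens at <jenkins>/sonarqube-webhook/.
register_jenkins_webhook() {
    curl -sf -u "admin:$SONAR_ADMIN_PASSWORD" -X POST "$SONAR_URL/api/webhooks/create" \
        --data-urlencode name=jenkins \
        --data-urlencode "url=$JENKINS_URL/sonarqube-webhook/" \
        --data-urlencode "secret=$SONAR_WEBHOOK_SECRET"
}

bootstrap_sonar() {
    : "${SONAR_ADMIN_PASSWORD:?set a new admin password}"
    : "${JENKINS_URL:?e.g. http://<your-ec2-ip>:8080}"
    : "${SONAR_WEBHOOK_SECRET:?shared secret for the webhook}"
    start_sonar && wait_for_sonar && rotate_admin_password \
        && register_jenkins_webhook && create_jenkins_token
}

# Run only when explicitly requested so the functions can be sourced or tested.
if [ "${RUN_SONAR_BOOTSTRAP:-0}" = "1" ]; then
    bootstrap_sonar
fi
```

Run it once on the EC2 host as RUN_SONAR_BOOTSTRAP=1 SONAR_ADMIN_PASSWORD=... JENKINS_URL=http://<your-ec2-ip>:8080 SONAR_WEBHOOK_SECRET=... sh sonar-bootstrap.sh. The token it prints is what goes into the Jenkins credential in Step 4, and the webhook it registers is what lets the SonarQube Scanner plugin's waitForQualityGate step complete; the same secret has to be entered on the Jenkins side under the SonarQube server configuration.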
🤝 Step 4: Connect Jenkins with SonarQube
Go to Jenkins → Manage Jenkins → Plugins → Available Plugins and install the “SonarQube Scanner” plugin.
Go to Manage Jenkins → System → SonarQube Servers, and add:
Name: sonarqube (this is the name the Jenkinsfile passes to withSonarQubeEnv)
Server URL: http://<your-ec2-ip>:9000
Authentication Token: generate it in SonarQube → My Account → Security, store it in Jenkins as a “Secret text” credential and select that credential here. Do not paste the token into the Jenkinsfile; it would end up in version control.
Go to Global Tool Configuration, and under SonarQube Scanner, click “Add SonarQube Scanner”. Name it SonarQubeScanner, which is the name the Jenkinsfile looks up with tool 'SonarQubeScanner'.

🧩 Step 5: Create a Jenkins Pipeline
Here’s an example Jenkinsfile that builds your app and runs SonarQube analysis:
pipeline {
    agent any
    tools {
        // Name of the NodeJS installation configured under Manage Jenkins → Tools
        nodejs "NodeJS"
    }
    stages {
        stage("Clone") {
            steps {
                git branch: 'main', url: 'https://github.com/DheerenGaud/Jenkins-learning.git'
            }
        }
        stage("Build") {
            steps {
                sh 'npm install'
            }
        }
        stage("SonarQube Analysis") {
            environment {
                // Must match the scanner name from Global Tool Configuration
                scannerHome = tool 'SonarQubeScanner'
            }
            steps {
                // 'sonarqube' must match the server name under Manage Jenkins → System.
                // withSonarQubeEnv injects the server URL and token from that
                // configuration (SONAR_HOST_URL, SONAR_AUTH_TOKEN), so neither is
                // hard-coded here and the token never lands in the repository.
                withSonarQubeEnv('sonarqube') {
                    sh '''${scannerHome}/bin/sonar-scanner \
                        -Dsonar.projectKey=NodeApp \
                        -Dsonar.sources=.'''
                }
            }
        }
    }
}

What this does:
Each time the job runs (on every push once you add a webhook or poll trigger to the job), Jenkins:
Clones your repo
Installs dependencies
Runs SonarQube analysis to check for bugs, vulnerabilities, security hotspots and code smells, and uploads the report to the NodeApp project on the SonarQube dashboard
Note that this stage only submits the report; as written, the build still succeeds when the project fails its Quality Gate.
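To make the pipeline actually block a merge, the build has to wait for SonarQube to process the report and then fail on a Quality Gate error. The usual way with the plugin is the waitForQualityGate step fed by the webhook from Step 4; the script below is an added example, not code from the original post or from SonarSource, that does the same thing by polling the SonarQube API, which also works when the webhook cannot reach Jenkins. It assumes SONAR_HOST_URL and SONAR_AUTH_TOKEN are exported by withSonarQubeEnv (or by withCredentials), that sonar-scanner is on PATH, that the project key NodeApp and the 9.9 LTS sonar.login property follow the post (newer servers use sonar.token), and it reads the ceTaskId the scanner writes to .scannerwork/report-task.txt.

```shell
#!/bin/sh
# Added example (not from the original post): run the scanner, then fail the
# build on the Quality Gate by polling the SonarQube API instead of relying on
# the plugin's webhook-driven waitForQualityGate step.
# Assumptions: SONAR_HOST_URL and SONAR_AUTH_TOKEN come from withSonarQubeEnv,
# sonar-scanner is on PATH, and the project key "NodeApp" follows the post.

PROJECT_KEY="${PROJECT_KEY:-NodeApp}"
REPORT_TASK="${REPORT_TASK:-.scannerwork/report-task.txt}"

# Extract the FIRST occurrence of a string-valued JSON field without jq.
json_field() {
    printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# report-task.txt is key=value per line. Usage: report_task_value ceTaskId "$contents"
report_task_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# /api/ce/task?id=... -> {"task":{"id":"..","analysisId":"..","status":"SUCCESS",...}}
ce_task_status_from_json() { json_field status "$1"; }
analysis_id_from_json()    { json_field analysisId "$1"; }

# /api/qualitygates/project_status -> {"projectStatus":{"status":"ERROR","conditions":[...]}}
# The gate status is the first "status" field; per-condition statuses follow it.
quality_gate_from_json() { json_field status "$1"; }

# Only OK passes: ERROR is a failed gate, NONE means no gate is assigned.
gate_passes() { [ "$1" = "OK" ]; }

run_scanner() {
    # URL and token come from the environment; nothing is hard-coded here.
    sonar-scanner \
        -Dsonar.projectKey="$PROJECT_KEY" \
        -Dsonar.sources=. \
        -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.login="$SONAR_AUTH_TOKEN"
}

# Wait for the Compute Engine task; print the analysisId on success.
wait_for_ce_task() {
    task_id="$1"
    i=0
    while [ "$i" -lt 60 ]; do
        body="$(curl -sf -u "$SONAR_AUTH_TOKEN:" "$SONAR_HOST_URL/api/ce/task?id=$task_id")"
        case "$(ce_task_status_from_json "$body")" in
            SUCCESS) analysis_id_from_json "$body"; return 0 ;;
            FAILED|CANCELED) echo "analysis $task_id failed on the server" >&2; return 1 ;;
        esac
        i=$((i + 1)); sleep 5
    done
    echo "timed out waiting for analysis $task_id" >&2
    return 1
}

enforce_quality_gate() {
    run_scanner || return 1
    task_id="$(report_task_value ceTaskId "$(cat "$REPORT_TASK")")"
    analysis_id="$(wait_for_ce_task "$task_id")" || return 1
    body="$(curl -sf -u "$SONAR_AUTH_TOKEN:" \
        "$SONAR_HOST_URL/api/qualitygates/project_status?analysisId=$analysis_id")"
    status="$(quality_gate_from_json "$body")"
    echo "Quality Gate for $PROJECT_KEY: $status"
    gate_passes "$status"
}

# Run only when explicitly requested so the functions can be sourced or tested.
if [ "${RUN_SONAR_GATE:-0}" = "1" ]; then
    enforce_quality_gate
fi
```

Inside the analysis stage, replace the sonar-scanner call with sh 'PATH="${scannerHome}/bin:$PATH" RUN_SONAR_GATE=1 sh sonar-gate.sh' inside withSonarQubeEnv; a non-zero exit from the script fails the stage, so a red Quality Gate now fails the build instead of just colouring the dashboard.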

References: https://www.youtube.com/watch?v=CoU38rJIjRY&t=25s