What is SonarCloud?
SonarCloud is a cloud-based code analysis service designed to detect code quality issues in 25 different programming languages, continuously ensuring the maintainability, reliability and security of your code.
What Does SonarCloud Do?
SonarCloud uses state-of-the-art techniques in static code analysis to find problems, and potential problems, in the code that you and your team write.
Static analysis is called static because it does not rely on actually running the code (analysis of running code is called dynamic analysis). As a result, SonarCloud offers an additional layer of verification, different from automated testing and human code-review.
Early detection of problems ensures that fewer issues get through to the later stages of the process and ultimately helps to increase the overall quality of your production code.
How Does SonarCloud Work?
When you first sign up for SonarCloud you have to choose which DevOps platform you want to connect to. You then sign into SonarCloud with your existing credentials on that service (there is no such thing as a SonarCloud-only account). Your SonarCloud account is created and bound to your account on the DevOps platform.
At this point, you can import organizations from your repository service account to your SonarCloud account and then import repositories from those organizations. Each imported organization becomes a SonarCloud organization and each imported repository becomes a SonarCloud project. Once you import a project it appears in your Projects list.
How Much Does It Cost?
SonarCloud is free to use for all open source projects. Any public repository on any of the supported services can be analyzed free of charge.
For private repositories, a paid tier is available.
What Languages Does It Support?
No On-Premises Repositories
SonarCloud does not work with on-premises code repositories. For on-premise support, see SonarQube.
What Does SonarCloud Detect?
SonarCloud identifies both issues and security hotspots in your code.
In SonarCloud terminology, an issue is a problem in your code that requires fixing. When scanning for issues, SonarCloud's algorithms are purposely conservative. They are designed to minimize the number of false positives (that is, things wrongly identified as problems). If SonarCloud identifies an issue, you can be quite confident that it really is something that should be fixed. SonarCloud will not overwhelm the developer with false alarms concerning issues.
Issues are grouped into three types:
- Code Smells: These are characteristics of the code that, while not actually preventing the proper functioning of the program, may indicate deeper problems that negatively affect the maintainability of the code. Early identification of these types of issues can help to alleviate technical debt in the application.
- Bugs: These are errors in the code that can prevent the program from operating as intended. They affect code reliability.
- Vulnerabilities: These are problems in the code that could be exploited by a bad actor to compromise the security of the application.
Security hotspots are areas of the code that may cause security issues and therefore need to be reviewed. By design, SonarCloud is more permissive when identifying security hotspots than when identifying vulnerabilities and other issues. An issue is almost always a real problem, while a security hotspot can often be a false alarm (but it is still worth checking). By separating hotspots from issues, SonarCloud maintains the accuracy of its issue detection while still providing developers with useful warnings under the less stringent criteria of the hotspot.
Where SonarCloud Fits In
SonarCloud is designed to be integrated into the software development process in order to intervene and prevent issues from reaching production. It does so in three different places: In the editor, in the pull request and in the codebase.
In the Editor
SonarCloud's companion product, SonarLint, provides developers with immediate feedback right in the editor, catching issues before they even get to the repository.
SonarLint also enables direct in-editor notifications from a connected SonarCloud account, providing developers with timely information about the results of code analysis done further along the development pipeline.
SonarLint is available as an extension for the following code editors and IDEs:
- Microsoft Visual Studio Code
- Microsoft Visual Studio
- IntelliJ IDEA
You can use other editors or IDEs with SonarCloud and still benefit from pull request and codebase analysis (see below) but for the additional features of in-editor analysis and notification, we recommend using SonarLint with one of the four supported products above.
In the Pull Request
Pull requests (in some systems, called "merge requests") are a mechanism to allow developers to collaborate more effectively. They enable a developer to ask others to review their work (usually their personal feature branch) prior to it being merged into the main body of the code (often the master branch). In the repository service, the pull request is displayed in a dedicated interface that allows the reviewer to see the changes proposed and to either approve or deny the merge.
SonarCloud annotates the pull request interface of the repository service, providing the results of its code analysis on the pull request branch right in the interface and granting or denying approval of the pull request depending on quality gate criteria. In effect, this augments human code review with automatic code review. This feature is often referred to as pull request decoration because it "decorates" the pull request interface with additional information.
In the Codebase
Code analysis at the editor and pull request level helps to identify problems before they are merged into the main codebase. However, there are some types of issues and hotspots that can only be found after the code is merged. To find these types of problems, SonarCloud needs to analyze the entire codebase as a single unit and (in the case of some languages) also analyze the results of compiling the code. To do this SonarCloud offers two approaches: automatic analysis and CI-based Analysis.
With automatic analysis, SonarCloud detects every time that a pull request is merged and analyzes the new state of the code in your repository. It uses the same set of analysis methods as CI-based analysis (see below) but it is subject to two restrictions:
- It only works with GitHub.
- It does not work on repositories with multiple bindings (monorepo strategy).
- It only works on a subset of the standard SonarCloud supported languages. In particular, it does not work with compiled languages such as Java and C/C++.
However, if you are using GitHub and your project is in a language that is supported by automatic analysis, then there is no further configuration needed for analysis to occur. For details, see Automatic Analysis.
The automatic analysis employs the full power of SonarCloud's static analysis tools, but because it does not work with providers other than GitHub nor with compiled languages, there are many cases where you will need to configure CI-based analysis instead.
CI-based analysis refers to the configuration of SonarCloud so that it performs analysis as part of your regular continuous integration (CI) process, in other words, your build process.
To enable CI-based analysis you have to install and configure a piece of software called a scanner. SonarCloud offers scanner extensions and integrations for all of the leading continuous integration (CI) systems used today.
Typically, the scanner is configured to run as part of your continuous integration pipeline so that whenever your build process is triggered, the scanner is invoked and performs a scan on the code.
The details of how SonarCloud is integrated with your CI process depend on which build tools and the continuous integration system you use. SonarCloud provides custom integrations for the following:
- GitHub Actions
- Bitbucket Pipelines
- Azure Pipelines
Additionally, SonarCloud also offers a stand-alone command-line tool (called SonarScanner) that you can install and integrate into your build process manually.
The results of the scan are sent automatically to SonarCloud where they are processed and made available in the dashboard (i.e., the SonarCloud interface itself). There you will find all the results of all code analyzed in your repositories. You can sort and filter the results according to a wide range of criteria in order to get a clear picture of the state of your code.
Additionally, the outcome of the SonarCloud analysis can be used to control subsequent build actions such as automatic deployment, etc.
Old Code vs New Code
While SonarCloud does provide an overall picture of the quality of your entire codebase, it focuses on highlighting issues found on incoming changes as they arrive. This strategy is tied to a principle of coding referred to as "clean as you code". The idea behind this principle is that the efforts of a software development team in remediating code issues should always be focussed on preventing issues in incoming new code and fixing issues in the areas where those new changes occur, as opposed to digging through old code for the sole purpose of finding issues. In most software projects the natural progress of change will eventually touch the entire codebase, so remediation will even encompass the entire body of the code in any case.