What SonarCloud can do
SonarCloud identifies both issues and security hotspots in your code.
In SonarCloud terminology, an issue is a problem in your code that requires fixing. When scanning for issues, SonarCloud's algorithms are purposely conservative. They are designed to minimize the number of false positives, that is, things wrongly identified as problems. If SonarCloud identifies an issue, you can be quite confident that it really is something that should be fixed. SonarCloud will not overwhelm the developer with false alarms concerning issues.
Issues are grouped into three types:
- Bugs: These are errors in the code that can prevent the program from operating as intended. They affect code reliability.
- Vulnerabilities: These are problems in the code that could be exploited by a bad actor to compromise the security of the application.
- Code Smells: These are characteristics of the code that, while not actually preventing the proper functioning of the program, may indicate deeper problems that negatively affect the maintainability of the code. Early identification of these types of issues can help to alleviate technical debt in the application.
Security hotspots are areas of the code that may cause security issues and therefore need to be reviewed. By design, SonarCloud is more permissive when identifying security hotspots than when identifying vulnerabilities and other issues. An issue is almost always a real problem, while a security hotspot can often be a false alarm (but it is still worth checking). By separating hotspots from issues, SonarCloud maintains the accuracy of its issue detection while still providing developers with useful warnings under the less stringent criteria of the hotspot.
Where SonarCloud fits in
SonarCloud is designed to be integrated into your CI/CD workflow in order to intervene early when coding, allowing you to remediate fresh issues rapidly and prevent them from reaching production. It does so in three different places: in the IDE, in the pull request, and in the codebase.
In the IDE
SonarCloud's companion product, SonarLint, provides developers with immediate feedback right in the IDE, catching issues before they even get to the repository.
SonarLint is the first line of defense to find and fix issues in real time, ensuring the quality of the code and enhancing productivity.
Supporting 25 languages and the most popular IDEs, SonarLint leverages over 5,000 language-specific Clean Code rules to instantly highlight common coding mistakes and vulnerabilities. In parallel, SonarLint provides rich contextual educational guidance to help developers improve their skills while resolving the issue.
Sonar's IDE extensions are available for the JetBrains IDEs (IntelliJ IDEA, CLion, WebStorm, PHPStorm, PyCharm, Rider, Android Studio and RubyMine), Visual Studio, VS Code, and Eclipse, and can be installed directly from your IDE's plugin marketplace.
Much like a spellchecker, SonarLint highlights problems in your code using error squiggles, provides quick fixes, and gives you detailed information about issues found in your code.
In Connected Mode, SonarLint becomes part of the full Sonar solution that integrates code analysis throughout your development process from IDE to CI pipeline to DevOps platform, helping to make sure that only Clean Code makes it into your project. For more information, see Catching issues in the IDE with SonarLint.
In the pull request
Pull requests (on some platforms, called "merge requests") are a mechanism to allow developers to collaborate more effectively. They enable a developer to ask others to review their work (usually their personal feature branch) prior to it being merged into the main body of the code (often the master branch). In the DevOps platform, the pull request is displayed in a dedicated interface that allows the reviewer to see the changes proposed and to either approve or deny the merge.
SonarCloud annotates the pull request interface of the repository service, providing the results of its code analysis on the pull request branch right in the interface and granting or denying approval of the pull request depending on quality gate criteria. In effect, this augments human code review with automatic code review. This feature is often referred to as pull request decoration because it "decorates" the pull request interface with additional information.
In the codebase
Code analysis at the IDE and pull request level helps to identify problems before they are merged into the main codebase. However, there are some types of issues and hotspots that can only be found after the code is merged. To find these types of problems, SonarCloud needs to analyze the entire codebase as a single unit and (in the case of some languages) also analyze the results of compiling the code. To do this, SonarCloud offers two approaches: automatic analysis and CI-based analysis.
With automatic analysis, SonarCloud detects every change to your pull requests or main branch and analyzes the new state of the code in your repository. It uses the same set of analysis methods as CI-based analysis (see below) but it is subject to the following restrictions:
- It only works with GitHub (as of today).
- It does not work on repositories that were imported as monorepos into SonarCloud.
- It does not work on all SonarCloud-supported languages. In particular, it does not work with C/C++.
However, if you are using GitHub and the project you imported is in a language that is supported by automatic analysis, then no configuration is needed for analysis to occur so you can start improving your code quality right away. For details, see Automatic Analysis.
As automatic analysis does not work with providers other than GitHub or with certain compiled languages, there are many cases where you will need to configure CI-based analysis instead.
CI-based analysis refers to the configuration of SonarCloud so that it performs analysis as part of your regular continuous integration (CI) process, in other words, your build process.
To enable CI-based analysis you have to install and configure a piece of software called a scanner. SonarCloud offers scanner extensions and integrations for all of the leading continuous integration (CI) systems used today.
Typically, the scanner is configured to run as part of your continuous integration pipeline so that whenever you push changes to your repository, the scanner is invoked and performs a scan on the code.
The details of how SonarCloud is integrated with your CI/CD process depend on which build tools and continuous integration system you use. SonarCloud provides custom integrations for the following:
- GitHub Actions
- Bitbucket Pipelines
- Azure Pipelines
Additionally, SonarCloud offers a stand-alone command-line tool (called SonarScanner) that you can install and integrate into your build process manually.
The results of the scan are sent automatically to SonarCloud where they are processed and made available in the dashboard, that is, the SonarCloud interface itself. There you will find all the results of all code analyzed in your repositories. You can sort and filter the results according to a wide range of criteria in order to get a clear picture of the state of your code.
Additionally, the outcome of the SonarCloud analysis (in both automatic and CI-based analyses) can be used to control subsequent build actions such as automatic deployment.
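As an added illustration of the CI-based setup described above (this workflow is not taken from the SonarCloud documentation), the following GitHub Actions workflow runs the SonarCloud scanner on pushes and pull requests, waits for the quality gate result, and only lets a downstream deployment job run when the gate passes. The organization and project keys are placeholders, the `SONAR_TOKEN` secret is assumed to have been created in the repository settings, and the deploy step is a stand-in for your real deployment command.

```yaml
# .github/workflows/sonarcloud.yml  (added example; values marked PLACEHOLDER are not real)
name: SonarCloud analysis
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarCloud can tell new code from old code
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # allows pull request decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # analysis token created in SonarCloud, stored as a secret
        with:
          args: >
            -Dsonar.organization=PLACEHOLDER_ORG_KEY
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
            -Dsonar.sources=.
            -Dsonar.qualitygate.wait=true
  deploy:
    needs: analyze                           # skipped if the analysis job failed the quality gate
    if: github.ref == 'refs/heads/main'      # deploy from the main branch only
    runs-on: ubuntu-latest
    steps:
      - run: echo "PLACEHOLDER: deployment command goes here"
```

With `sonar.qualitygate.wait=true` the scanner step itself fails when the quality gate fails, so the `needs: analyze` dependency is what blocks the deployment.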