Using SonarQube.com with Travis CI
SonarQube.com is a cloud service offered by SonarSource and based on SonarQube. SonarQube is a widely adopted open source platform to inspect continuously the quality of source code and detect bugs, vulnerabilities and code smells in more than 20 different languages.
Please refer to the SonarQube documentation for more details on how to configure different scanners.
You are using one of the two following environments:
- CI Environment with JVM VM image - for instance:
Inspecting code with the SonarQube Scanner
Before inspecting your code, you need to:
- Create a user authentication token for your account on SonarQube.com.
- Encrypt this token
travis encrypt abcdef0123456789or define
SONAR_TOKENin your Repository Settings
- Find which SonarQube.com organization you want to push your project on and get its key
- Create a
sonar-project.propertiesfile for your project (see the documentation).
Then add the following lines to your
.travis.yml file to trigger the analysis:
addons: sonarqube: organization: "sonarqube_com_organization_key" # the key of the org you chose at step #3 token: secure: ********* # encrypted value of your token script: # other script steps might be done before running the actual SonarQube analysis - sonar-scanner
Please take a look at the live example project to know more about this standard use case.
SonarQube Scanner for Maven
Lots of Java projects build with Maven. To add a SonarQube inspection to your Maven build, add the following to your
addons: sonarqube: organization: "sonarqube_com_organization_key" # the key of the org you chose at step #3 token: secure: ********* # encrypted value of your token script: # the following command line builds the project, runs the tests with coverage and then execute the SonarQube analysis - mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install sonar:sonar
Please take a look at the live Maven-based example project to know more about this use case.
Activation for branches
By default, the SonarQube.com add-on only analyzes the master branch. Activate it on other branches by specifying them in the
addons: sonarqube: organization: "sonarqube_com_organization_key" token: secure: ********* branches: - master - maintenance script: - sonar-scanner
branches accepts a list of regular expressions.
Note that currently, each branch ends up being a dedicated project on SonarQube.com.
Activation for pull requests
SonarQube.com can inspect internal pull requests of your repository and write comments on each line where issues are found.
For security reasons, this advanced feature works only for internal pull requests. In other words, pull requests built from forks won’t be inspected.
To activate analysis on pull requests, you need to follow those extra steps:
- Generate a personal access token for the GitHub user which will be used by SonarQube.com to write the comments.
- Requirements for that token are listed on that page.
- Encrypt this token.
- Add it to your
addons: sonarqube: organization: "sonarqube_com_organization_key" token: secure: ********* github_token: secure: ********* script: - sonar-scanner
Next versions of this add-on will provide the following features:
- No need to define a third-party GitHub user for pull request analysis.
- Support for external pull requests.