Introduction

Software development teams strive to deliver high-quality code that is free from bugs, vulnerabilities, and performance issues. πŸ’ͺ To ensure code quality, it's essential to incorporate a reliable code analysis tool into the development process. SonarQube, coupled with AWS CodePipeline, provides a powerful solution for continuous code quality assessment and improvement. 🎯

Table of contents

Introduction to SonarQube and AWS CodePipeline πŸ“š
Setting up SonarQube in AWS πŸ”§
Configuring AWS CodePipeline for SonarQube integration πŸ”—
Run the CodePipeline πŸš€
Conclusion πŸŽ‰

Introduction to SonarQube and AWS CodePipeline πŸ“š

SonarQube is an open-source platform that performs static code analysis to detect bugs, security vulnerabilities, code smells, and other code quality issues. It offers a comprehensive set of rules and metrics to evaluate the health of your codebase. There is also a paid version with additional features available.

AWS CodePipeline, on the other hand, is a fully managed continuous integration and continuous delivery (CI/CD) service provided by AWS. It helps automate the software release process by building, testing, and deploying applications.

Setting up SonarQube in AWS πŸ”§

Before integrating SonarQube with AWS CodePipeline, you need to set up SonarQube in your AWS environment. You can follow my guide on how to setup SonarQube on AWS ECS:

Transform Your Code Quality With SonarQube On AWS ECS: A Comprehensive Guide
Software development is a dynamic process that involves multiple stages, from writing code to testing and deployment. Code quality plays a crucial role in software development, as it determines the overall performance and reliability of the software. Poor code quality can lead to bugs, crashes, and…
Alexander HoseAlexander Hose

Configuring AWS CodePipeline for SonarQube integration πŸ”—

CodeCommit

First, we need to take an existing CodeCommit repository or create a new one. In the root of the repository, we will create a buildspec.yml file. This file helps automate the build process by specifying the steps needed to build, test, and package your application or codebase. By version controlling the buildspec.yml file alongside your source code, you ensure reproducibility and consistency in your builds. In our case, we will use the file to trigger the analysis of the source code. The setup for the file will look like this:

version: 0.2

phases:
    install:
        commands:
            - pip3 install -q awscli --upgrade --user
            - pip3 install boto3
            - yum -q install -y jq
            - wget -qO /tmp/sonar-scanner.zip "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-linux.zip"
            - unzip -q /tmp/sonar-scanner.zip -d /tmp
    pre_build:
        commands:
            - echo Start code scan...
            - ./../../../../../../../tmp/sonar-scanner-4.7.0.2747-linux/bin/sonar-scanner -Dsonar.projectKey=$SONAR_QUBE_PROJECT -Dsonar.sources=. -Dsonar.host.url=$SONAR_QUBE_URL -Dsonar.login=$SONAR_QUBE_KEY
            - sleep 7
            - "curl -s -u $SONAR_QUBE_KEY: $SONAR_QUBE_URL/api/qualitygates/project_status?projectKey=$SONAR_QUBE_PROJECT> /tmp/result.json"
            - if [ $(jq -r '.projectStatus.status' /tmp/result.json) = ERROR ] ; then CODEBUILD_BUILD_SUCCEEDING=0 ; fi
            - echo Code scan completed on `date`
            - if [ "$CODEBUILD_BUILD_SUCCEEDING" -eq 0 ]; then exit 1; fi

We can of course extend the file with further instructions on building the actual software or performing tests. Let's have a more detailed look at the instructions now. First, we install sonar scanner cli and trigger the scan. The referenced environment variables will be set later.

- echo Start code scan...
- ./../../../../../../../tmp/sonar-scanner-4.7.0.2747-linux/bin/sonar-scanner -Dsonar.projectKey=$SONAR_QUBE_PROJECT -Dsonar.sources=. -Dsonar.host.url=$SONAR_QUBE_URL -Dsonar.login=$SONAR_QUBE_KEY

Afterward, we wait for a few seconds and get the results from the API. If we get an error in the project status, we will directly cancel the execution of the pipeline.

- sleep 7
- "curl -s -u $SONAR_QUBE_KEY: $SONAR_QUBE_URL/api/qualitygates/project_status?projectKey=$SONAR_QUBE_PROJECT> /tmp/result.json"
- if [ $(jq -r '.projectStatus.status' /tmp/result.json) = ERROR ] ; then CODEBUILD_BUILD_SUCCEEDING=0 ; fi
- echo Code scan completed on `date`
- if [ "$CODEBUILD_BUILD_SUCCEEDING" -eq 0 ]; then exit 1; fi

The results from the quality gates project status endpoint will look like this:

{
   "projectStatus":{
      "status":"OK",
      "conditions":[
         {
            "status":"OK",
            "metricKey":"new_reliability_rating",
            "comparator":"GT",
            "errorThreshold":"1",
            "actualValue":"1"
         },
         {
            "status":"OK",
            "metricKey":"new_security_rating",
            "comparator":"GT",
            "errorThreshold":"1",
            "actualValue":"1"
         },
         {
            "status":"OK",
            "metricKey":"new_maintainability_rating",
            "comparator":"GT",
            "errorThreshold":"1",
            "actualValue":"1"
         }
      ],
      "ignoredConditions":false,
      "period":{
         "mode":"PREVIOUS_VERSION",
         "date":"2023-06-11T16:17:19+0000"
      },
      "caycStatus":"compliant"
   }
}

CodeBuild

Next, we need to create a new build project in CodeBuild. Here we reference the repository and branch we want to scan.

Depending on if we want to also build a docker image later, we should consider running the build in privileged mode.

We have referenced some environment variables in the buildspec file. Those can be defined in the additional configuration of the Environment:

CodePipeline

Now we can create the actual pipeline. Navigate to CodePipeline and create a new one.

Source

We need to define a source for the pipeline. Here we take the repository from earlier and choose a branch. Every time there will be a change to the branch, the pipeline will be triggered. We can keep the other configuration as default.

Build

In the build step, we can choose the CodeBuild project we created earlier.

Deploy

The deploy step can be skipped as we don't need to deploy the application anywhere. This could look different in your case.

Run the CodePipeline πŸš€

The pipeline will start automatically and we will see a successful build within a few minutes.

If we go to our SonarQube backend, we will also see information about our bugs, vulnerabilities, code smells, and hotspots.

Join our community of cloud security professionals. πŸ”

Subscribe to our newsletter

Conclusion πŸŽ‰

Implementing SonarQube with AWS CodePipeline empowers software development teams to achieve continuous code quality assessment and improvement. πŸ” Combined with the automation capabilities of AWS CodePipeline, the integration streamlines the software release process and promotes reproducibility and consistency in builds. πŸ”„ Contributing to the delivery of high-quality code. πŸ’― With SonarQube and AWS CodePipeline, teams can elevate their code quality standards and enhance the overall development process. πŸ“ˆ

Share this post