# SonarQube

SonarQube is a platform for continuous inspection of code: it measures code quality and finds bugs, vulnerabilities, and code smells across a wide range of programming languages.
## Comparison with other scanner tools

| Feature | SonarQube | Other tools |
|---|---|---|
| Multi-language | ✔ | ❌ / limited |
| Quality Gate | ✔ | ❌ |
| Full dashboard | ✔ | ❌ |
| Security + quality analysis | ✔ | ❌ (usually only one of the two) |
| CI/CD integration | ✔ | ✔ (but limited) |
| Custom rules | ✔ | ❌ |
| Self-hosted option | ✔ | ❌ |
| PR/MR decoration | ✔ | ✔ (in some) |
## Installing SonarQube with Docker

**Docker Compose**

Create a `docker-compose.yml` file:

```yaml
version: '3'
services:
  sonarqube:
    image: sonarqube:lts
    container_name: sonarqube
    ports:
      - "9000:9000"
    environment:
      # Skips the Elasticsearch bootstrap checks (e.g. vm.max_map_count) so the
      # container starts on a developer machine; leave the checks enabled in production.
      - SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
volumes:
  sonarqube_data:
  sonarqube_extensions:
```

No database is configured here, so SonarQube uses its embedded H2 database; that is fine for evaluation but not for a production instance.

Start it:

```bash
docker-compose up -d
```

Open SonarQube at http://localhost:9000 and log in with user `admin`, password `admin`; replace this default password at first login.
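Once the container is up, the two manual steps worth scripting are replacing the default `admin`/`admin` password and generating the token that Jenkins will use. The script below does both through SonarQube's Web API (`api/system/status`, `api/users/change_password`, `api/user_tokens/generate`). It is an added example, not code from this page or from SonarSource; it assumes the compose setup above on http://localhost:9000, that the new password is supplied in the `NEW_ADMIN_PASSWORD` environment variable (our own name), and that the token is labelled `jenkins`.

```python
"""Bootstrap a freshly started SonarQube container for CI use.

Added example, not part of the original page. Assumes the compose setup above
(http://localhost:9000, default login admin/admin). NEW_ADMIN_PASSWORD and
TOKEN_NAME are our own choices; the endpoints are SonarQube's Web API.
"""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

SONAR_URL = "http://localhost:9000"
NEW_ADMIN_PASSWORD = os.environ.get("NEW_ADMIN_PASSWORD", "")  # never hard-code this
TOKEN_NAME = "jenkins"  # assumption: label of the token handed to Jenkins


def basic_auth_header(user: str, password: str = "") -> str:
    """SonarQube uses HTTP Basic; a token is sent as the user name with an empty password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def is_up(status_json: dict) -> bool:
    """api/system/status reports STARTING (or DB_MIGRATION_* states) before it reports UP."""
    return status_json.get("status") == "UP"


def token_from_response(resp_json: dict) -> str:
    """api/user_tokens/generate returns the secret exactly once, in the 'token' field."""
    token = resp_json.get("token", "")
    if not token:
        raise ValueError("response carries no token")
    return token


def call(method: str, path: str, auth: str, params=None):
    """Send one request; return (HTTP status, decoded JSON or None for empty bodies)."""
    query = urllib.parse.urlencode(params or {})
    url = f"{SONAR_URL}{path}"
    data = None
    if method == "POST":
        data = query.encode()
    elif query:
        url += "?" + query
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return resp.status, (json.loads(body) if body else None)


def bootstrap() -> str:
    if not NEW_ADMIN_PASSWORD:
        sys.exit("set NEW_ADMIN_PASSWORD first")
    admin = basic_auth_header("admin", "admin")
    # 1. Wait until Elasticsearch and the web server are ready (the first start takes a while).
    for _ in range(60):
        try:
            _, status = call("GET", "/api/system/status", admin)
            if is_up(status):
                break
        except (urllib.error.URLError, ConnectionError):
            pass
        time.sleep(5)
    else:
        sys.exit("SonarQube did not come up")
    # 2. Replace the default admin password so the instance is not reachable with admin/admin.
    call("POST", "/api/users/change_password", admin,
         {"login": "admin", "password": NEW_ADMIN_PASSWORD, "previousPassword": "admin"})
    admin = basic_auth_header("admin", NEW_ADMIN_PASSWORD)
    # 3. Generate the token Jenkins will use; store it as a Jenkins credential, never in the Jenkinsfile.
    _, resp = call("POST", "/api/user_tokens/generate", admin, {"name": TOKEN_NAME})
    return token_from_response(resp)


if __name__ == "__main__":
    print(bootstrap())
```

Run it once after `docker-compose up -d`; SonarQube shows the token only in this one response, so put the printed value into a Jenkins secret-text credential immediately.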
## Installing SonarQube on a VM (manual)

Install Java 17:

```bash
apt install openjdk-17-jdk -y
```

Download SonarQube:

```bash
wget https://binaries.sonarsource.com/.../sonarqube-*.zip
unzip sonarqube-*.zip
```

Create a dedicated user (SonarQube refuses to start as root):

```bash
adduser sonar
```

Start SonarQube as the `sonar` user:

```bash
cd sonarqube/bin/linux-x86-64
./sonar.sh start
```
## Integrating SonarQube with Jenkins

**Install the SonarScanner plugin in Jenkins**

- Jenkins → Manage Plugins → SonarQube Scanner

**Add the SonarQube server**

- Manage Jenkins → Configure System → SonarQube Servers
- Add:
  - Name: `SonarQube`
  - Server URL: `http://sonarqube:9000`
  - Token: generated in SonarQube (stored as a Jenkins credential)

**Install SonarScanner**

- Manage Jenkins → Global Tool Configuration → SonarQube Scanner
**Pipeline Jenkinsfile**

Add a scanning stage:

```groovy
stage('SonarQube Analysis') {
    steps {
        // 'SonarQube' must match the server name configured under Manage Jenkins
        withSonarQubeEnv('SonarQube') {
            sh '''
            sonar-scanner -Dsonar.projectKey=myapp -Dsonar.sources=src -Dsonar.java.binaries=target
            '''
        }
    }
}
```

**Quality Gate Wait**

```groovy
stage("Quality Gate") {
    steps {
        timeout(time: 2, unit: 'MINUTES') {
            waitForQualityGate abortPipeline: true
        }
    }
}
```

`waitForQualityGate` does not poll SonarQube; it waits for SonarQube to call Jenkins back, so a webhook pointing at `<jenkins-url>/sonarqube-webhook/` must be configured in SonarQube (Administration → Configuration → Webhooks). Without it the stage just runs into the timeout.
## End-to-end CI/CD integration

- Developer pushes code
- Jenkins pulls the repository
- Jenkins runs the unit tests
- Jenkins runs the SonarQube scan
- SonarQube analyses code quality
- If the Quality Gate passes → continue to deploy
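The Quality Gate stage in the Jenkinsfile depends on a webhook; where SonarQube cannot reach Jenkins, or in a CI system without the plugin, the same verdict can be read by polling the Web API. The script below is an added example, not part of this page or of SonarQube's own tooling: it assumes `sonar-scanner` has just run in the workspace (leaving `.scannerwork/report-task.txt`) and reads the server URL and a SonarQube-generated token from `SONAR_HOST_URL` and `SONAR_TOKEN` (our own variable names). It implements the last two steps of the flow above: wait for the server-side analysis to finish, then allow the deploy only when the gate is OK. A constructed sample response is embedded so the evaluation logic can be exercised offline.

```python
"""Gate a deployment on SonarQube's Quality Gate result by polling the Web API.

Added example, not from the original page or from SonarQube/Jenkins. Assumes
sonar-scanner has just run here (so .scannerwork/report-task.txt exists) and that
SONAR_HOST_URL and SONAR_TOKEN are set (our own names). Endpoints and JSON fields
are those of SonarQube's Web API: api/ce/task and api/qualitygates/project_status.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

SONAR_HOST_URL = os.environ.get("SONAR_HOST_URL", "http://localhost:9000")
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")
REPORT_TASK = ".scannerwork/report-task.txt"

# Constructed sample of an api/qualitygates/project_status response (not captured from a server).
SAMPLE_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "65.3"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
             "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
}


def parse_report_task(text: str) -> dict:
    """sonar-scanner writes key=value lines (projectKey, ceTaskId, ceTaskUrl, ...) to report-task.txt."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def ce_task_finished(task_json: dict) -> bool:
    """Analysis runs asynchronously in the Compute Engine; PENDING/IN_PROGRESS mean keep waiting."""
    return task_json["task"]["status"] in ("SUCCESS", "FAILED", "CANCELED")


def evaluate_quality_gate(status_json: dict):
    """Return (passed, human-readable list of failing conditions)."""
    project = status_json["projectStatus"]
    failing = []
    for cond in project.get("conditions", []):
        if cond["status"] != "ERROR":
            continue
        # comparator gives the failing direction: LT = value fell below the threshold, GT = rose above it
        op = "<" if cond["comparator"] == "LT" else ">"
        failing.append(f"{cond['metricKey']}: {cond['actualValue']} is {op} threshold {cond['errorThreshold']}")
    return project["status"] == "OK", failing


def get_json(path: str, params: dict) -> dict:
    """GET one Web API endpoint; the token is the Basic-auth user name with an empty password."""
    url = f"{SONAR_HOST_URL}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{SONAR_TOKEN}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def main() -> int:
    with open(REPORT_TASK, encoding="utf-8") as fh:
        report = parse_report_task(fh.read())
    # 1. Wait for the server-side analysis to finish; the gate verdict is undefined until then.
    for _ in range(24):
        if ce_task_finished(get_json("/api/ce/task", {"id": report["ceTaskId"]})):
            break
        time.sleep(5)
    else:
        print("analysis still running after 2 minutes", file=sys.stderr)
        return 1
    # 2. Read the gate verdict and block the deploy step on anything but OK.
    passed, failing = evaluate_quality_gate(
        get_json("/api/qualitygates/project_status", {"projectKey": report["projectKey"]}))
    for line in failing:
        print("FAILED:", line)
    print("Quality Gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code is all the pipeline needs: run this as the step after `sonar-scanner` and the deploy stage only executes when the gate is OK, with the failing conditions printed into the build log.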