To analyze code quality using SonarQube and integrate it into a CI/CD pipeline.
SonarQube is a tool that inspects source code for bugs, vulnerabilities, and code smells.
👉 It uses static analysis (the code is read, never executed)
| Term | Meaning |
|---|---|
| Bug | Code that may fail |
| Vulnerability | Security risk |
| Code Smell | Bad coding practice |
| Quality Gate | Pass/fail check |
| Technical Debt | Effort to fix issues |
| Coverage | Tested code % |
| Duplication | Repeated code |
According to the diagram: Code → Scanner → SonarQube Server → Database → Dashboard
👉 Both are required:

| Setup | Result |
|---|---|
| Only Server | No analysis |
| Only Scanner | No storage |
| Both | Works |
Flow: Generate Token → Pass to Scanner → Server verifies → Stores results
👉 Token = a revocable credential used for login instead of your password
We start SonarQube and PostgreSQL.
docker-compose up -d
docker logs -f sonarqube
Open: http://localhost:9000

First, ensure you have some code with bugs (Division by zero, SQL injection, unused variables). Then run the scanner against your code using the token generated from SonarQube.
Option 1: Maven
mvn sonar:sonar -Dsonar.login=YOUR_TOKEN
Option 2: CLI (Docker)
docker run -e SONAR_HOST_URL="http://localhost:9000" -e SONAR_LOGIN="YOUR_TOKEN" -v "${PWD}:/usr/src" sonarsource/sonar-scanner-cli

Open: http://localhost:9000. You’ll see: Bugs, Vulnerabilities, Code Smells, Quality Gate.
Example Dashboard:

You can query issues programmatically using the SonarQube API.
# The token goes in the username field with an empty password; do not send the admin password
curl -u YOUR_TOKEN: "http://localhost:9000/api/issues/search"
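The token-based login described above and the API query can be combined into a small client that a pipeline stage could run. This is an added example, not code from the lab: it assumes a SonarQube server at http://localhost:9000, a user token with browse permission, and the project key Angel0606 used later in the Jenkinsfile. The JSON payload at the bottom is constructed by hand in the shape of an api/issues/search reply so the counting and pass/fail logic can run without a live server.

```python
"""Query SonarQube issues with a token and derive a pass/fail decision.

Added example (not from the lab). Assumptions: server at SONAR_URL, a user
token with 'Browse' permission, project key from the lab's Jenkinsfile.
"""
import base64
import json
import urllib.request
from collections import Counter

SONAR_URL = "http://localhost:9000"   # assumption: the docker-compose server
PROJECT_KEY = "Angel0606"             # project key used in the lab Jenkinsfile


def token_auth_header(token: str) -> str:
    # SonarQube accepts a token as the HTTP Basic username with an empty
    # password, so the admin password never leaves the operator's hands.
    raw = f"{token}:".encode()
    return "Basic " + base64.b64encode(raw).decode()


def fetch_issues(token: str, project_key: str = PROJECT_KEY,
                 base_url: str = SONAR_URL) -> dict:
    # Live call: only works when the server started with docker-compose is up.
    url = (f"{base_url}/api/issues/search?componentKeys={project_key}"
           f"&resolved=false&ps=500")
    req = urllib.request.Request(url, headers={"Authorization": token_auth_header(token)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize(payload: dict) -> dict:
    """Count unresolved issues by type and by severity from an issues/search reply."""
    issues = payload.get("issues", [])
    return {
        "total": payload.get("total", len(issues)),
        "by_type": dict(Counter(i["type"] for i in issues)),
        "by_severity": dict(Counter(i["severity"] for i in issues)),
    }


def gate(summary: dict, max_vulns: int = 0, max_blockers: int = 0) -> bool:
    """Local pass/fail rule: fail on any VULNERABILITY or any BLOCKER issue."""
    vulns = summary["by_type"].get("VULNERABILITY", 0)
    blockers = summary["by_severity"].get("BLOCKER", 0)
    return vulns <= max_vulns and blockers <= max_blockers


# Constructed sample reply (shape of api/issues/search; keys and messages invented)
SAMPLE = {
    "total": 3,
    "issues": [
        {"key": "issue-1", "type": "BUG", "severity": "MAJOR", "message": "Division by zero"},
        {"key": "issue-2", "type": "VULNERABILITY", "severity": "BLOCKER", "message": "SQL injection"},
        {"key": "issue-3", "type": "CODE_SMELL", "severity": "MINOR", "message": "Unused variable"},
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_issues("YOUR_TOKEN") once the server is running.
    s = summarize(SAMPLE)
    print(json.dumps(s, indent=2))
    print("PASS" if gate(s) else "FAIL")
```

The sample contains one vulnerability and one blocker, so gate() returns False; a pipeline would exit non-zero at that point instead of pushing the image. The thresholds are a local rule for illustration, not SonarQube's own Quality Gate, which the server evaluates.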

Pipeline Flow: Checkout → Scan → Build → Deploy
We updated the Jenkinsfile from Lab 7 to include a new stage for SonarQube. This ties both labs together!
Important Code Snippet added to Lab 7 Jenkinsfile (the token is read from a Jenkins "Secret text" credential instead of being pasted into the file, so it is neither committed to the repo nor printed in the build log):
stage('SonarQube Analysis') {
    steps {
        // Assumes a Secret text credential with ID 'sonar-token' exists in Jenkins.
        // The shell expands $SONAR_TOKEN inside the single-quoted string; Groovy never interpolates it.
        withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
            sh 'docker run --rm -v "${WORKSPACE}:/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=Angel0606 -Dsonar.sources=. -Dsonar.host.url=http://host.docker.internal:9000 -Dsonar.login="$SONAR_TOKEN"'
        }
    }
}
👉 Jenkins checks out the code, runs the scanner in a container on the agent, and the build view shows whether the analysis let the pipeline proceed to the Docker Hub push!

| Tool | Purpose |
|---|---|
| Jenkins | CI/CD |
| SonarQube | Code quality |
| Ansible | Config management |
| Chef | Infra automation |
SonarQube = “System that checks your code quality before it is deployed.”
Now your learning stack is: Docker → Compose → Kubernetes → Jenkins → SonarQube 👉 This is complete DevOps pipeline knowledge!