
SonarQube Boot Camp

Quickly learn how to perform powerful static analysis that finds bugs, vulnerabilities, and code smells in this lab-intensive SonarQube training.

Your business and career depend on your ability to produce secure, reliable, and error-free code quickly. But code is never perfect, even if it has been carefully reviewed, backed by a complete suite of tests, or thoroughly vetted by your quality assurance team.

That's where SonarQube can help. SonarQube is a fully automated source code analysis tool that integrates into your existing development processes, so you immediately reap the benefits of powerful static analysis that finds bugs, vulnerabilities, and code smells in each build. It produces interactive reports for each build and stores them in projects so you can easily track issues as you work.

This two-day SonarQube course starts with how to build a SonarQube server. Then, it covers how to set up source code analysis with a sample project. You’ll learn how to analyze a build and then customize the analysis for your project’s needs. Finally, you’ll integrate source code analysis into a Jenkins build server.

You’ll finish this course with the knowledge of how to set up SonarQube, integrate it into your development process, and use its reports to improve your code.

Duration: 2 days/16 hours of instruction

Public Classroom Pricing

$1595 (USD)

GSA Price: $1485 (USD)

Group Rate: $1495 (USD)

Private Group Pricing

Have a group of 5 or more students? Request special pricing for private group training today.


Part 1: Introduction to SonarQube

  1. What is SonarQube?
  2. Overview of SonarQube's Different Editions, Licenses, and Costs
  3. Exercise: Run the SonarQube Docker image and take a tour of the SonarQube UI.
    1. The Docker image will run in demo mode.
    2. Log in with the default user.
    3. Change the admin password on the next screen.
    4. Visit the top-level menu areas:
      1. Projects: SonarQube will create projects as required, or they can be created via the administration area.
      2. Issues: This is where deficiencies in code are tracked.
      3. Rules: Rules are configurable for code scans.
      4. Quality Profiles/Quality Gates: These are configurable sets of rules for evaluating projects.
      5. Administration: This is where you can configure SonarQube.

Part 2: Installation and Basic Administration

  1. How to Install and Run SonarQube From Docker
    1. Run with embedded H2 database, and map data to external partitions.
    2. Run with an external database, such as a PostgreSQL Container.
    3. Run with docker-compose and use it to map data partitions and run a database container.
  2. Exercise: Install SonarQube using docker-compose with a PostgreSQL container.
  3. Administer SonarQube
    1. General settings
      1. Email
      2. SMTP host/port
      3. SSL
      4. Base URL
    2. Add users and groups
    3. Overview of permissions and permissions templates
  4. Plugins
    1. Installing a plugin from the marketplace
    2. Installing a plugin from a file
    3. Exercise: Install a plugin.

Part 3: Analyzing Code

  1. Overview of Analyzing Code With SonarQube
    1. How analysis is performed:
      1. Scanner requests data from the server
      2. Scanner examines files
      3. Results are uploaded to the server
      4. Server stores analysis in a project; if required, a new project is created
    2. Review different scanners and how they are configured and used
      1. Gradle
      2. .NET
      3. Maven
      4. Jenkins
      5. Azure
      6. Ant
      7. CLI
    3. Discuss the limitations of the community edition versus the developer edition
      1. Analyze branches in developer edition
      2. Analyze pull requests in developer edition
  2. Create a SonarQube Project and Get a Key for a Scanner
    1. Add a project, or allow SonarQube to create one
    2. Add users
    3. Restrict users to specific projects
    4. Set analysis scope
      1. Adjust file patterns so SonarQube analyzes only the files you want
      2. Adjust directory patterns
      3. Specify files to be ignored
    5. How to generate a token for a scanner
    6. Exercise: Create a project.
      1. Add an unprivileged user.
      2. Create a project.
      3. Associate the new user with the new project.
      4. Log in as the new user and generate a scanner token.
  3. Exercise: Perform a scan from Gradle.
    1. Fork sample projects from SonarQube's GitHub.
    2. Check out the project and configure Gradle for the SonarQube server and the token from the previous exercise.
    3. Run a scan and view results.
    4. Introduce new code with errors into the project.
    5. Run a scan and view new results.
  4. View Report Results
    1. Report overview page
      1. New code/overall code tabs
      2. Bugs, vulnerabilities, security hotspots, and technical debt
    2. Drill down into issue details
    3. View issue descriptions
    4. View issues in-line with code
    5. Exercise: Fix an issue from the previous project and run a new scan.
  5. SonarQube Scanning Rules
    1. View rules for different languages
    2. Exercise: Alter or add a scanning rule.
      1. Alter or add a scanning rule that will trigger an error in the project.
      2. Rerun the analysis and view the issue.
      3. Fix the issue, and run a new scan.
  6. SonarQube Quality Profiles and Quality Gates
    1. View quality profiles
    2. View quality gates
    3. Exercise: Fix a build that fails a quality gate.
      1. Introduce a bug that will fail a quality gate.
      2. Run the scan and view the results.
      3. Revert the bug and run a new scan.

Part 4: CI Integration

  1. Overview of Jenkins and Jenkins Integration With SonarQube
    1. Exercise: Set up Jenkins integration.
      1. Run Jenkins Docker container.
      2. Perform basic Jenkins configuration.
        1. Users
        2. Git repo
      3. Install and configure the SonarQube plugin.
      4. Set up a Jenkins job using the SonarQube plugin.
      5. Run an analysis.

Part 5: SonarLint

  1. Overview
    1. Exercise: Install SonarLint in an editor such as IntelliJ and modify some code.

Part 6: Putting It All Together

  1. Overview of SonarQube CI workflow: Code, Commit, Build, Analyze
    1. Exercise: Integrate SonarQube into a CI workflow.
      1. Set up automatic build with analysis.
      2. Add code that will trigger a warning.
      3. Commit and push.
      4. Review report.
      5. Fix error.
      6. Commit and push.
      7. Review report.
      8. Repeat as needed.

Professionals who may benefit include:

  • Security Administrators
  • Any Security Staff
  • System Administrators
  • DevOps Practitioners
  • IT Operations Staff
  • Release Engineers
  • Configuration Managers
  • Anyone involved with IT infrastructure
  • Developers and Application Team leads
  • ScrumMasters
  • Software Managers and Team Leads

Hands-on exercises in this course include:

  • Run the SonarQube Docker image and take a tour of the SonarQube UI.
  • Run with embedded H2 database, and map data to external partitions.
  • Run with an external database, such as a PostgreSQL Container.
  • Run with docker-compose and use it to map data partitions and run a database container.
  • Create a SonarQube Project and Get a Key for a Scanner
  • Perform a scan from Gradle.
  • Fix an issue in a SonarQube project and run a new scan.
  • Alter or add a scanning rule.
  • Fix a build that fails a quality gate.
  • Set up Jenkins integration.
  • Install SonarLint in an editor such as IntelliJ and modify some code.
  • Integrate SonarQube into a CI workflow.

SonarQube Boot Camp Schedule

There are currently no scheduled classes for this course. Please contact us if you would like more information or to schedule this course for you or your company.
