SonarQube – Setting up Quality Gates in your application


SonarQube is an open-source tool for continuous inspection of code quality. It ships with a collection of rules that analyze your source code during the build to identify potential vulnerabilities, bugs, anti-patterns, refactoring opportunities and poor coding practices.

In my earlier article, I described integrating SonarQube with your TFS CI/CD build and rejecting code check-ins when the Quality Gates are not met:

SonarQube – Rejecting Code Check-in when Quality Gates are not met

One of the questions I received in an online forum was about Quality Gates and how to set them up. In this article, I will provide more insight into Quality Gates: what they are, the benefits of having them in place, and how you can set them up while configuring SonarQube in your application.

What is a Quality Gate?

Quality Gates are the best way to ensure that standards are met and enforced consistently across all the projects in your organization. A Quality Gate is a set of threshold conditions set on your project, for measures such as Code Coverage, Technical Debt, Number of Blocker/Critical issues, Security Rating, Unit Test Pass Rate and more.

To pass the Quality Gate, the project must meet every one of the thresholds set; a single failed condition fails the gate.

When SonarQube runs, it checks whether the code meets all the quality thresholds you have set. If any threshold is missed, the Quality Gate fails and, with the build integration described above, the code cannot be checked in to source control. This is a very powerful feature since it enforces code quality in your projects and automates the process.

How to setup your Quality Gates?

By default, a quality gate called ‘SonarQube way’ is activated and applied to all your projects. You can also create new Quality Gates for your projects and define customized thresholds.

Default Quality Gate

In practice, different projects will have different criteria, so you might want to create separate Quality Gates for your individual projects and verify the conditions for each.

Based on your projects, you can set up the metrics in your Quality Gate to explicitly raise a Warning or an Error when the code crosses a threshold.

Quality Gate SonarQube

If you have any questions about setting up SonarQube in your applications, please let me know by adding a comment below. I would be happy to help and share my experience.


 

I am appending to this article to respond back to the comments on this blog.

If the Quality Gate fails while running the SonarQube stage in your CI/CD pipeline, you can navigate to the SonarQube UI and see the exact cause of the Quality Gate failure. Below is a screenshot of a failed Quality Gate instance from one of my applications:

Failed Quality Gate
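The same verdict the UI shows is available to the pipeline itself. The script below is an added example (not code from the original article or from SonarSource): it evaluates a Quality Gate result the way a CI step would, using the shape of the response SonarQube's Web API returns for `GET api/qualitygates/project_status?projectKey=...`. The JSON sample embedded in it is constructed for illustration, not captured from a real server, and `fetch_project_status` is an assumed helper for wiring it to a live instance; everything else runs offline. The point it demonstrates is the rule stated above: the gate passes only when every condition is met, and each failed condition carries the metric, the threshold and the actual value, which is what the pipeline log should print before failing the build.

```python
"""Evaluate a SonarQube Quality Gate result as a CI step would.

Added example; assumes the response shape of
GET api/qualitygates/project_status?projectKey=<key>.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass

# Constructed sample response for a project whose gate failed on two conditions.
# Ratings are numeric in the API (A=1 ... E=5), so a security rating of 3 is a C.
SAMPLE_PROJECT_STATUS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "62.5"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
             "errorThreshold": "3", "actualValue": "1.2"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_blocker_violations", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
        ],
    }
})


@dataclass(frozen=True)
class Condition:
    metric: str
    comparator: str  # "LT" or "GT": the relation under which the condition FAILS
    threshold: float
    actual: float

    def failed(self) -> bool:
        # The comparator names the failing relation: LT fails when the actual value
        # is below the threshold (coverage), GT when it is above (bugs, ratings,
        # duplication). A gate is only as strict as its strictest failing condition.
        if self.comparator == "LT":
            return self.actual < self.threshold
        if self.comparator == "GT":
            return self.actual > self.threshold
        raise ValueError(f"unknown comparator {self.comparator!r}")


def parse_conditions(response_json: str) -> list[Condition]:
    """Turn the API's string-valued conditions into typed Condition objects."""
    status = json.loads(response_json)["projectStatus"]
    return [
        Condition(c["metricKey"], c["comparator"],
                  float(c["errorThreshold"]), float(c["actualValue"]))
        for c in status.get("conditions", [])
    ]


def failed_conditions(response_json: str) -> list[Condition]:
    return [c for c in parse_conditions(response_json) if c.failed()]


def gate_passed(response_json: str) -> bool:
    """Pass only if the server says OK *and* no condition fails on re-evaluation.

    Cross-checking means a truncated or malformed response cannot read as a pass.
    """
    status = json.loads(response_json)["projectStatus"]
    return status.get("status") == "OK" and not failed_conditions(response_json)


def describe_failures(response_json: str) -> list[str]:
    """One human-readable line per failed condition, for the pipeline log."""
    lines = []
    for c in failed_conditions(response_json):
        relation = "below" if c.comparator == "LT" else "above"
        lines.append(f"{c.metric}: actual {c.actual:g} is {relation} threshold {c.threshold:g}")
    return lines


def fetch_project_status(base_url: str, project_key: str, token: str) -> str:
    """Assumed helper (not exercised by the sample): fetch the live gate status.

    SonarQube accepts a user token as the HTTP Basic username with an empty password.
    """
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {credentials}"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode()


if __name__ == "__main__":
    import sys
    for line in describe_failures(SAMPLE_PROJECT_STATUS):
        print("Quality Gate condition failed:", line)
    # Non-zero exit is what makes the CI stage, and hence the check-in, fail.
    sys.exit(0 if gate_passed(SAMPLE_PROJECT_STATUS) else 1)
```

Run as-is it prints the two failing conditions from the constructed sample and exits 1; in a pipeline you would replace `SAMPLE_PROJECT_STATUS` with the string returned by `fetch_project_status`, and note that the analysis is processed asynchronously on the server, so the status should be read after the background task for the analysis has completed rather than immediately after the scanner returns.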

 




Categories: C#, SonarQube

19 replies

  1. For every project, I have two options in the quality gate option:
    1. Default
    2. sonar way

    What is the difference between the two?
    I have no custom quality gates.

    • Sonarway is the one provided by Sonar as the standard one.
      You can make Sonarway the default, or you can create your own gate and make it the default.

      Whichever gate is marked as default will be assigned automatically to any project for which no quality gate is assigned manually.

    • Jyotsna – You can create new Quality Gates for your projects and define customized thresholds which you want for your application.


  2. I have the same issue 😦

  3. I have two Quality Gates. Whenever I run the analysis on a project and there is a failure on a Quality Gate, it shows Failed but it does not show me, or give me any option to see, the cause of the errors.

    • Thor — I have added a screenshot to my blog showing a Failed Quality Gate instance from one of my applications. Clicking on any of the failed sections should show you the exact error details. Please check and let me know if you have any further questions.

  4. Created quality gate, but still showing project as passed. Not sure why?


  5. We created quality gates up to 80 percent; the quality gates failed but the build still passed. I don’t know where the exact issue is in VSTS; can you please help on this? When the quality gate fails, the build should also fail; how should I do that?

  6. I have 3 custom Quality Gates in SonarQube. How can I run SonarQube so that my project uses one of my custom Quality Gates?

    Is it possible to pass the name of the Quality Gate which needs to be used through the CLI?

  7. Would it be possible to show how you would setup a SQ scan using Jenkins Pipeline?


  8. Also important to know is how to set up what constitutes “new code”. This is configured under Administration : Configuration : New Code : New Code Period. Obviously you’ll need admin rights to access the Administration page.

  9. The issue I am facing is that even though I have spec files, the coverage in the sonar report shows 0%. I am not sure if I am missing any config which tells sonar to pick the spec files.


  10. This is really an important topic to share, thank you very much for choosing this topic. I really enjoyed reading your content, very impressive… I really loved the points you have shared here, thanks for giving your effort for creating such an incredible blog!



  12. Hi,
    I have created a new quality gate profile, which was enabled in the Jenkins pipeline as the sonar scan tool. I’m enabling the VTF option. I triggered the pipeline; the build was completed but the sonar phase failed with the error “timed out” in the logs. The Quality Gate also failed. Could you please help with how to change the configuration to get the Quality Gate to pass?

  13. Hi,

    I have added custom BPMN and DRL rules and added the respective JARs to the sonar server. I am able to see the rules added in the Dashboard, but when I scan the project, it takes the Quality Profiles for the JAVA and XML languages only. I have created a custom profile with these BPMN, DRL rules and made it the default one, but the project still takes the JAVA and XML sonarway (default) Quality Profiles. Can anyone help me with what needs to be done to scan the project with these newly added BPMN & DRL rules?

  14. What are the standards to define Quality Gates for a project, e.g. number of Bugs, Vulnerabilities and Duplications percentage?

  15. Hello

    I’ve a project in React/JavaScript which is currently using the default quality profile.

    I’d like to add additional profiles in SonarQube, ideally a custom profile.

    Any pointers would be helpful.

    Thanks
