SonarQube Overview and Deployment

SonarQube

Overview

SonarQube is an open-source platform used for continuous inspection of code quality.
it does testing of code before build . It performs automatic code reviews with static analysis to detect:

  • Bugs
  • Code smells
  • Vulnerabilities
  • Duplications

It supports multiple programming languages such as Java, C#, JavaScript, Python, Go, and more.

  • Bugs: Errors in the code that can cause incorrect functionality, crashes, or unexpected behavior.
  • Code Smells: Poor coding practices or patterns that don’t break functionality but reduce maintainability and readability.
  • Security Vulnerabilities: Weaknesses in code that attackers can exploit, such as SQL injection, XSS, or hardcoded passwords.
  • Duplications: Repeated blocks of code that make maintenance harder and increase the risk of inconsistencies.

Key Features

  • Code Quality & Security: Identifies bugs, vulnerabilities, and security hotspots.
  • Multi-language Support: Works with over 25+ programming languages.
  • Integration with CI/CD: Seamlessly integrates with Jenkins, GitLab CI, GitHub Actions, Azure DevOps, and others.
  • Quality Gates: Ensures code meets defined quality standards before merging.
  • Dashboards & Reports: Provides detailed project health metrics and visualizations.
  • Extensible via Plugins: Supports extensions for SCM, IDEs, and build tools.

Architecture

  1. SonarQube Server

    • Hosts the dashboard and analysis results.
    • Manages the database with historical code quality data.

  2. SonarScanner

    • CLI tool that analyzes source code and sends results to the server.
    • Can be run manually or integrated into CI/CD pipelines.

  3. Database

    • Stores code quality metrics, history, and configuration.
    • Common choices: PostgreSQL, MySQL, SQL Server, Oracle.

Installation

Prerequisites

  • Java 17+
  • Database (PostgreSQL recommended)
  • 2 GB+ RAM

Installation with Docker Compose

Running SonarQube with Docker Compose makes setup easier by managing both SonarQube and PostgreSQL together.

Step 1: Create a docker-compose.yml

version: "3"

services:
  postgres:
    image: postgres:13
    container_name: postgres
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
      POSTGRES_DB: sonarqube
    volumes:
      - postgres_data:/var/lib/postgresql/data

  sonarqube:
    image: sonarqube:lts-community
    container_name: sonarqube
    depends_on:
      - postgres
    environment:
      SONARQUBE_JDBC_URL: jdbc:postgresql://postgres:5432/sonarqube
      SONARQUBE_JDBC_USERNAME: sonar
      SONARQUBE_JDBC_PASSWORD: sonar
    ports:
      - "9000:9000"
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_extensions:/opt/sonarqube/extensions

volumes:
  postgres_data:
  sonarqube_data:
  sonarqube_logs:
  sonarqube_extensions:

Start the container

docker-compose up -d

Access SonarQube

Open http://localhost:9000
 in your browser.

Default credentials:
Username: admin
Password: admin

SonarQube Editions

SonarQube is available in four editions:

1. Community Edition (Free)

  • Cost: Free (open source)
  • Best for: Small teams, personal projects, learning environments
  • Key Features:
    • Static code analysis for 15+ programming languages
    • Detection of bugs, code smells, and vulnerabilities
    • Basic Quality Gates and reports
    • Integrations with CI/CD tools (Jenkins, GitLab CI, etc.)
    • Basic web-based dashboards

2. Developer Edition

  • Cost: Paid (subscription)
  • Best for: Growing teams and organizations that need deeper insights
  • Additional Features:
    • Support for 20+ programming languages (including C, C++, Objective-C, Swift, and T-SQL)
    • Branch analysis (track quality on feature branches)
    • Pull Request decoration in GitHub, GitLab, Bitbucket, and Azure DevOps
    • Advanced issue detection (security hotspots, more code patterns)
    • Reports on technical debt and maintainability

3. Enterprise Edition

  • Cost: Paid (higher tier)
  • Best for: Large organizations with multiple teams/projects
  • Additional Features:
    • Portfolio Management: Aggregate code quality across projects
    • Governance dashboards for executive-level visibility
    • Project baseline management (manage technical debt over time)
    • Advanced reporting (trends, compliance)
    • Scales for large deployments

4. Data Center Edition

  • Cost: Premium (highest tier)
  • Best for: Enterprises requiring high availability and scalability
  • Additional Features:
    • All features of Enterprise Edition
    • Clustered deployment for high availability (HA)
    • Horizontal scalability with multiple nodes
    • Disaster recovery and business continuity
    • Ideal for mission-critical enterprise environments

Quick Comparison

FeatureCommunityDeveloperEnterpriseData Center
PriceFreePaidPaidPaid
Languages (Java, JS, etc.)βœ”βœ”βœ”βœ”
C, C++, Swift, T-SQLβœ˜βœ”βœ”βœ”
Branch Analysisβœ˜βœ”βœ”βœ”
Pull Request Decorationβœ˜βœ”βœ”βœ”
Portfolio Managementβœ˜βœ˜βœ”βœ”
High Availability (HA)βœ˜βœ˜βœ˜βœ”

πŸ‘‰ For most small teams, Community Edition is enough.
πŸ‘‰ Enterprises usually choose Enterprise or Data Center Edition for scalability, compliance, and governance.