SonarQube Overview and Deployment

SonarQube

Overview

SonarQube is an open-source platform used for continuous inspection of code quality.
it does testing of code before build . It performs automatic code reviews with static analysis to detect:

  • Bugs
  • Code smells
  • Vulnerabilities
  • Duplications

It supports multiple programming languages such as Java, C#, JavaScript, Python, Go, and more.

  • Bugs: Errors in the code that can cause incorrect functionality, crashes, or unexpected behavior.
  • Code Smells: Poor coding practices or patterns that don’t break functionality but reduce maintainability and readability.
  • Security Vulnerabilities: Weaknesses in code that attackers can exploit, such as SQL injection, XSS, or hardcoded passwords.
  • Duplications: Repeated blocks of code that make maintenance harder and increase the risk of inconsistencies.

Key Features

  • Code Quality & Security: Identifies bugs, vulnerabilities, and security hotspots.
  • Multi-language Support: Works with over 25+ programming languages.
  • Integration with CI/CD: Seamlessly integrates with Jenkins, GitLab CI, GitHub Actions, Azure DevOps, and others.
  • Quality Gates: Ensures code meets defined quality standards before merging.
  • Dashboards & Reports: Provides detailed project health metrics and visualizations.
  • Extensible via Plugins: Supports extensions for SCM, IDEs, and build tools.

Architecture

  1. SonarQube Server

    • Hosts the dashboard and analysis results.
    • Manages the database with historical code quality data.

  2. SonarScanner

    • CLI tool that analyzes source code and sends results to the server.
    • Can be run manually or integrated into CI/CD pipelines.

  3. Database

    • Stores code quality metrics, history, and configuration.
    • Common choices: PostgreSQL, MySQL, SQL Server, Oracle.

Installation

Prerequisites

  • Java 17+
  • Database (PostgreSQL recommended)
  • 2 GB+ RAM

Installation with Docker Compose

Running SonarQube with Docker Compose makes setup easier by managing both SonarQube and PostgreSQL together.

Step 1: Create a docker-compose.yml

version: "3"

services:
  postgres:
    image: postgres:13
    container_name: postgres
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
      POSTGRES_DB: sonarqube
    volumes:
      - postgres_data:/var/lib/postgresql/data

  sonarqube:
    image: sonarqube:lts-community
    container_name: sonarqube
    depends_on:
      - postgres
    environment:
      SONARQUBE_JDBC_URL: jdbc:postgresql://postgres:5432/sonarqube
      SONARQUBE_JDBC_USERNAME: sonar
      SONARQUBE_JDBC_PASSWORD: sonar
    ports:
      - "9000:9000"
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_extensions:/opt/sonarqube/extensions

volumes:
  postgres_data:
  sonarqube_data:
  sonarqube_logs:
  sonarqube_extensions:

Start the container

docker-compose up -d

Access SonarQube

Open http://localhost:9000
 in your browser.

Default credentials:
Username: admin
Password: admin

SonarQube Editions

SonarQube is available in four editions:

1. Community Edition (Free)

  • Cost: Free (open source)
  • Best for: Small teams, personal projects, learning environments
  • Key Features:
    • Static code analysis for 15+ programming languages
    • Detection of bugs, code smells, and vulnerabilities
    • Basic Quality Gates and reports
    • Integrations with CI/CD tools (Jenkins, GitLab CI, etc.)
    • Basic web-based dashboards

2. Developer Edition

  • Cost: Paid (subscription)
  • Best for: Growing teams and organizations that need deeper insights
  • Additional Features:
    • Support for 20+ programming languages (including C, C++, Objective-C, Swift, and T-SQL)
    • Branch analysis (track quality on feature branches)
    • Pull Request decoration in GitHub, GitLab, Bitbucket, and Azure DevOps
    • Advanced issue detection (security hotspots, more code patterns)
    • Reports on technical debt and maintainability

3. Enterprise Edition

  • Cost: Paid (higher tier)
  • Best for: Large organizations with multiple teams/projects
  • Additional Features:
    • Portfolio Management: Aggregate code quality across projects
    • Governance dashboards for executive-level visibility
    • Project baseline management (manage technical debt over time)
    • Advanced reporting (trends, compliance)
    • Scales for large deployments

4. Data Center Edition

  • Cost: Premium (highest tier)
  • Best for: Enterprises requiring high availability and scalability
  • Additional Features:
    • All features of Enterprise Edition
    • Clustered deployment for high availability (HA)
    • Horizontal scalability with multiple nodes
    • Disaster recovery and business continuity
    • Ideal for mission-critical enterprise environments

Quick Comparison

FeatureCommunityDeveloperEnterpriseData Center
PriceFreePaidPaidPaid
Languages (Java, JS, etc.)βœ”βœ”βœ”βœ”
C, C++, Swift, T-SQLβœ˜βœ”βœ”βœ”
Branch Analysisβœ˜βœ”βœ”βœ”
Pull Request Decorationβœ˜βœ”βœ”βœ”
Portfolio Managementβœ˜βœ˜βœ”βœ”
High Availability (HA)βœ˜βœ˜βœ˜βœ”

πŸ‘‰ For most small teams, Community Edition is enough.
πŸ‘‰ Enterprises usually choose Enterprise or Data Center Edition for scalability, compliance, and governance.

SonarQube with the community branch plugin

Download the Plugin

  • Go to the Releases page
  • Download the latest .jar file, for example:
sonar-community-branch-plugin-1.16.0.jar

curl -L -o sonarqube-community-branch-plugin-25.7.0.jar \
https://github.com/mc1arke/sonarqube-community-branch-plugin/releases/download/25.7.0/sonarqube-community-branch-plugin-25.7.0.jar
  • Place it inside a local folder plugins/ (next to your docker-compose.yml).
  • So your project structure should look like:
.
β”œβ”€β”€ docker-compose.yml
└── plugins/
   └── sonar-community-branch-plugin-1.16.0.jar

Docker compose file

version: "3"

services:
  sonarqube:
    image: sonarqube:8.9-community
    container_name: sonarqube
    depends_on:
      - db
    environment:
      - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONAR_JDBC_USERNAME=sonar
      - SONAR_JDBC_PASSWORD=sonar
      - SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true   # temporary workaround

    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - ./plugins:/opt/sonarqube/extensions/plugins
    ports:
      - "9000:9000"

  db:
    image: postgres:13
    container_name: sonarqube_postgres
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=sonar
      - POSTGRES_DB=sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

volumes:
  sonarqube_data:
  sonarqube_extensions:
  postgresql:
  postgresql_data:

docker-compose up -d

Verify

Go to Administration β†’ Marketplace β†’ Installed and you should see the Community Branch Plugin.

Follow this

OR

docker run -d -p 9000:9000 mc1arke/sonarqube-with-community-branch-plugin

Login to sonarqube with Admin user and password admin