Elevating Code Quality: The Power of Static Code Analysis in Modern Software Development

Moataz Nabil
AVIV Product & Tech Blog
8 min read · Oct 25, 2023

In today’s ever-changing software development landscape, code quality is a must-have requirement. At AVIV Group, we are committed to delivering exceptional applications to our customers by ensuring a shared responsibility for quality. Static code analysis is essential to achieving agility, speed, and reliability.

Integrating code analysis tools into your Continuous Integration and Continuous Delivery/Deployment (CI/CD) pipeline is an effective way to catch code issues early and ensure the health of your codebase.

In this blog, we will explore together how to seamlessly integrate SonarCloud, a popular cloud-based code analysis platform, with one of the leading CI/CD tools, CircleCI.

Sound interesting? Let’s get started!

What is Static Code Analysis?

Static code analysis is a technique that involves examining the source code of a software application without executing it. It aims to identify issues, potential problems, code smells, and violations of coding standards by analyzing the code’s structure, syntax, and dependencies.

Importance of Static Code Analysis

One of the most crucial aspects of static code analysis is the ability to catch issues early in development. This early detection reduces the cost and effort required for fixing issues later in the development cycle, which can be more challenging to address.

Static code analysis consistently enforces coding standards and best practices across the entire codebase. It checks for issues like code complexity, naming conventions, code duplication, and adherence to coding guidelines.

By maintaining a high level of code quality, development teams can produce more readable, maintainable, and reliable software.

By automating code analysis, development teams can focus on writing code and delivering features rather than manually reviewing every line of code. This automation streamlines the development process, increases productivity, and allows developers to spend more time on creative problem-solving.

Now that we have covered static code analysis, let’s explore SonarCloud, a static analysis tool, and how it fits into the development lifecycle.

How SonarCloud fits into agile development

SonarCloud’s static code analysis capabilities enable Agile teams to detect code issues, bugs, and smells early in development. This early detection helps teams address problems before they accumulate, reducing technical debt.

SonarCloud allows teams to set custom quality gates based on their specific project requirements. This flexibility ensures that code meets predefined quality criteria before it can be considered “done”.

SonarCloud supports a wide range of programming languages, including but not limited to Java, JavaScript, TypeScript, Python, and C#. SonarCloud also supports IaC, such as Terraform code, making it suitable for diverse software development environments.

SonarCloud seamlessly integrates with CI/CD pipelines, automatically analysing code changes as they are committed. This automation ensures that code quality checks are integral to every build, preventing the introduction of low-quality code.

SonarCloud integration with CircleCI

As a cloud-based service, SonarCloud does not require teams to set up and maintain on-premises infrastructure for code analysis. This simplifies adoption and scalability.

Integrate SonarCloud with the CI/CD Pipeline

Let’s look, step by step, at how to integrate SonarCloud with CircleCI.

Prerequisites

Before we proceed, make sure you have the following prerequisites in place:

  1. A GitHub repository with your codebase.
  2. An account on SonarCloud (https://sonarcloud.io).
  3. A CircleCI account (https://circleci.com).

Step 1. Log in to your SonarCloud account. Create a new project and follow the setup instructions to obtain a unique project key and token as shown in the following image.

Configure the project’s “new code” definition (e.g. relative to the previous version of the codebase), as shown in the following image.

To ensure the effective use of SonarCloud, 5 essential things should be configured:

  1. Organization: each SonarCloud organization represents a corresponding organization on the repository platform side.
  2. Projects: each imported repository becomes a SonarCloud project.
  3. Rules: rules are executed on source code to generate issues. There are four types of rules: Code smell, Bug, Vulnerability, and Security hotspot.
  4. Quality Profiles: SonarCloud provides a default quality profile called the Sonar Way profile for each language, activating rules that should apply to most projects. This profile is marked with the “built-in” tag in the interface. If no other profile is explicitly defined at the project level, the default profile for the language will be used. New profiles can be created in two ways:
     • Copying an existing profile and adjusting the copy.
     • Extending an existing profile.
  5. Quality Gates: These are defined at the organization level and applied at the project level. Each project has one quality gate assigned from among those defined in the organization.
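To make the quality gate concept concrete, here is an added example (not code from the AVIV post or from SonarSource) that evaluates a gate’s conditions against the measures of a scan, in the style of the default gate SonarCloud applies to new code. The metric names, comparators, and thresholds are assumptions modelled on that default, and the scan measures are constructed; the only behaviour worth noting is that a missing measure fails the gate rather than silently passing it.

```python
# Added example: evaluate quality-gate conditions over a scan's measures.
# Metric names and thresholds below are assumptions modelled on SonarCloud's
# default "Sonar way" gate for new code; the sample scan is constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    metric: str       # measure the condition applies to
    comparator: str   # "GT": fail when actual > threshold; "LT": fail when actual < threshold
    threshold: float


# Assumed gate: coverage and hotspot review must be high, duplication low,
# and the security/reliability/maintainability ratings must stay at "A" (== 1).
SONAR_WAY_GATE: List[Condition] = [
    Condition("new_coverage", "LT", 80.0),
    Condition("new_duplicated_lines_density", "GT", 3.0),
    Condition("new_security_rating", "GT", 1.0),
    Condition("new_reliability_rating", "GT", 1.0),
    Condition("new_maintainability_rating", "GT", 1.0),
    Condition("new_security_hotspots_reviewed", "LT", 100.0),
]

# Constructed measures for one scan: coverage and duplication are fine, but a
# new vulnerability dropped the security rating to "C" (3) and only half of
# the new security hotspots were reviewed.
SAMPLE_SCAN: Dict[str, float] = {
    "new_coverage": 82.5,
    "new_duplicated_lines_density": 2.1,
    "new_security_rating": 3.0,
    "new_reliability_rating": 1.0,
    "new_maintainability_rating": 1.0,
    "new_security_hotspots_reviewed": 50.0,
}


def evaluate_gate(conditions: List[Condition],
                  measures: Dict[str, float]) -> Tuple[str, List[str]]:
    """Return ("OK" | "ERROR", descriptions of the failing conditions).

    A metric absent from the measures counts as a failure: a gate must never
    pass because the scanner did not report the data it is supposed to check.
    """
    failures: List[str] = []
    for cond in conditions:
        actual = measures.get(cond.metric)
        if actual is None:
            failures.append(f"{cond.metric}: no measure reported")
            continue
        too_high = cond.comparator == "GT" and actual > cond.threshold
        too_low = cond.comparator == "LT" and actual < cond.threshold
        if too_high or too_low:
            sign = ">" if too_high else "<"
            failures.append(f"{cond.metric}: {actual} {sign} {cond.threshold}")
    return ("ERROR" if failures else "OK"), failures


if __name__ == "__main__":
    status, failures = evaluate_gate(SONAR_WAY_GATE, SAMPLE_SCAN)
    print(f"Quality gate: {status}")
    for failure in failures:
        print(f"  - {failure}")
```

Running the block prints `Quality gate: ERROR` with the two failing conditions (security rating and hotspot review). The same evaluation is what makes “done” enforceable in a pipeline: a pull request whose new code fails any condition should not be mergeable.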

After configuring the project, you will be redirected to the project page, including the analysis results, as shown in the following image.

After the first scan, the Quality Gate status panel is present, but its results are only populated from the following scan onwards, as shown in the following image.

You can see the result if you create a new PR (Pull Request), as shown in the following image.

Then, the status will be updated with details such as Reliability, Maintainability, and other statistics, as shown in the following image.

You can also find the recent analysis activity on the project, as shown in the following image.

The SonarCloud bot will also be enabled in the PR view to get the results on every code change, as shown in the following image.

You can also click on “Details” to be redirected to the analysis page on SonarCloud, as shown in the following image.

There is another way to enable SonarCloud with your GitHub project by enabling SonarCloud GitHub App, as shown in the following image.

Select your GitHub organization or account, as shown in the following image.

Select the repositories you want to scan, as shown in the following image.

Save the changes to enable SonarCloud on the project.

Now, let’s configure CircleCI to run SonarCloud as a part of the CI/CD pipeline.

Disabling Automatic Analysis on the project is recommended, because the analysis will instead be run from CircleCI. In Project Administration, select Analysis Method, as shown in the following image.

Then disable Automatic Analysis, as shown in the following image.

Set up CircleCI environment variables for your SonarCloud token and any other sensitive information you may have; you can find the steps in your SonarCloud project, as shown in the following image.

Create a CircleCI context, and name it SonarCloud, as shown in the following image.

Add an Environment Variable, and name it SONAR_TOKEN as shown in the following image.

Create a configuration file in the project's root directory and name it sonar-project.properties, which will include the sonar.projectKey and sonar.organization, as shown in the following image.
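The properties file above only has to carry the project identity; the token stays in the CircleCI context as SONAR_TOKEN. The following added example (not code from the AVIV post or from SonarSource) parses a sonar-project.properties file and checks it before it is committed: it confirms that sonar.projectKey and sonar.organization are set, and rejects any credential key such as sonar.token or sonar.login that would put a secret in the repository. The sample file contents are constructed with placeholder values; the key names are real scanner properties.

```python
# Added example: parse and sanity-check a sonar-project.properties file.
# The sample content is constructed; key names are real SonarScanner properties.
import re
from typing import Dict, List

# Constructed sample matching the post's description: project key and
# organization (placeholder values), plus source location and exclusions.
SAMPLE_PROPERTIES = """\
# SonarCloud project identity (placeholder values)
sonar.projectKey=example-org_example-repo
sonar.organization=example-org
sonar.sources=src
sonar.exclusions=**/node_modules/**,**/*.test.js
"""

REQUIRED_KEYS = ("sonar.projectKey", "sonar.organization")

# Credentials belong in the CircleCI context (SONAR_TOKEN), never in the repo.
SECRET_KEYS = ("sonar.login", "sonar.token", "sonar.password")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader.

    Handles '#' and '!' comment lines, 'key=value' and 'key:value' pairs,
    and backslash line continuations, which is enough for scanner configs.
    """
    props: Dict[str, str] = {}
    # Join physical lines ending in a backslash into one logical line.
    logical_lines = re.sub(r"\\\r?\n\s*", "", text).splitlines()
    for raw in logical_lines:
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_properties(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file is safe to commit."""
    props = parse_properties(text)
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing required key {key}")
    for key in SECRET_KEYS:
        if key in props:
            findings.append(
                f"{key} must not be committed; pass the token via the "
                f"SONAR_TOKEN environment variable from the CircleCI context"
            )
    return findings


if __name__ == "__main__":
    for finding in check_properties(SAMPLE_PROPERTIES) or ["sonar-project.properties OK"]:
        print(finding)
```

Wired into a pre-commit hook or an early CI step, check_properties turns the “token lives in the context, not the file” rule into something the pipeline enforces rather than something reviewers have to remember.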

In your project’s .circleci/config.yml file, you’ll need to add the necessary steps to integrate SonarCloud.

Here’s an example configuration:

version: 2.1

orbs:
  # SonarSource's CircleCI orb; provides the sonarcloud/scan step
  sonarcloud: sonarsource/sonarcloud@1.0.3

jobs:
  build:
    docker:
      # Legacy circleci/* images are deprecated; cimg/node is the maintained line
      - image: circleci/node:14
    steps:
      - checkout
      - run:
          name: Install dependencies and build project
          command: npm install
      # Reads SONAR_TOKEN from the job's context and sonar-project.properties from the repo
      - sonarcloud/scan

workflows:
  main:
    jobs:
      - build:
          # The context created above that holds SONAR_TOKEN
          context: SonarCloud

Commit and push the updated .circleci/config.yml file to your GitHub repository, triggering your CircleCI pipeline automatically, as shown in the following image.

After completing the CI/CD pipeline, visit your SonarCloud project dashboard to view code analysis results, including code quality metrics, security vulnerabilities, and code smells, as shown in the following image.

Congratulations! You have configured your first project to run static analysis in a CircleCI CI/CD pipeline.

Extra point: Using SonarLint for real-time code analysis within the IDEs

SonarLint is a lightweight code analysis tool that provides real-time code analysis directly within integrated development environments (IDEs).

SonarLint is integrated into popular IDEs such as Visual Studio Code, Visual Studio, IntelliJ IDEA, and more. Developers can install and configure the SonarLint plugin specific to their IDE.

Once installed, SonarLint performs real-time code analysis as developers write or modify code. It highlights code issues, bugs, code smells, and security vulnerabilities directly within the IDE, offering instant feedback, as shown in the following image.

Conclusion

Static code analysis plays a vital role in achieving agility, speed, and reliability. By automating the analysis of code for issues, enforcing coding standards, and detecting security vulnerabilities, static code analysis tools enable development teams to produce higher-quality, more secure, and maintainable software.

Integrating SonarCloud with your CircleCI CI/CD pipeline is a powerful way to automate code analysis and ensure consistent code quality and security in your software projects.

Thank you for reading!

If you’re interested in joining our Aviv family, you can always find exciting opportunities here: https://careers.smartrecruiters.com/avivgroup

Good luck and happy testing!


Manager, Quality Engineering - Platform Experience | Author of Mobile DevOps Playbook | AWS Community Builder | Speaker | Advisory Board Member (Packt)