Scan a Git Repo in an Azure Pipeline with SonarCloud

In this article, you will learn how to scan a Git repo in an Azure Pipeline with SonarCloud.

Prerequisites

The following prerequisites will be required to complete this tutorial:

• Azure DevOps account. If you don't have an Azure DevOps account, create one for free before you begin.
• Azure DevOps project, with a dotnet core project in a Git repository. If you don't have a repo fork the articles Git repo.
• SonarCloud account. If you don't have a SonarCloud account, create one for free with your Azure DevOps account before you begin.

Create a SonarCloud Organization and Link it to Azure DevOps

Create a Personal Access Token

1. In Azure DevOps, select User Settings, Personal access tokens in the top right of the screen.

   

2. Select + New Token.

   

3. Enter the following values.

   Parameter	Value
   Name	SonarCloud
   Organization	Your Organization
   Scopes	Custom defined
   Code	Read & Write

   

Link SonarCloud to Azure DevOps with Personal Access Token

1. Login to SonarCloud.

2. Select Import project from Azure, and then enter the following values, and then select Continue.

   Parameter	Value
   Azure DevOps organization name	Your Organization name
   Personal Access Token (PAT)	PAT created earlier

   

3. Under Import Organization details, enter a Name and Key which will be used to identify your organization in Azure Pipelines, and then select Continue.

   

4. Select Free plan and then Create Organization.

   

Analyze an Azure DevOps project in SonarCloud

1. In the root of a SonarCloud Organization, select Projects, and then Analyze a new project.

   

2. Select the Project, and then Set Up.

   

3. Select the analysis method With Azure DevOps Pipelines.

   

You will now be presented with instructions to setup the analysis which will be outlined in the following sections. Keep the instructions open as you will need information from them.

Add SonarCloud Extension to Azure DevOps

1. In the root of an Azure DevOps Organization, select Organization Settings in the bottom left of the screen.

   

2. In the General section, select Extensions.

   

3. Select Browse marketplace.

   

4. Search for SonarCloud, and then select SonarCloud.

   

5. Select Get if free, and then select Install.

   

6. In the Extensions section, SonarCloud is now installed.

   

Add SonarCloud Service Connection to an Azure DevOps Project

1. From the root of an Azure DevOps Project, select Project settings in the bottom left of the screen.

   

2. In the Pipelines section, select Service connections.

   

3. Select Create service connection.

   

4. Search for SonarCloud, then select Next.

   

5. Enter the following values, and then select Verify and Save.

   Parameter	Value
   SonarCloud Token	Your SonarCloud Token see below for instructions
   Service connection name	SonarCloud
   Grant access permission to all pipelines	True

   

   Copy and paste the SonarCloud Token from the instructions Use this token under the Add a new SonarCloud Service Endpoint section into Azure DevOps Service Connection Setup SonarCloud Token text box.

Configure Azure DevOps Pipeline with SonarCloud Code Analysis

1. In the root of an Azure DevOps Project, select Pipelines.

   

2. Select Create Pipeline.

   

3. In the Connect tab, Select Azure Repos Git.

   

4. In the Select tab, select ASP.NET Core YAML template.

   

5. Go to the SonarCloud instructions, select .NET build, under the Configure Azure Pipeline section.

   

6. Replace the Contents of the YAML file with the following YAML replacing {Your...} with your organization, project key and project name from the SonarCloud instructions.

   trigger:
   - master
   
   pool:
   vmImage: ubuntu-latest
   
   variables:
   twogsdevProjectVersion: '1.0.0-$(Build.BuildNumber)'
   
   steps:
   - task: SonarCloudPrepare@1
       inputs:
       SonarCloud: 'SonarCloud'
       organization: 'twogsdev'
       scannerMode: 'MSBuild'
       projectKey: 'twogsdev_CoreDeployTest'
       projectName: 'CoreDeployTest'
       projectVersion: '$(twogsdevProjectVersion)'
   - task: DotNetCoreCLI@2
       inputs:
       command: 'build'
   - task: SonarCloudAnalyze@1
   - task: SonarCloudPublish@1
       inputs:
       pollingTimeoutSec: '300'
   

7. Rename the pipelines YAML file to sonarcloud-az-pipeline.yml and then select Save and run.

   

8. Add a commit message and then select Save and run.

   

9. Once the build has completed, in the Build Summary, select Extensions, and then Detailed SonarCloud Report.

   

In order to see the Quality Gate result in Azure DevOps Pipelines. A Code Definition needs configuring in SonarCloud. Follow the next steps to set this up.

Setup Quality Gate in SonarCloud

1. In the SonarCloud Project Overview, select Set New Code definition.

   

2. Select Previous Version, this corresponds to the projectVersion added to the pipeline YAML earlier.

   

3. Once configured, in Azure DevOps Pipelines, select Run new. Once the Azure Pipeline has finished building and analyzing, select Detailed SonarCloud Report.

   

4. In SonarCloud select See Full Analysis.

   

5. The Detailed Report will be opened.

   

Analyze SonarCloud Report

1. In the SonarCloud Dashboard, select the Your Project > See Full Analysis, then Overall Code.

   

2. Under Reliability, you will see a bug has been found. Select the Number next to Bugs.

   

3. The details of the Bug will be opened.

   

4. Select the Bug to see the code.