Continuous Code Quality refers to incorporating code quality and code security analysis as part of your continuous integration process. Steps like this play a significant role in “shifting security left” in your software development process and creating a robust DevSecOps process. In this post, I will talk about the tool, SonarCloud and how to integrate it with the build pipeline in Azure DevOps.
SonarCloud is a cloud-based code quality and security service. It readily integrates with GitHub.com, Azure DevOps Services, Bitbucket.com and GitLab.com. SonarCloud being a cloud service you don’t have to worry about installation or maintenance. As a SaaS offering, SonarCloud gives you immediate access to new features and functionality. There are a lot of static code analysis tools in the market but not all does security scanning like SonarCloud does.
In this post I am going to show how we can integrate SonarCloud in the Azure DevOps build pipeline and perform code quality analysis as part of your CI process. We are going to do the following steps –
- Add SonarCloud as Extension for Azure DevOps
- Create Project Key in SonarCloud
- Generate SonarCloud Security Token
- Create a Service Connection in Azure DevOps
- Integrate SonarCloud to Build Pipeline and Run the Pipeline
- View Result in SonarCloud Dashboard
There are a few prerequisites that I have before I move ahead. Firstly, I have a .NET Core MVC web application (called SKBookClub from my previous posts) already integrated with Azure DevOps. Which means, my source code resides in Azure Repos and I already have a build pipeline created. I use Visual Studio 2019 and it is integrated to the Azure repository. Secondly, I have already created an account in SonarCloud. I selected the free pricing option. You can do the same by going to – https://sonarcloud.io/
Anything that we need to do after this point onwards are covered as part of this post.
Add SonarCloud as Extension for Azure DevOps
Step 1: The first thing that we need to do is add SonarCloud extension in Azure DevOps. To do this, Click on the Marketplace icon on the top right corner and select Browse Marketplace. In the search field type in SonarCloud. From the search result select SonarCloud. This will take you to the SonarCloud overview page.
Step 2: In the overview page click on Get it free. Well, at this point it depends whether you are the owner of the Azure DevOps organization or not.
If you are the Organization owner, then you should be able to add SonarCloud directly (like in the gif below)
If you are NOT the Organization owner, then you would be able to send a “Request” to the organization owner. And the organization owner would see the request under Organization Settings -> Extensions -> Requested and click on Approve to add the extension.
Create Project Key in SonarCloud
Step 3: For the next steps, lets move to SonarCloud webpage. As mentioned earlier, I already created an account in SonarCloud. Log in to your SonarCloud account and lets create a new project. Create a new project by clicking on the + sign on the top right corner and selecting Analyze new project.
A project in this context is a place to store and track the analysis details from the builds. We need a unique project key to identify which project bucket the Azure DevOps extension will be putting the data into.
Step 4: Enter a project key. I used SKBookClub as the project key. Note this down as we’ll need it to configure the SonarCloud build tasks in Azure DevOps. At the bottom, we need to choose whether the Azure DevOps project is public or private. Since I have a free account, I selected public. Click on Set Up.
Create SonarCloud Security Token
Step 5: The next step is to create a token in SonarCloud which we would use while creating a service connection in Azure DevOps. From your SonarCloud page, go to My Account by clicking on the profile icon on the top right corner, then, click on Security.
Here you can generate a token. Provide a token name to help identify later and click on Generate. Copy the token and store it somewhere if you do not intend to use it immediately. You wont be able to see the token later.
Create a Service Connection in Azure DevOps
Step 6: Now lets go back to Azure DevOps and create a service connection for SonarCloud. Go to your project and click on Project Settings in the bottom left corner. Check the Visibility field. Remember, my SonarCloud subscription is a free subscription which allows only public projects. Therefore, I need to change the visibility of this project to public.
Go ahead and change the Visibility value to Public and click Save
Step 7: To create the service connection, go to Service connections under Pipelines section of Project Settings. Click on Create service connection and select SonarCloud which should be there towards the end, click Next.
Provide the token created earlier and click on Verify. Provide a Service connection name and click on Verify and Save. This should create your service connection for SonarCloud
Integrate SonarCloud to Build Pipeline and Run the Pipeline
Step 8: Now the next steps are to edit the build pipeline in order to include the SonarCloud analysis tasks. We have to add 3 SonarCloud tasks in our build pipeline. Go to Pipelines, select the pipeline for your project and click on Edit. In the Tasks section, type ‘SonarCloud’. There should be 3 tasks that would show up. These tasks are available because we added SonarCloud from the marketplace.
The Prepare Analysis Configuration task goes before the build task
The Run Code Analysis task goes right after the build task
The Publish Quality Gate task goes after the run code analysis task
Step 9: Lets go and add these 3 tasks. Keep the cursor before the build task so that the Prepare Analysis Configuration task gets inserted before build task. SonarCloud Service Endpoint is where we select the service connection endpoint that we created earlier. Then select the SonarCloud organization (which is already created in SonarCloud) in the Organization field. There are options to integrate with a few different build providers. Since this project is .NET Core, I selected Integrate with MSBuild. Below that, we need to type in the project key. This is the unique identifier we created in SonarCloud (in step 3 and 4) that identifies where we’re putting the analysis data from the build. I added a project name, and under Advanced, we can add additional properties to pass to the scanner like folders we want to exclude from scanning. Right now am keeping it blank.
Click on Add
Step 10: Now we need to insert a task after the build completes that will do the actual scan and send the results to SonarCloud. Search for SonarCloud again in the tasks, and this time insert the task Run Code Analysis.
Now the last task we want to add is to publish the quality gates result. So this will pause the build and retrieve the results of the analysis from SonarCloud, and that value will then be available in the build summary. So search for SonarCloud again in the task list and choose Publish Quality Gate Result. Accept the default timeout value for pulling the SonarCloud web service and click Add.
Step 11: Now save these changes to the build pipeline YAML. Since I have continuous integration enabled on the branch, the build gets triggered. Now that the build is compete, you can check the logs but the logs do not show any results in particular. The results of the SonarCloud Analyze task has been pushed to SonarCloud.
View Result in SonarCloud Dashboard
Step 12: Lets head to the SonarCloud dashboard. Here on the overview page, we can see what was found in this particular build analysis. The results you see of course depends on your code but I will try and show what a typical report looks like taking my report as an example. Take a look at the various tabs
Take a closer look at the Issues tab. There are a variety of issues listed here, and there’s actually a category called Security Hotspot where we can see a list of all the potential security issues. You can see it’s pretty detailed, and these are just for review. They aren’t critical errors. Most of them involve the use of regular expressions. Going back to the issues overview, each of these issues has a category of Bug, Vulnerability, or Code Smell, and each category has a severity.
On the Measures tab, you can track the value of different metrics over time. From the Code tab, we can see the test coverage, bugs, and code smells broken down to the file and folder levels. And the project activity page lets you see the evolution of project measures over time. Now because our code passed the SonarCloud quality gate, you might not realize that even if it had failed, our build in Azure DevOps wouldn’t fail.
The above demo shows how an automatic workflow between Azure DevOps and SonarCloud can be used to focus on code quality at an early stage in the development cycle. Like I mentioned earlier, processes like these will go a long way in helping security shift left.