SonarCloud is the leading product for Continuous Code Quality online. It is a static source code analysis solution that enables continuous tracking of bugs, code smells and vulnerabilities for 17 different languages such as C#, VB .Net, Java, C, C++, JavaScript, ...
SonarCloud is totally free for open-source projects, and has a paid plan for private ones. Simply sign up with your Bitbucket Cloud account, create an organization for your team, and then configure your CI to run the scanners and get your projects analyzed in a couple of minutes.
Here is what you need to successfully analyze your projects on SonarCloud: a SonarCloud account and an organization for your team (see above), and a project set up by following the tutorial reached from the "+" icon available at the top right part of the screen.
SonarCloud integrates with Bitbucket Pipelines to make it easier to trigger analyses. Follow these steps:

1. On SonarCloud, create your project by following the tutorial reached from the "+" icon available at the top right part of the screen. You can copy-paste the command line displayed at the end.

2. In the Pipelines settings of your repository, add a SONAR_TOKEN variable that contains the value of the SonarCloud token (something like 9ad01c85336b265406fa6554a9a681a4b281135f) which you created during the tutorial (it is also available inside the command line that you copy-pasted). Make sure that you click on the "Lock" icon to encrypt and hide this token.

3. In the bitbucket-pipelines.yml file of your repository, paste the command line provided by the tutorial and replace the actual token by its variable name. For example, for a Java Maven-based project, you should have something like:

    ...
    script:
      - mvn sonar:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=my-team-org -Dsonar.login=$SONAR_TOKEN
    ...

When this change to bitbucket-pipelines.yml is committed and pushed, Pipelines should automatically run a new build and therefore trigger the analysis of the repository. Shortly after, your project will appear on SonarCloud in your organization.
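Step 2 and step 3 above only protect the token if the literal value never reaches the repository. The following POSIX shell check is an added example (not part of the SonarCloud documentation) that a team can run before pushing or as an early pipeline step: it fails when a 40-character hex token is found after -Dsonar.login= and passes only when every occurrence references the secured SONAR_TOKEN variable. The two sample pipeline files are constructed inline; the token value in the "bad" file is the example value shown in the tutorial, and the assumption that tokens are 40 hex characters is taken from that example.

```shell
#!/bin/sh
# Added example (not part of the SonarCloud documentation): check that the
# SonarCloud token is referenced through the secured SONAR_TOKEN variable and
# was not pasted literally into bitbucket-pipelines.yml.
# Assumption: the scanner is invoked with -Dsonar.login=... and a SonarCloud
# token is a 40-character hex string, like the example value in the tutorial.

# True (exit 0) when FILE carries a literal token after -Dsonar.login=
has_hardcoded_token() {
    grep -Eq -- '-Dsonar\.login=[0-9a-f]{40}([^0-9a-f]|$)' "$1"
}

# True when every -Dsonar.login occurrence in FILE uses $SONAR_TOKEN or ${SONAR_TOKEN}
uses_token_variable() {
    ! grep -E -- '-Dsonar\.login=' "$1" | grep -Evq -- '-Dsonar\.login=\$([{]SONAR_TOKEN[}]|SONAR_TOKEN)'
}

# Exit 1 with a message when FILE should not be committed as it is.
check_pipeline_file() {
    if has_hardcoded_token "$1"; then
        echo "FAIL: literal SonarCloud token found in $1 - move it to a secured SONAR_TOKEN variable" >&2
        return 1
    fi
    if ! uses_token_variable "$1"; then
        echo "FAIL: -Dsonar.login in $1 does not use \$SONAR_TOKEN" >&2
        return 1
    fi
    echo "OK: $1 references the token only through \$SONAR_TOKEN"
}

# Constructed sample files; the token value is the example one from the tutorial.
BAD_YML=$(mktemp)
cat > "$BAD_YML" <<'EOF'
pipelines:
  default:
    - step:
        script:
          - mvn sonar:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=my-team-org -Dsonar.login=9ad01c85336b265406fa6554a9a681a4b281135f
EOF

GOOD_YML=$(mktemp)
cat > "$GOOD_YML" <<'EOF'
pipelines:
  default:
    - step:
        script:
          - mvn sonar:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=my-team-org -Dsonar.login=$SONAR_TOKEN
EOF

for f in "$GOOD_YML" "$BAD_YML"; do
    check_pipeline_file "$f" || echo "  -> fix $f before pushing" >&2
done
```

Run it against the real bitbucket-pipelines.yml with `check_pipeline_file bitbucket-pipelines.yml`; a non-zero exit is the signal to move the value into the locked SONAR_TOKEN variable and to revoke the exposed token on SonarCloud, since anything committed is in the repository history.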
From now on, every time Pipelines triggers a build, SonarCloud will analyze the repository as configured in the bitbucket-pipelines.yml file.
Once your project is successfully configured and analyzed by SonarCloud, you will automatically
get feedback at pull request level (status based on the quality gate, and summary of the analysis).
You will also see the overall quality of the repository on its overview page, giving your team always up-to-date visibility on the quality of the project.
If you want to hide this widget (e.g. because your repository is not analyzed on SonarCloud), you can go to the "Settings > SonarCloud" page of your repository and check the "Hide repository overview widget".
For the time being, you can take a look at this very simple JS project: Sample project analysed on SonarCloud
If you want to analyze a non-Java project (JS, TS, PHP, Python, Go, ...), you will need to download and install the Scanner CLI during the execution of your build, prior to the actual code scan. You have two options, one of which is to download it (with curl, for instance) from the links available on the documentation page and unpack it (preferably in a cached folder for later reuse).

Make sure that your browser is not using extensions like AdBlock. They tend to break the integration of third-party applications in Bitbucket Cloud.