SonarCloud Help


SonarCloud is the leading product for Continuous Code Quality online. It is a static source code analysis solution that enables continuous tracking of bugs, code smells and vulnerabilities for 17 different languages such as C#, VB .Net, Java, C, C++, JavaScript, ...

SonarCloud is totally free for open-source projects, and has a paid plan for private ones. Simply sign up with your Bitbucket Cloud account, create an organization for your team, and then configure your CI to run the scanners and get your projects analyzed in a couple of minutes.

Requirements

Here is what you need to successfully analyze your projects on SonarCloud:

  • A user account: simply log in or sign up on the service with your Bitbucket Cloud account
  • A SonarCloud organization to host your projects: this is optional, but it is recommended that your team have a dedicated organization. You can create one from the + icon at the top right of the screen.

Analyze my repository using Pipelines

SonarCloud integrates with BitBucket Pipelines to make it easier to trigger analyses. Follow these steps:

  1. On SonarCloud, open and follow the "New Project" tutorial available from the + icon at the top right of the screen. You can copy-paste the command line displayed at the end.
     
  2. On BitBucket, go to the "Settings > Pipelines > Environment variables" page of your team, and add a new SONAR_TOKEN variable containing the value of the SonarCloud token (something like 9ad01c85336b265406fa6554a9a681a4b281135f) that you created during the tutorial (it is also visible inside the command line you copy-pasted). Make sure that you click the "Lock" icon so that the token is stored encrypted and hidden.
     
  3. Inside the bitbucket-pipelines.yml file of your repository, copy the command line provided by the tutorial and replace the actual token with its variable name. For example, for a Java Maven-based project, you should have something like:
    ...
    script:
      - mvn sonar:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=my-team-org -Dsonar.login=$SONAR_TOKEN
    ...
    
    When this change on bitbucket-pipelines.yml is committed and pushed, Pipelines should automatically run a new build and therefore trigger the analysis of the repository. Shortly after, your project will appear on SonarCloud in your organization.
     
  4. Once you see your project in SonarCloud, go to the BitBucket Cloud "Settings > SonarCloud" page of your repository and find it in the select box to link it.

From now on, every time Pipelines triggers a build, SonarCloud will:

  • Analyze every new branch that contains the change on the bitbucket-pipelines.yml file.
  • Analyze and decorate every pull request based on such a branch.
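As an added illustration (not part of the tutorial output or of SonarSource's own documentation), here is a complete bitbucket-pipelines.yml for a Java Maven project that follows the steps above. The Docker image tag and the organization key my-team-org are assumptions; the only secret, the token, comes from the locked SONAR_TOKEN variable and never appears in the repository:

```yaml
# bitbucket-pipelines.yml (added example; image tag and organization key are assumptions)
image: maven:3.6-jdk-11

pipelines:
  default:
    - step:
        name: Build and analyze on SonarCloud
        caches:
          - maven          # built-in cache for ~/.m2 so dependencies are not re-downloaded on every build
        script:
          # Build and run the tests first so that test results are available to the analysis.
          - mvn -B verify
          # The token is read from the SONAR_TOKEN variable defined under
          # Settings > Pipelines > Environment variables and locked there.
          # Never paste the literal token value into this file: the file is
          # versioned, so anyone with read access to the repository history could reuse it.
          - mvn -B sonar:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=my-team-org -Dsonar.login=$SONAR_TOKEN
```

Because the pipeline is declared under `default`, it runs for every branch that carries this file, which is what lets SonarCloud analyze new branches and decorate the pull requests based on them.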

Displaying the quality of a repository inside Bitbucket Cloud

Once your project is successfully configured and analyzed by SonarCloud, you will automatically get feedback at pull request level (status based on the quality gate, and summary of the analysis).
You will also see the overall quality of the repository on its overview page, giving your team always up-to-date visibility on the quality of the project.

If you want to hide this widget (e.g. because your repository is not analyzed on SonarCloud), you can go to the "Settings > SonarCloud" page of your repository and check the "Hide repository overview widget" option.

FAQ

Do you have a sample project on Bitbucket Cloud?

For the time being, you can take a look at this very simple JS project: Sample project analysed on SonarCloud

Pipelines can't find sonar-scanner

If you want to analyze a non-Java project (JS, TS, PHP, Python, Go, ...), you will need to download and install the Scanner CLI during the execution of your build prior to the actual code scan. You have two options:

  • You can download it (with curl for instance) from the links available on the documentation page and unpack it (preferably in a cached folder for later reuse).
  • On Node environments, you can rely on a community NPM module to install it globally and therefore make it available in the PATH.
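The following bitbucket-pipelines.yml, added here as an example rather than taken from this page or from SonarSource, shows the first option for a Node project: the Scanner CLI is downloaded once with curl, checked against an expected checksum, unpacked into a directory declared as a custom cache, and reused by later builds instead of being downloaded again. The image (assumed to provide curl, unzip and sha256sum), the SONAR_SCANNER_URL and SONAR_SCANNER_SHA256 Pipelines variables (placeholders you would fill from the links and checksums on the documentation page), the project key and the source directory are all assumptions:

```yaml
# bitbucket-pipelines.yml (added example; image, URL/checksum variables, project key and paths are assumptions)
image: node:12

definitions:
  caches:
    # Custom cache so the unpacked scanner survives between builds (name and path are assumptions).
    sonar-scanner: ~/.sonar/sonar-scanner

pipelines:
  default:
    - step:
        name: Test and analyze on SonarCloud
        caches:
          - node
          - sonar-scanner
        script:
          - npm ci
          - npm test
          # Install the Scanner CLI only when the cache is empty. SONAR_SCANNER_URL and
          # SONAR_SCANNER_SHA256 are placeholder Pipelines variables holding the download
          # link from the documentation page and the checksum published next to it; the
          # checksum step rejects a corrupted or substituted archive before it is unpacked.
          - >-
            if [ ! -x "$HOME/.sonar/sonar-scanner/bin/sonar-scanner" ]; then
              curl -fsSL -o /tmp/sonar-scanner.zip "$SONAR_SCANNER_URL" &&
              echo "$SONAR_SCANNER_SHA256  /tmp/sonar-scanner.zip" | sha256sum -c - &&
              mkdir -p /tmp/sonar-unzip "$HOME/.sonar" &&
              unzip -q /tmp/sonar-scanner.zip -d /tmp/sonar-unzip &&
              mv /tmp/sonar-unzip/sonar-scanner-* "$HOME/.sonar/sonar-scanner";
            fi
          # Run the scan; the token still comes from the locked SONAR_TOKEN variable.
          - >-
            "$HOME/.sonar/sonar-scanner/bin/sonar-scanner"
            -Dsonar.host.url=https://sonarcloud.io
            -Dsonar.organization=my-team-org
            -Dsonar.projectKey=my-team-org_my-js-project
            -Dsonar.sources=src
            -Dsonar.login=$SONAR_TOKEN
```

The `sonar-scanner` cache is only saved when the step succeeds, so a build that fails the checksum check leaves nothing in the cache and the next build retries the download.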

I don't see any quality information even though I configured everything

Make sure that your browser is not using extensions such as ad blockers. They tend to break the integration of third-party applications in BitBucket Cloud.

Upcoming features and improvements

There are various areas in which you can expect new features and improvements:
  • Tighter integration with Pipelines (fewer parameters to pass on the CLI, availability of the scanner, ...)
  • Pull request decoration with inline comments to show the issues within the PR
  • Better and easier team onboarding
  • Automatic analysis (i.e. no need to configure anything from Pipelines)