
# SonarQube / SonarCloud

## When NOT to Use This Skill

- JavaScript/TypeScript linting: use the eslint-biome skill for faster feedback
- Dedicated security scanning: use the owasp-top-10 skill or the security-scanner MCP (SonarQube still enforces the Security Rating and Security Hotspot conditions described under Quality Gates below)
- Test execution: use the Vitest/Playwright skills to run tests
- Code coverage generation: use the JaCoCo/Vitest skills to produce the coverage reports that SonarQube imports

Deep Knowledge: use `mcp__documentation__fetch_docs` with `technology: sonarqube` for the comprehensive official documentation.

## Official Documentation

## Quick Setup

### SonarCloud (Recommended for Open Source)

1. Connect the repository at sonarcloud.io
2. Create `sonar-project.properties`:

```properties
# sonar-project.properties
sonar.projectKey=org_project
sonar.organization=your-org
sonar.sources=src
sonar.tests=tests
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.coverage.exclusions=**/*.test.ts,**/*.spec.ts
```

Keep the analysis token out of this file: it is committed to the repository, and the scanner reads the token from the `SONAR_TOKEN` environment variable instead.

### SonarQube (Self-hosted)

The `db` host and the `sonarqube_data` volume referenced by the SonarQube service must be declared in the same Compose file, and the JDBC user and password go alongside the JDBC URL:

```yaml
# docker-compose.yml
services:
  sonarqube:
    image: sonarqube:lts-community
    ports:
      - "9000:9000"   # put a TLS reverse proxy in front before exposing this beyond localhost
    environment:
      - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONAR_JDBC_USERNAME=sonar
      - SONAR_JDBC_PASSWORD=${SONAR_DB_PASSWORD:?set SONAR_DB_PASSWORD in .env}
    volumes:
      - sonarqube_data:/opt/sonarqube/data
  db:
    image: postgres:15
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=${SONAR_DB_PASSWORD:?set SONAR_DB_PASSWORD in .env}
      - POSTGRES_DB=sonar
volumes:
  sonarqube_data:
```

SonarQube embeds Elasticsearch, which will not start unless the Docker host has `vm.max_map_count` of at least 524288 (`sysctl -w vm.max_map_count=524288`). The first login is `admin`/`admin`; change it before anyone else can reach port 9000.

---

## Quality Gates

### Default Quality Gate Conditions

| Metric | Condition | Target |
|---|---|---|
| Coverage | on new code | ≥ 80% |
| Duplicated Lines | on new code | ≤ 3% |
| Maintainability Rating | on new code | A |
| Reliability Rating | on new code | A |
| Security Rating | on new code | A |
| Security Hotspots Reviewed | on new code | 100% |

### Custom Quality Gate

```bash
# Create via API
curl -X POST "https://sonarcloud.io/api/qualitygates/create" \
  -H "Authorization: Bearer $SONAR_TOKEN" \
  -d "name=Strict"
```

A gate created this way starts with no conditions and is not attached to any project: add conditions with `api/qualitygates/create_condition` and assign the gate with `api/qualitygates/select`, otherwise the project keeps using the default gate. On SonarCloud, gates belong to an organization, so these calls also carry `organization=<your-org>`.

---

## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/sonar.yml
name: SonarCloud
on: [push, pull_request]

# least privilege: the scan only needs to read the checkout and PR metadata
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so new-code detection and blame work
      - name: SonarCloud Scan
        # pin to a release tag or a commit SHA rather than the moving master branch
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Referencing a third-party action by branch means every run executes whatever that branch currently contains; pin it to a tag or, better, a full commit SHA. Note also that GitHub does not expose repository secrets to `pull_request` runs triggered from forks, so `SONAR_TOKEN` will be empty there and the scan step will fail unless you guard it.

### Maven (Java)

```xml
<!-- pom.xml -->
<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>3.10.0.2594</version>
</plugin>
```

```bash
mvn sonar:sonar \
  -Dsonar.projectKey=project \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.token=$SONAR_TOKEN
```

`sonar.token` replaced the older `sonar.login` property in this plugin version. Passing it with `-D` puts the token on the command line, where it shows up in the process list and often in CI logs; exporting `SONAR_TOKEN` in the environment and dropping the flag avoids that, since the scanner reads the variable directly.

## Key Metrics

| Metric | Description | Good Value |
|---|---|---|
| Bugs | Reliability issues | 0 |
| Vulnerabilities | Security issues | 0 |
| Code Smells | Maintainability issues | Minimize |
| Coverage | Test coverage % | > 80% |
| Duplications | Duplicated code % | < 3% |
| Cognitive Complexity | Code understandability | < 15/function |

## Language-Specific Rules

## Excluding Files

```properties
# sonar-project.properties
sonar.exclusions=**/node_modules/**,**/dist/**,**/*.test.ts
sonar.coverage.exclusions=**/tests/**,**/mocks/**
sonar.cpd.exclusions=**/generated/**
```

The three properties have different blast radius. `sonar.exclusions` removes files from analysis entirely, so no bug, vulnerability or hotspot rule ever sees them; keep it to vendored dependencies and build output. `sonar.coverage.exclusions` and `sonar.cpd.exclusions` only drop files from the coverage and duplication metrics, and the code is still analysed.

---

## API Examples

```bash
# Get project status
curl "https://sonarcloud.io/api/qualitygates/project_status?projectKey=KEY" \
  -H "Authorization: Bearer $SONAR_TOKEN"
```

```bash
# Get issues (use types=VULNERABILITY for security issues)
curl "https://sonarcloud.io/api/issues/search?componentKeys=KEY&types=BUG" \
  -H "Authorization: Bearer $SONAR_TOKEN"
```

### Get metrics
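Added example, not code from the original skill or from SonarSource: a standard-library Python helper that does end to end what the Custom Quality Gate section and the API examples above describe, namely create a stricter gate, attach conditions, assign it to a project, and reduce a `project_status` response to a pass/fail decision a CI job can act on. The endpoints and the `projectKey`, `metric`, `op`, `error` and `gateName` parameters are the SonarQube Web API ones; the gate name `Strict`, the thresholds, the project key and the sample response are assumptions, and `organization` is the extra parameter SonarCloud expects.

```python
"""Quality-gate helper for the SonarQube/SonarCloud Web API (added example).

create_strict_gate() composes api/qualitygates/create, create_condition and
select; failed_conditions() parses api/qualitygates/project_status.  Only the
standard library is used.  Gate name, thresholds and project key are assumed.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

SONAR_URL = os.environ.get("SONAR_HOST_URL", "https://sonarcloud.io")
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")

# Assumed "Strict" conditions on new code.  `op` is the comparator under which the
# condition FAILS (LT: actual below threshold, GT: actual above threshold).
STRICT_CONDITIONS: List[Tuple[str, str, str]] = [
    ("new_coverage", "LT", "90"),                    # new-code coverage below 90 %
    ("new_duplicated_lines_density", "GT", "1"),     # duplication above 1 %
    ("new_vulnerabilities", "GT", "0"),              # any new vulnerability
    ("new_security_hotspots_reviewed", "LT", "100"), # any unreviewed hotspot
    ("new_security_rating", "GT", "1"),              # rating worse than A (A == 1)
]


def api(method: str, path: str, params: Dict[str, str]) -> dict:
    """Call one endpoint with a bearer token; POST sends form-encoded params."""
    query = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{SONAR_URL}/{path}?{query}")
    else:
        req = urllib.request.Request(f"{SONAR_URL}/{path}", data=query.encode(), method="POST")
    req.add_header("Authorization", f"Bearer {SONAR_TOKEN}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def create_strict_gate(name: str, project_key: str,
                       organization: Optional[str] = None) -> List[dict]:
    """Create the gate, attach every condition, then assign it to the project.

    SonarCloud scopes gates to an organization; self-hosted SonarQube does not.
    Returns the condition objects the server created.
    """
    org = {"organization": organization} if organization else {}
    api("POST", "api/qualitygates/create", {"name": name, **org})
    created = []
    for metric, op, error in STRICT_CONDITIONS:
        created.append(api("POST", "api/qualitygates/create_condition",
                           {"gateName": name, "metric": metric,
                            "op": op, "error": error, **org}))
    api("POST", "api/qualitygates/select",
        {"gateName": name, "projectKey": project_key, **org})
    return created


def failed_conditions(status: dict) -> List[str]:
    """Turn a project_status payload into readable failures (empty == gate passed)."""
    ps = status["projectStatus"]
    failures = []
    for cond in ps.get("conditions", []):
        if cond.get("status") == "ERROR":
            failures.append(f'{cond["metricKey"]}: {cond.get("actualValue")} '
                            f'{cond["comparator"]} threshold {cond["errorThreshold"]}')
    # NONE (never analysed) or ERROR without condition detail still blocks.
    if ps.get("status") != "OK" and not failures:
        failures.append(f'gate status {ps.get("status")}')
    return failures


# Constructed sample response in the shape project_status returns (not real data).
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "62.5"},
    {"status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
     "errorThreshold": "3", "actualValue": "0.0"},
]}}


if __name__ == "__main__":
    import sys
    status = SAMPLE_STATUS
    if len(sys.argv) > 1 and SONAR_TOKEN:  # python gate.py <projectKey>
        status = api("GET", "api/qualitygates/project_status", {"projectKey": sys.argv[1]})
    problems = failed_conditions(status)
    print("\n".join(problems) or "quality gate passed")
    sys.exit(1 if problems else 0)
```

Run it with `SONAR_TOKEN` (and `SONAR_HOST_URL` for a self-hosted server) exported and a project key as the first argument to check a real project; with no argument it evaluates the constructed sample and exits non-zero. Making the CI job's exit status follow the gate is what turns "PR decoration" into an actual merge block.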

## Anti-Patterns

| Anti-Pattern | Why It's Bad | Correct Approach |
|---|---|---|
| No quality gate on PRs | Merging bad code | Enable PR decoration, block on failure |
| Excluding all tests from coverage | Inflated coverage numbers | Only exclude test utilities |
| Ignoring code smells | Technical debt accumulates | Fix or justify with comments |
| No coverage reporting | Can't track quality trends | Configure coverage reports in CI |
| Using default quality gate | Too lenient for most projects | Create custom stricter gate |
| Not reviewing Security Hotspots | Potential vulnerabilities missed | Review all hotspots before release |

## Quick Troubleshooting

| Issue | Likely Cause | Solution |
|---|---|---|
| Quality gate failed unexpectedly | New code coverage < 80% | Add tests or adjust coverage target |
| Analysis not running | Missing SONAR_TOKEN | Add token to CI secrets |
| Coverage always 0% | Wrong report path | Check `sonar.javascript.lcov.reportPaths` |
| Duplicated code false positives | Boilerplate code | Add to `sonar.cpd.exclusions` |
| Too many issues reported | First scan on legacy code | Use "New Code" focus, fix incrementally |
| PR decoration not working | Missing GitHub App integration | Configure SonarCloud GitHub App |
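Added example, not part of the original skill: a pre-flight check for the "Coverage always 0%" row above. It reads `sonar-project.properties`, resolves every path listed under `sonar.javascript.lcov.reportPaths`, and sums each LCOV file's `LF`/`LH` (lines found / lines hit) records, so a wrong path or an empty report is caught in CI before the scanner silently imports nothing. The properties text, the LCOV content and the file names are constructed for the example.

```python
"""Verify the LCOV inputs SonarQube will import (added example, standard library only)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

LCOV_KEY = "sonar.javascript.lcov.reportPaths"


def read_report_paths(properties_text: str, key: str = LCOV_KEY) -> List[str]:
    """Return the comma-separated paths configured for `key` (empty list if absent)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return [p.strip() for p in v.split(",") if p.strip()]
    return []


def lcov_totals(lcov_text: str) -> Tuple[int, int]:
    """Sum LF (lines found) and LH (lines hit) over every SF record in the file."""
    found = sum(int(n) for n in re.findall(r"^LF:(\d+)$", lcov_text, re.M))
    hit = sum(int(n) for n in re.findall(r"^LH:(\d+)$", lcov_text, re.M))
    return found, hit


def check_coverage_inputs(properties_text: str, base_dir: str) -> Dict[str, str]:
    """Map each configured report path to 'missing', 'empty' or its line coverage."""
    result: Dict[str, str] = {}
    for rel in read_report_paths(properties_text):
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"          # the scanner would log a warning and import 0 %
            continue
        with open(path, encoding="utf-8") as fh:
            found, hit = lcov_totals(fh.read())
        result[rel] = "empty" if found == 0 else f"{100.0 * hit / found:.1f}%"
    return result


# Constructed inputs: one path that exists and one that does not.
SAMPLE_PROPERTIES = """\
sonar.projectKey=org_project
sonar.sources=src
sonar.javascript.lcov.reportPaths=coverage/lcov.info,build/lcov.info
"""
SAMPLE_LCOV = """\
TN:
SF:src/auth.ts
DA:1,3
DA:2,0
LF:2
LH:1
end_of_record
SF:src/util.ts
DA:1,1
DA:2,1
LF:2
LH:2
end_of_record
"""


def demo() -> Dict[str, str]:
    """Write the constructed files into a temp dir and run the check against them."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "coverage"))
        with open(os.path.join(tmp, "coverage", "lcov.info"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LCOV)
        return check_coverage_inputs(SAMPLE_PROPERTIES, tmp)


if __name__ == "__main__":
    import sys
    report = demo()
    for rel, state in report.items():
        print(f"{rel}: {state}")
    # fail the job if any configured report is missing or empty
    sys.exit(1 if any(s in ("missing", "empty") for s in report.values()) else 0)
```

In a real pipeline, call `check_coverage_inputs` with the repository's own properties text and root directory after the test step and before the scan step; a `missing` or `empty` entry means the 0% the gate would report is a configuration problem, not a testing problem.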

## Related Skills

- Quality Principles
- GitHub Actions
- JaCoCo