Code quality and analysis with SonarQube — Part II

3 min readJun 16, 2022


This is the second part of “Code Quality and analysis with SonarQube”, you can checkout the first part from here, this part mainly will be about integrating SonarQube with Gitlab CI-CD pipelines.

As seen in the first part, SonarQube is one of the greatest tool to measure and analyse your code quality besides top 10 OWASP vulnerabilities scan and complexity check, it would be more useful if it’s integrated to our git ci-cd pipeline instead of running it locally each time (we programmers are lazy 😁), so let’s break the ice.

1- Setup your SonarQube Server :

The first required step is to have a SonarQube deployed somewhere, here we’ll use an AWS Bitnami instance, you can set it from here (give me a sign for any troubleshooting), or use SonarQubeCloud from here (they’ve a free plan), once your SonarQube server is ready, go to your gitlab project, and create environment variables as in the picture as follows :

Go to settings -> CI/CD -> Variables , then click on “Add variable” to add SonarQube server’s URL and Login token

N.B : be sure that “Protect variable” ain’t checked, so your variable can be read and accessed by the pipeline.

2. Create your pipeline :

Once your SonarQube server is well set and the host url and login token are added as environment variables, it’s time now to create your pipeline, so, just go from the menu on the left to CI/CD -> Editor , and add the code below to set your pipeline :

And to finish, submit your changes with a new commit message :

This will start your pipeline checks, and once all checks pass correctly, the pipeline check icon will pass to green, and you can then check the sonarqube scan on your server

Sonarqube analysis on the server :

That’s all for now 😉, SonarQube has many use cases and many useful metrics to boost your code quality, maintainability and security, it has many alternatives but with one metric focus i.e : like Jenkins for testing and Archerysec for security scans.