Integrating SonarQube with Azure Repos to Assess Code Vulnerability for .NET Applications and Send Reports to JFrog Artifactory

Integrating SonarQube with Azure Repos allows you to continuously assess the code quality and security of your .NET applications. This guide will walk you through the steps to set up this integration and send the generated reports to an Artifactory repository.

Prerequisites

Before you begin, ensure you have the following:

  • An Azure DevOps account
  • A SonarQube server (either locally hosted or on the cloud)
  • An Artifactory account
  • A .NET application in an Azure Repos repository
  • Azure CLI installed
  • Docker installed (if using Docker for SonarQube)

Step 1: Set Up SonarQube
  • Install SonarQube:
    • You can install SonarQube locally using Docker:
docker run -d --name sonarqube -p 9000:9000 sonarqube
    • Alternatively, you can set up SonarQube on a cloud service.
  • Configure SonarQube:
    • Access SonarQube at http://localhost:9000 (or your server’s IP).
    • Log in with the default credentials (admin/admin) and change the password.
    • Create a new project and generate a project key.
Step 2: Integrate SonarQube with Azure DevOps
  • Generate a Personal Access Token (PAT):
    • In Azure DevOps, go to your profile and select “Security”.
    • Create a new token with the necessary scopes (Code, Build).
  • Configure SonarQube for Azure DevOps:
    • In SonarQube, navigate to Administration > Configuration > General Settings > DevOps Platform Integrations.
    • Select the Azure DevOps tab and add your Azure DevOps organization URL and PAT.
  • Install SonarQube Extension in Azure DevOps:
    • Go to the Azure DevOps marketplace and install the SonarQube extension.
Step 3: Set Up Azure Pipelines
  • Create a New Pipeline:
    • In your Azure DevOps project, navigate to Pipelines and create a new pipeline.
    • Select your repository and configure the pipeline using the YAML file.
  • Configure the Pipeline YAML:
    • Add the following stages to your azure-pipelines.yml:
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  buildConfiguration: 'Release'
  sonarQubeProjectKey: '<your-sonarqube-project-key>'
  sonarQubeServerUrl: 'http://<your-sonarqube-server-url>'
  sonarQubeToken: '<your-sonarqube-token>'

steps:
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '5.x'

- task: DotNetCoreCLI@2
  inputs:
    command: 'restore'
    projects: '**/*.csproj'

- task: DotNetCoreCLI@2
  inputs:
    command: 'build'
    projects: '**/*.csproj'
    arguments: '--configuration $(buildConfiguration)'

- task: SonarQubePrepare@4
  inputs:
    SonarQube: 'SonarQube'
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: '$(sonarQubeProjectKey)'
    cliProjectName: '<your-project-name>'
    cliSources: '.'

- task: DotNetCoreCLI@2
  inputs:
    command: 'test'
    projects: '**/*.csproj'
    arguments: '--configuration $(buildConfiguration)'

- task: SonarQubeAnalyze@4

- task: SonarQubePublish@4
  inputs:
    pollingTimeoutSec: '300'
Step 4: Send Reports to Artifactory
  • Install JFrog CLI:
    • Install JFrog CLI on your build agent:
curl -fL https://getcli.jfrog.io | sh
  • Configure Artifactory in the Pipeline:
    • Add steps to upload the SonarQube report to Artifactory:
- script: |
    jfrog rt config --url=https://<your-artifactory-url> --user=<your-username> --password=<your-password>
    jfrog rt u sonar-report.zip <your-repo-path>/sonar-report.zip
  displayName: 'Upload SonarQube Report to Artifactory'
  • Generate and Upload the Report:
    • Ensure the SonarQube report is generated and zipped before uploading:
- script: |
    zip -r sonar-report.zip .scannerwork
  displayName: 'Zip SonarQube Report'
By following these steps, you can integrate SonarQube with Azure Repos to continuously assess the code quality and security of your .NET applications and send the generated reports to Artifactory. This setup ensures that your code remains secure and maintainable, while also providing a centralized location for storing and accessing your reports.

Checkout: 

Comments

Post a Comment

Comments are always welcome, that will help us to motivate ourselves and improve our services. Thanks!!

Popular posts from this blog

How to update build number in Azure DevOps pipeline?

Azure DevOps Pipelines are an essential part of any software development process . They allow you to build, test, and deploy your application automatically, providing you with a continuous integration and deployment (CI/CD) solution that ensures your code is always up-to-date and ready to be shipped. One crucial element of any build process is the build number. This number uniquely identifies each build, making it easy to track changes and ensure that you're always using the latest version of your software. In this blog post, we'll take a look at the command to update the build number on an Azure DevOps Pipeline. What is the Build Number? The build number is a unique identifier for each build that's created in your pipeline. It's typically a combination of the pipeline name and a unique number that increments with each build. The build number is essential for tracking changes and ensuring that you're always using the latest version of your software. Why Update the B...
Read more

How to get latest build ID from Azure DevOps pipeline?

Azure Pipelines is a cloud-based service that allows you to continuously build, test, and deploy your applications . It provides a wide range of features to support continuous integration and continuous delivery (CI/CD) workflows. One of the essential features of Azure Pipelines is the ability to retrieve the latest build ID programmatically. In this blog post, we will explore how to get the latest build ID from an Azure Pipeline. Firstly, let's understand what a build ID is. A build ID is a unique identifier assigned to each build in Azure Pipelines . It is used to track the status and progress of a particular build. The build ID is generated automatically and is incremented for each new build. It is essential to know the latest build ID to retrieve the artifacts produced by the build or to trigger the next build in the pipeline. Now let's dive into the steps to get the latest build ID from an Azure Pipeline programmatically: Step 1: Create a Personal Access Token (PAT) To ret...
Read more

How to install AWS System Manager (SSM) Agent on windows using PowerShell?

Image
Welcome to itscloudhub!! In the previous post, we were looked how to install AWS SSM Agent on Linux Distribution. In this blog post, we will discuss how to install AWS SSM Agent on Windows machine. https://www.itscloudhub.com/2022/03/how-to-install-aws-system-manager-ssm.html AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the following Amazon Machine Images (AMIs): 1. Windows Server 2008-2012 R2 AMIs published in November 2016 or later 2. Windows Server 2016, 2019, and 2022 If your managed instance is a Windows Server 2008-2012 R2 instance created before November 2016, then EC2Config processes Systems Manager requests on your instance. We recommend that you upgrade your existing instances to use the latest version of EC2Config . By using the latest EC2Config installer, you install SSM Agent side-by-side with EC2Config. This side-by-side version of SSM Agent is compatible with your instances created from earlier Windows Server AMIs and allows you to use SSM fe...
Read more