Azure DevOps integration (2024)

SonarQube's integration with Azure DevOps allows you to maintain code quality and security in your Azure DevOps repositories. It is compatible with both Azure DevOps Server and Azure DevOps Services.

With this integration, you'll be able to:

  • Import your Azure DevOps repositories: Import your Azure DevOps repositories into SonarQube to easily set up SonarQube projects.
  • Analyze projects with Azure Pipelines: Integrate analysis into your build pipeline. Starting inDeveloper Edition, SonarScanners running in Azure Pipelines jobs can automatically detect branches or pull requests being built, so you don't need to specifically pass them as parameters to the scanner.
  • Report your quality gate status to your pull requests (starting inDeveloper Edition): See your quality gate and code metric results right in Azure DevOps so you know if it's safe to merge your changes.

Prerequisites

Integration with Azure DevOps Server requires Azure DevOps Server 2020, Azure DevOps Server 2019, TFS 2018, or TFS 2017 Update 2 (includingExpresseditions).

Branch analysis

Community Edition doesn't support the analysis of multiple branches, so you can only analyze your main branch. Starting inDeveloper Edition, you can analyze multiple branches and pull requests.

Importing your Azure DevOps repositories into SonarQube

Setting up the import of Azure DevOps repositories into SonarQube allows you to easily create SonarQube projects from your Azure DevOps repositories. If you're usingDeveloper Editionor above, this is also the first step in adding pull request decoration.

To set up the import of Azure DevOps repositories:

  1. Set your global DevOps platform settings
  2. Add a personal access token for importing repositories

Setting your global settings

To import your Azure DevOps repositories into SonarQube, you need to first set your global SonarQube settings. Navigate toAdministration > Configuration > General Settings > DevOps Platform Integrations, select theAzure DevOpstab, and click theCreate configurationbutton. Specify the following settings:

  • Configuration Name(Enterprise and Data Center Edition only): The name used to identify your Azure DevOps configuration at the project level. Use something succinct and easily recognizable.
  • Azure DevOps collection/organization URL: If you are using Azure DevOps Server, provide your full Azure DevOps collection URL. For example,https://ado.your-company.com/DefaultCollection. If you are using Azure DevOps Services, provide your full Azure DevOps organization URL. For example,https://dev.azure.com/your_organization.
  • Personal Access Token: An Azure DevOps user account is used to decorate Pull Requests. We recommend using a dedicated Azure DevOps account with Administrator permissions. You need apersonal access tokenfrom this account with the scope authorized forCode > Read & Writefor the repositories that will be analyzed. Administrators can encrypt this token atAdministration > Configuration > Encryption. See theSettings Encryptionsection of theSecuritypage for more information. This personal access token is used to report your quality gate status to your pull requests. You'll be asked for another personal access token for importing projects in the following section.

Adding a personal access token for importing repositories

After setting your global settings, you can add a project from Azure DevOps by clicking theAdd projectbutton in the upper-right corner of theProjectshomepage and selectingAzure DevOps.

Then, you'll be asked to provide a personal access token withCode (Read & Write)scope so SonarQube can access and list your Azure DevOps projects. This token will be stored in SonarQube and can be revoked at any time in Azure DevOps.

After saving your personal access token, you'll see a list of your Azure DevOps projects that can beset upand added to SonarQube. Setting up your projects this way also defines your project settings for pull request decoration.

For information on analyzing your projects with Azure Pipelines, see theAnalyzing projects with Azure Pipelinessection below.

Analyzing projects with Azure Pipelines

SonarScanners running in Azure Pipelines jobs can automatically detect branches or pull requests being built, so you don't need to specifically pass them as parameters to the scanner.

Automatic branch detection is only available when using Git.

Installing your extension

From Visual Studio Marketplace, install theSonarQube extensionby clicking theGet it freebutton.

Azure DevOps server - build agents

If you are usingMicrosoft-hosted build agentsthen there is nothing else to install. The extension will work with all of the hosted agents (Windows, Linux, and macOS).

If you are self-hosting the build agents, make sure you have at least the minimum SonarQube-supported version of Java installed.

Adding a new SonarQube service endpoint

After installing your extension, you need to declare your SonarQube server as a service endpoint in your Azure DevOps project settings:

  1. In Azure DevOps, go toProject Settings > Service connections.
  2. SelectNew service connectionand then selectSonarQubefrom the service connection list.
  3. Enter your SonarQubeServer URL, anAuthentication Token, and a memorableService connection name. Then, selectSave to save your connection.

Configuring branch analysis

After adding your SonarQube service endpoint, you'll need to configure branch analysis. You'll use the following tasks in your build definitions to analyze your projects:

  • Prepare analysis configuration: This task configures the required settings before executing the build.
  • Run code analysis (Not used in Maven or Gradle projects): This task executes the analysis of source code.
  • Publish quality gate result: This task displays the quality gate status in the build summary letting you know if your code meets quality standards for production. This task may increase your build time as your pipeline has to wait for SonarQube to process the analysis report. It is highly recommended but optional.

Select your build technology below to expand the instructions for configuring branch analysis and to see an example.ymlfile.

Gradle or Maven
  1. In Azure DevOps, create or edit aBuild Pipeline, and add a newPrepare Analysis Configurationtaskbeforeyour build task:
    • Select the SonarQube server endpoint you created in theAdding a new SonarQube Service Endpointsection.
    • UnderChoose a way to run the analysis, selectIntegrate with Maven or Gradle.
    • Expand theAdvanced sectionand replace theAdditional Propertieswith the following snippet:
      • # Additional properties that will be passed to the scanner,
        # Put one key=value per line, example:
        # sonar.exclusions=**/*.bin
        sonar.projectKey=YourProjectKey
  2. Edit or add a new Maven or Gradle task
    • UnderCode Analysis, checkRun SonarQube or SonarCloud Analysis.
  3. Add a newPublish quality gate Resulton your build pipeline summary.
  4. Under theTriggerstab of your pipeline, selectEnable continuous integration, and choose all of the branches for which you want SonarQube analysis to run automatically.
  5. Save your pipeline.

.yml example:

trigger:- master # or the name of your main branch- feature/*steps:# Prepare Analysis Configuration task- task: SonarQubePrepare@5 inputs: SonarQube: 'YourSonarqubeServerEndpoint' scannerMode: 'Other' extraProperties: 'sonar.projectKey=YourProjectKey'# Publish Quality Gate Result task- task: SonarQubePublish@5 inputs: pollingTimeoutSec: '300'
.NET
  1. In Azure DevOps, create or edit aBuild Pipeline, and add a newPrepare Analysis Configurationtaskbeforeyour build task:
    • Select the SonarQube server endpoint you created in theAdding a new SonarQube Service Endpointsection.
    • UnderChoose a way to run the analysis, selectIntegrate with MSBuild.
    • In theproject keyfield, enter your project key.
  2. Add a newRun Code Analysistaskafteryour build task.
  3. Add a newPublish quality gate Resulton your build pipeline summary.
  4. Under theTriggerstab of your pipeline, selectEnable continuous integration, and choose all of the branches for which you want SonarQube analysis to run automatically.
  5. Save your pipeline.

.yml example:

trigger:- master # or the name of your main branch- feature/*steps:# Prepare Analysis Configuration task- task: SonarQubePrepare@5 inputs: SonarQube: 'YourSonarqubeServerEndpoint' scannerMode: 'MSBuild' projectKey: 'YourProjectKey'# Dotnet build task- task: DotNetCoreCLI@2 displayName: 'dotnet build'# Run Code Analysis task- task: SonarQubeAnalyze@5# Publish Quality Gate Result task- task: SonarQubePublish@5 inputs: pollingTimeoutSec: '300'
Other (JavaScript, TypeScript, Go, Python, PHP, etc.)
  1. In Azure DevOps, create or edit aBuild Pipeline, and add a newPrepare Analysis Configurationtaskbeforeyour build task:
    • Select the SonarQube server endpoint you created in theAdding a new SonarQube Service Endpointsection.
    • UnderChoose a way to run the analysis, selectUse standalone scanner.
    • Select theManually provide configurationmode.
    • In theProject Keyfield, enter your project key.
  2. Add a newRun Code Analysistaskafteryour build task.
  3. Add a newPublish quality gate Resulton your build pipeline summary.
  4. Under theTriggerstab of your pipeline, selectEnable continuous integration, and choose all of the branches for which you want SonarQube analysis to run automatically.
  5. Save your pipeline.

.yml example:

trigger:- master # or the name of your main branch- feature/*steps:# Prepare Analysis Configuration task- task: SonarQubePrepare@5 inputs: SonarQube: 'YourSonarqubeServerEndpoint' scannerMode: 'CLI' configMode: 'manual' cliProjectKey: 'YourProjectKey'# Run Code Analysis task- task: SonarQubeAnalyze@5# Publish Quality Gate Result task- task: SonarQubePublish@5 inputs: pollingTimeoutSec: '300'
Analyzing a C/C++/Obj-C project

In your build pipeline, insert the following steps in the order they appear here. These steps can be interweaved with other steps of your build as long as the following order is followed. All steps have to be executed on the same agent.

  1. Make theBuild Wrapperavailable on the build agent: Download and unzip theBuild Wrapperon the build agent (see thePrerequisitessection of theC/C++/Objective-Cpage). The archive to download and decompress depends on the platform of the host. Please, note that:
    • For the Microsoft-hosted build agent, you will need to make theBuild Wrapperavailable on the build agent every time (as part of the build pipeline). To accomplish this, you can add aPowerShell scripttask by inserting aCommand Linetask. Example of PowerShell commands on a Windows host:
      Invoke-WebRequest -Uri '<sonarqube_url>/static/cpp/build-wrapper-win-x86.zip' -OutFile 'build-wrapper.zip'
      Expand-Archive -Path 'build-wrapper.zip' -DestinationPath '.'
      Example of bash commands on a Linux host:
      curl '<sonarqube_url>/static/cpp/build-wrapper-linux-x86.zip' --output build-wrapper.zip
      unzip build-wrapper.zip
      Example of bash commands on a macos host: curl '<sonarqube_url>/static/cpp/build-wrapper-macosx-x86.zip' --output build-wrapper.zip
      unzip build-wrapper.zip
    • For the self-hosted build agent you can either download it every time (using the same scripts) or only once (as part of manual setup of build agent).
  2. Add aPrepare analysis Configurationtask and configure it as follow: Click on thePrepare analysis on SonarQubetask to configure it:
    • Select theSonarQube Server.
    • InChoose the way to run the analysis, selectstandalone scanner(even if you build withVisual Studio/MSBuild).
    • InAdditional Propertiesin theAdvancedsection, add the propertysonar.cfamily.build-wrapper-outputwith, as its value, the output directory to which the Build Wrapper should write its results:sonar.cfamily.build-wrapper-output=<output directory>
  3. Add acommand linetask to run your build. For the analysis to happen, your build has to be run through a command line so that it can be wrapped-up by the build-wrapper. To do so,
    • RunBuild Wrapperexecutable. Pass in as the arguments:
      1. The output directory configured in the previous task and
      2. The command that runs a clean build of your project (not an incremental build). Example of PowerShell commands on a Windows host with anMSBuildbuild:
        build-wrapper-win-x86/build-wrapper-win-x86-64.exe --out-dir <output directory> MSBuild.exe /t:Rebuild
        Example of bash commands on a Linux host with amakebuild:
        build-wrapper-linux-x86/build-wrapper-linux-x86-64 --out-dir <output directory> make clean all
        Example of bash commands on a macos host with axcodebuildbuild:
        build-wrapper-macosx-x86/build-wrapper-macos-x86 --out-dir <output directory> xcodebuild -project myproject.xcodeproj -configuration Release clean build
  4. Add aRun code analysistask to run the code analysis and make the results available to SonarQube. Consider running this task right after the previous one as the build environment should not be significantly altered before running the analysis.
  5. Add aPublish quality gate resulttask.

.yml example:

trigger:- master # or the name of your main branch- feature/*steps:# Make Build Wrapper available- task: Bash@3 displayName: Download Build Wrapper inputs: targetType: inline script: | curl '<SONARQUBE_HOST>/static/cpp/build-wrapper-linux-x86.zip' --output build-wrapper.zip unzip build-wrapper.zip# Prepare Analysis Configuration task- task: SonarQubePrepare@5 inputs: SonarQube: 'YourSonarqubeServerEndpoint' scannerMode: 'CLI' configMode: 'manual' cliProjectKey: 'YourProjectKey' extraProperties: "sonar.cfamily.build-wrapper-output=bw_output"# Command Line task to run your build.- task: Bash@3 displayName: Bash Script inputs: targetType: inline script: > ./build-wrapper-linux-x86/build-wrapper-linux-x86-64 --out-dir bw_output <Your build command># Run Code Analysis task- task: SonarQubeAnalyze@5# Publish Quality Gate Result task- task: SonarQubePublish@5 inputs: pollingTimeoutSec: '300'

You must choose the correct image and adapt the correct wrapper depending on the agent OS. See the example above to configure the correct wrapper.

Running your pipeline

Commit and push your code to trigger the pipeline execution and SonarQube analysis. New pushes on your branches (and pull requests if you set up pull request analysis) trigger a new analysis in SonarQube.

Maintaining pull request code quality and security

Using pull requests allows you to prevent unsafe or substandard code from being merged with your main branch. The following branch policies can help you maintain your code quality and safety by analyzing code and identifying issues in all of the pull requests on your project. These policies are optional, but they're highly recommended so you can quickly track, identify, and remediate issues in your code.

Ensuring your pull requests are automatically analyzed

Ensure all of your pull requests get automatically analyzed by adding abuild validation branch policyon the target branch.

Preventing pull request merges when the quality gate fails

Prevent the merge of pull requests with a failed quality gate by adding aSonarQube/quality gatestatus check branch policyon the target branch.

Projects configured as part of a mono repository cannot use this status check branch policy to prevent pull request merges.

Watch thisvideofor a quick overview of how to prevent pull requests from being merged when they are failing the quality gate.

Reporting your quality gate status in Azure DevOps

After you've set up SonarQube to import your Azure DevOps repositories as shown in theImporting your Azure DevOps repositories into SonarQubeabove, SonarQube can report your quality gate status and analysis metrics directly to your Azure DevOps pull requests.

To do this, add a project from Azure DevOps by clicking theAdd projectbutton in the upper-right corner of theProjectshomepage and selectAzure DevOpsfrom the drop-down menu.

Then, follow the steps in SonarQube to analyze your project. SonarQube automatically sets the project settings required to show your quality gate in your pull requests.

To report your quality gate status in your pull requests, a SonarQube analysis needs to be run on your code. You can find the additional parameters required for pull request analysis on thePull request analysispage.

If you're creating your projects manually or adding quality gate reporting to an existing project, see the following section.

Reporting your quality gate status in manually created or existing projects

SonarQube can also report your quality gate status to Azure DevOps pull requests for existing and manually-created projects. After setting your global settings as shown in theImporting your Azure DevOps repositories into SonarQubesection above, set the following project settings atProject Settings > General Settings > DevOps Platform Integration:

  • Project name
  • Repository name

Advanced configuration

Reporting your quality gate status on pull requests in a mono repository

Reporting quality gate statuses to pull requests in a mono repository setup is supported starting inEnterprise Edition.

In a mono repository setup, multiple SonarQube projects, each corresponding to a separate project within the mono repository, are all bound to the same Azure DevOps repository. You'll need to set up each SonarQube project that's part of a mono repository to report your quality gate status.

You need to set up projects that are part of a mono repository manually as shown in theReporting your quality gate status in manually created or existing projectsection above. You also need to set theEnable mono repository supportsetting to true atProject Settings > General Settings > DevOps Platform Integration.

After setting your project settings, ensure the correct project is being analyzed by adjusting the Analysis Scope and pass your project names to the scanner. See the following sections for more information.

Ensuring the correct project is analyzed

You need to adjust the analysis scope to make sure SonarQube doesn't analyze code from other projects in your mono repository. To do this set up aSource File Inclusionfor your project atProject Settings > Analysis Scopewith a pattern that will only include files from the appropriate folder. For example, adding./MyFolderName/**/*to your inclusions would only add code in theMyFolderNamefolder to your analysis. SeeNarrowing the Focusfor more information on setting your analysis scope.

Passing project names to the scanner

Because of the nature of a mono repository, SonarQube scanners might read all project names of your mono repository as identical. To avoid having multiple projects with the same name, you need to pass thesonar.projectNameparameter to the scanner. For example, if you're using the Maven scanner, you would passmvn sonar:sonar -Dsonar.projectName=YourProjectName.

Configuring multiple DevOps platform instances

SonarQube can report your quality gate status to multiple DevOps platform instances. To do this, you need to create a configuration for each DevOps Platform instance and assign that configuration to the appropriate projects.

  • As part ofDeveloper Edition, you can create one configuration for each DevOps platform.
  • Starting inEnterprise Edition, you can create multiple configurations for each DevOps platform. If you have multiple configurations of the same DevOps Platform connected to SonarQube, you have to create projects manually.
Linking issues

When adding a quality gate status to your pull requests, individual issues will be linked to their SonarQube counterparts automatically. For this to work correctly, go to Administration > Configuration > General Settings > General > General to set the instance'sServer base URL. Otherwise, the links will default tolocalhost.

FAQ

Missing build agent capability

Previously, there was a Microsoft bug related to having a Windows Build Agent with a non-oracle Java version installed on it; the agent failed to detect a needed capability for the SonarQube Azure DevOps plugin. It is reported that this bug is now solved.

If you still have problems and are sure that thejavaexecutable is available in thePATHenvironment variable, you can add the missing capability manually by going toyour build agent > capabilities > user capabilities > add capability. Here, you can add the key, value pair java, and null which should allow the SonarQube plugin to be scheduled on that build agent.

Interaction detailsbetween SonarQube and Azure

When you run a Sonar analysis for a pull request, each Sonar issue will be a comment on the Azure DevOps pull request. If the AzureDevOps instance is configured correctly and you set an issue in SonarQube to 'resolved', the AzureDevOps Pull Request Comment will automatically be resolved. Likewise, when you fix an issue in the code and run the analysis build another time, the issue will be resolved in Sonar and deleted in AzureDevOps.

Azure DevOps integration (2024)

FAQs

How hard is Azure DevOps exam? ›

The level of difficulty of the AZ-400 exam is considered to be intermediate to advanced. It requires a strong understanding of Azure DevOps concepts, tools, and practices, as well as hands-on experience with implementing DevOps processes.

What is the passing score for Azure DevOps? ›

Passing score: 700. Learn more about exam scores.

How Azure DevOps can be used for integrations? ›

To set up the integration, go to your Integrations page and click “Begin Azure DevOps Integration”. You will need to provide your Azure DevOps URL as well as a Personal Access Token in order to configure the integration. To generate a Personal Access Token: Go to your Azure DevOps security page and click “New Token”.

How many questions are on Azure DevOps certification? ›

The total number of questions are between 40–60, depending on what Microsoft gives you. This means you'll have approximately 2–3 minutes per question.

What is the most difficult Azure exam? ›

The Azure Solutions Architect Expert and Fabric Analytics Engineer Associate certifications are known as some of the toughest Microsoft certifications to get because of how much you need to know and be able to do. For the Azure Solutions Architect Expert, it's tough because you need a wide range of skills.

How many times can you fail Azure exam? ›

Exam Retake Policy

First of all, if a candidate fails on the first attempt, he/she has to wait 24 hours before retaking the exam. Secondly, if he/she fails on the 2nd attempt, then they should wait for 14 days to retake the exam. A candidate can take a maximum of 5 retakes in a year.

What is the salary of Azure DevOps engineer certification? ›

Microsoft Certified Devops Engineer Expert Salary
Annual SalaryHourly Wage
Top Earners$164,500$79
75th Percentile$144,500$69
Average$125,908$61
25th Percentile$105,500$51

What is the average salary of Azure DevOps? ›

Azure DevOps Engineer salary in India ranges between ₹ 4.0 Lakhs to ₹ 12.0 Lakhs with an average annual salary of ₹ 7.4 Lakhs.

Is Azure DevOps hard to learn? ›

Becoming an Azure DevOps Engineer with no experience can be a steep climb, but it's not out of reach. Start by learning the fundamentals of DevOps practices, Azure services, and automation tools through online courses and certifications like the Azure DevOps Solutions Certification.

Is Azure DevOps widely used? ›

Microsoft's Azure DevOps is still extremely widely adopted and utilized by a huge number of companies, teams, and individual developers from all around the world. Azure DevOps provides a powerful and comprehensive set of software services that together cover the entire software development life cycle.

Can you integrate Azure DevOps with GitHub? ›

Azure Boards and Azure DevOps Services support integration with GitHub.com and GitHub Enterprise Server repositories. If you want to connect from an on-premises Azure DevOps Server, see Connect Azure DevOps Server to GitHub Enterprise Server.

Can we automate Azure DevOps? ›

Implement automation with Azure DevOps. Create and manage runbooks. Create webhooks. Create and run a workflow runbook and PowerShell workflows.

How many days it will take to complete Azure DevOps? ›

3 months is a short duration to master DevOps but if you are sincere about it, you can achieve it.

How much coding is required for Azure DevOps? ›

As much as required for your job. Every “DevOps” role is different. Enough to be able to understand what is going on in application code with some research. Enough to be able to put together Infrastructure as code and automation projects.

Is DevOps certification worth it? ›

A DevOps certification could enhance your resume, boost your salary potential, validate your expertise in development cycles, and set you up for more advanced career opportunities. DevOps positions consistently rank among the highest paying in the technical field.

Is Azure DevOps difficult? ›

Is DevOps Tough for Beginners? DevOps can be challenging for beginners due to its interdisciplinary nature, requiring knowledge and skills in software development, IT operations, and often, security (a practice known as DevSecOps).

Is Azure exam easier than AWS? ›

It will also depend on the technology being used. Suppose, you are working on tools and technologies that are based on Microsoft; then you should go for Azure. Is Azure easier than AWS? AWS is easy to learn in comparison with Azure since AWS is more simple and has an effective flow of documentation.

Is DevOps certification hard? ›

How difficult is AWS Certified DevOps Engineer Professional Exam? AWS Certified DevOps Engineer Professional Exam is one of the difficult AWS certifications one can take to elevate one career. The exam covers various scenario-based questions with long descriptions that make it difficult to comprehend the question.

Is Azure DevOps easy to learn? ›

Getting started to learn DevOps is easy. As with any other endeavor, it all starts with the first step. And in this first step, what you need to focus on are just basics and fundamentals.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Merrill Bechtelar CPA

Last Updated:

Views: 6335

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.