Static code analysis with SonarQube

Static code analysis with SonarQubeStatic code analysis is amazing when it comes to finding potential security vulnerabilities, bugs, and code smell. I tried it out using SonarQube, a popular open-source tool for static code analysis.
Categoriesc#.netcode qualitystatic code analysis
Hire me on Upwork!

What is static code analysis?

Static code analysis is a process where checkers like SonarCube checks the source code itself for potential errors and pitfalls. Checkers are navigating through the code flow and checking against predefined rules.

Static code analysis is the fundament to build a stable testing pyramid on top. With static code analysis you can cover the most common mistakes before even writing an test for it just by letting those tools look at your code.

Why should I perform static code analysis?

Static code analysis helps you to ensure your codes Quality. This could be either at writing time with Linters like sonarLint or also ESLint for JavaScript or it could be a process you do at a specific time same as running your unit tests. I like to have simple linters like style cop and ESLint in place when writing the code and run a more detailed analysis before I merge the feature. This would be a perfect use case for SonarCube I describe in the next sections.

Doing static code analysis will help you to find security Vuerabilties before hackers do.

Static code analysis can help you to find Bugs before they occur by analyzing your code and its execution flow. These could be for example values that are null for some execution paths triggering exceptions. Another great thing with static code analysis is that it would help you identify code smells to make your code more readable and duplicate code which makes it harder to maintain.

What is SonarQube?

SonarCube is a static code analysis tool available in 24+ languages. It is going through your codebase and telling you potential pitfalls and errors that do not lead to compile errors but could lead to errors when running the application. SonarQube has also a huge library of potential security issues made by security experts and build in lots of code quality checkers like Roslyn.

Why should I use SonarQube?

SonarCube and sonarLint can help you to find bugs before they occur. SonarQube is an Open source program to perform static analysis on your code.

It could be either run locally, in a Docker image, or hosted in your CI. SonarQube provides you with nice Dashboards and reports to get an overview of your issues. They directly show you the code where they found your Issue, a description of why this is an issue, and give a time estimate on fixing it.

SonarQube is available to analyze 24+ different programming languages!

JavaScript, C#, Java, Python, and many more to name a few of them,

It can help you to improve your coding skills in general.

SonarQube also supports OWASP Top 10, to find and fix the top 10 most common security issues. So it could help you to ship more secure applications without having a security expert on your team.

How to Install SonarQube

To Install SonarQube you have two possibilities.

  1. Download the zip and run it locally
  2. Run inside Docker I prefer the way number two since Docker makes it way easier to use anything and kind of abstracts away windows-related headaches and gives the application the perfect environment to run in.

Install the sonarQube docker image

To get the sonarQube image simply run the following command in your favorite command line.

docker pull sonarqube

Running the SonarQube docker image

To run the sonarQube docker image run the following command:

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

then visit http://localhost:9000. Make sure to wait some seconds till the front end appears.

How to set up a SonarQube Project?

Next, it is about importing your Projects. To keep everything simple I will start here with the manual installation. I will write my own article for GitHub integrations. To perform the scan on your application first install a sonar scanner. The wizard will help you with that. Everything is pretty straightforward. When you've set up everything un the following commands:

dotnet sonarscanner begin /k:"<yourProject<" /"http://localhost:9000"  /d:sonar.login="<yourKey>"
dotnet build
dotnet sonarscanner end /d:sonar.login="<your key>"

When everything has been executed you will find yourself in the SonarQube Dashboard.

The SonarQube Dashboard

SonarQube dashboard

When SonarQube has finished there will show up a line for it in the dashboard.

I did this for a JavaScript project (first) and my .net API (second).

In your dashboard you have a nice overview of the data sonarQube is collecting. In the next chapter, I will go more into detail about those metrics.

Understanding SonarQube metrics

When clicking on one of the projects inside our Dashboard, we will get Into one of the projects to further investigate the collected data.

What are Bugs?

This one is pretty self-explaining :). This number is indicating the number of potential bugs your application has. A Bug is every pitfall that could lead to a problem.

So for my application, this would be a lot of bad evaluations that lead to not executed code. When looking closer into the issue I found out that all of these happened during refactoring a feature and not doing this job that well.

What I really like about sonarQube is that there is always explained why this is an issue, so they have good explanations of what's wrong here instead of just saying this is wrong. Such explanations could also make you a better programmer.

The other thing I like is the estimated time to fix this issue. All of this estimated time will then sum up to the dev Debt.

What are Vulnerabilities?

The number of security issues SonarQube found in your code.

This would be for example an SQL Injection, the possibility to do cross-site scripting, or sensitive cookies stored in a bad way. To see the full list visit SonarQubes Documentation.

What are SonarQubeSecurity hotspots?

The sonarQube security hotspots show you where you can be easily affected by attacks. They will, for example, mark endpoints with a disabled request size limit, since then you are a beautiful goal for DDoS attacks! (So don't do that!). They also mark stupid (sorry but it is really stupid) things like setting cors * headers.

What is SonarQube maintainability?

Maintainability is indicating unreadable/bad code. This could be using outdated syntax, like here:

SonarQube Roslyn Issue

or other Roslyn Issues. But they could also be found when using Roslyn.

SonarQube also checks for non-Roslyn Issues, like missing implementation for partial methods.

SonarQube missing implementation

What is SonarQube's technical debt?

The technical Debt metric is the time it takes to fix all those code smells.

Other metrics

SonarQube also provides you with other useful metrics like duplicated code, or test coverage.

I just did not manage to get test coverage work for C#. If you do, I would love to hear how in my contact section.


SonarQube is an amazing tool to perform static code analysis. They collect lots of useful information about errors or code smells and explain every issue to make you a better programmer and improve your code's quality.

Setting up SonarQube inside docker is a nice and easy way to get it up and running and you can easily push this docker image to AWS or Azure to make it Accessible for your CI.

You can also use sonarLint as IDE extension to check your code while coding.

All in all I would defiatley recommend doing static code analysis as another layer of QA, your users would be thankful for it!

I hope I could provide you with some value with this article. If you want to support me and the work I´m doing you can buy me a coffee. I will donate half of it to Ukraine.

Happy, Analyzing,


Recommended Products for you
recommended for you