--- id: wiki-2026-0508-sonarqube title: SonarQube category: 10_Wiki/Topics status: verified canonical_id: self aliases: [Sonar, SonarQube Server, Sonar Cloud, SonarLint] duplicate_of: none source_trust_level: A confidence_score: 0.95 verification_status: applied tags: [code-quality, sast, static-analysis, devsecops, sonarqube] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: multi framework: SonarQube Server 10.x / SonarCloud --- # SonarQube ## 매 한 줄 > **"매 Clean Code 매 quality gate 의 enforce — bug + vuln + smell + hotspot"**. SonarQube 매 SonarSource 의 self-hosted/cloud SAST + code quality platform, 30+ language support, 매 PR-decoration + branch-analysis. 매 2026 매 SonarQube Server 10.6 LTA + SonarCloud + AI-fix (CodeFix) integration. ## 매 핵심 ### 매 4 issue type 1. **Bug**: 매 logical defect (NPE, infinite loop). 2. **Vulnerability**: 매 security flaw (SQL injection, XSS). 3. **Code Smell**: 매 maintainability (cyclomatic, duplication). 4. **Security Hotspot**: 매 manual-review-required (sensitive context, e.g., crypto usage). ### 매 Clean Code attributes (2024+) - **Consistent**, **Intentional**, **Adaptable**, **Responsible** (4 + 16 sub-attrs). - 매 legacy A-E rating 매 still present 의 backward-compat. - 매 issue 매 Clean Code attribute 매 always tag. ### 매 Quality Gate - 매 PR/branch 매 pass/fail criteria. - Default ("Sonar way"): 매 new code 매 0 bug, 0 vuln, coverage ≥ 80%, duplication ≤ 3%. - 매 "Clean as You Code" 매 philosophy: 매 new code 만 strict, 매 legacy 의 grandfather. ### 매 deployment - **Community Build** (free, OSS): 매 limited rules + no branch/PR analysis. - **Developer / Enterprise / Data Center** (paid). - **SonarCloud**: SaaS. 매 OSS public repo 매 free. - **SonarLint**: 매 IDE plugin (VSCode, IntelliJ, Cursor 2026 native). ### 매 응용 1. CI quality gate. 2. PR decoration (GitHub/GitLab/Bitbucket/Azure DevOps). 3. Compliance reporting (OWASP, CWE, PCI DSS). 4. Tech-debt SQALE rating. ## 💻 패턴 ### sonar-project.properties ```properties sonar.projectKey=acme:web-api sonar.projectName=ACME Web API sonar.projectVersion=2.4.0 sonar.sources=src sonar.tests=tests sonar.exclusions=**/generated/**,**/node_modules/** sonar.coverage.exclusions=**/*.test.ts,**/migrations/** sonar.javascript.lcov.reportPaths=coverage/lcov.info sonar.python.coverage.reportPaths=coverage.xml sonar.qualitygate.wait=true ``` ### GitHub Actions ```yaml # .github/workflows/sonar.yml name: SonarQube on: push: { branches: [main] } pull_request: { types: [opened, synchronize, reopened] } jobs: sonar: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } # full history for blame - uses: actions/setup-node@v4 with: { node-version: 20 } - run: npm ci && npm test -- --coverage - uses: SonarSource/sonarqube-scan-action@v3 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} ``` ### Maven scan ```bash mvn verify sonar:sonar \ -Dsonar.projectKey=acme:api \ -Dsonar.host.url=https://sonar.acme.com \ -Dsonar.token=$SONAR_TOKEN \ -Dsonar.qualitygate.wait=true ``` ### Docker self-host (SonarQube Server) ```yaml # docker-compose.yml services: sonarqube: image: sonarqube:10.6-community ports: ["9000:9000"] environment: - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar - SONAR_JDBC_USERNAME=sonar - SONAR_JDBC_PASSWORD=sonar volumes: - sonar_data:/opt/sonarqube/data - sonar_extensions:/opt/sonarqube/extensions depends_on: [db] db: image: postgres:16 environment: - POSTGRES_USER=sonar - POSTGRES_PASSWORD=sonar - POSTGRES_DB=sonar volumes: [pg_data:/var/lib/postgresql/data] volumes: sonar_data: {} sonar_extensions: {} pg_data: {} ``` ### Custom Quality Profile (API) ```bash # Activate rule curl -u $TOKEN: -X POST \ "$SONAR_URL/api/qualityprofiles/activate_rule" \ --data-urlencode "key=AYxxx" \ --data-urlencode "rule=javascript:S6418" \ --data-urlencode "severity=CRITICAL" # Set as default curl -u $TOKEN: -X POST \ "$SONAR_URL/api/qualityprofiles/set_default" \ --data-urlencode "language=js" \ --data-urlencode "qualityProfile=Acme JS Strict" ``` ### Quality Gate condition (API) ```bash curl -u $TOKEN: -X POST \ "$SONAR_URL/api/qualitygates/create_condition" \ -d "gateId=1&metric=new_coverage&op=LT&error=85" ``` ### Programmatic gate check ```python # check_gate.py import requests, sys, os r = requests.get( f"{os.environ['SONAR_URL']}/api/qualitygates/project_status", params={"projectKey": "acme:api", "branch": "main"}, auth=(os.environ['SONAR_TOKEN'], ''), ) status = r.json()["projectStatus"]["status"] print(f"Quality Gate: {status}") sys.exit(0 if status == "OK" else 1) ``` ## 매 결정 기준 | 상황 | Edition | |---|---| | OSS public repo | SonarCloud (free) | | Self-host, no PR analysis | Community Build | | Mid-size team, PR decoration | Developer Edition | | Enterprise, multi-branch, security reports | Enterprise Edition | | Compliance / data-residency | Data Center / self-host | **기본값**: SonarCloud 매 OSS, Developer Edition 매 commercial team. ## 🔗 Graph - 부모: [[Static-Analysis]] · [[SAST]] · [[Code-Quality]] - 변형: [[CodeQL]] · [[Semgrep]] - 응용: [[Quality-Gate]] · [[CI-CD]] · [[Tech-Debt]] - Adjacent: [[SCA_Fundamentals|SCA]] · [[OWASP-Top-10]] · [[Clean-Code]] ## 🤖 LLM 활용 **언제**: 매 issue triage summary, 매 false-positive review, 매 custom rule draft (Sonar Way deviation), 매 SonarLint + Cursor inline-fix. **언제 X**: 매 deterministic rule eval (use scanner), 매 production gate decision (human approve). ## ❌ 안티패턴 - **All-code strict**: 매 legacy 매 100k issue 의 overwhelm. 매 "Clean as You Code" 의 use. - **Coverage-only gate**: 매 cov 80% 매 logic untested. 매 mutation testing 의 add. - **Ignore hotspots**: 매 Security Hotspot 매 review 매 skip. 매 actual vuln 매 hidden. - **No blame/SCM**: 매 issue ownership 매 unknown. 매 SCM integration 매 must. - **Self-host no upgrade**: 매 LTA 매 missed → 매 stale rules + CVE on Sonar itself. ## 🧪 검증 / 중복 - Verified (SonarSource docs 10.6 LTA; Clean Code taxonomy 2024; OWASP Top 10 2021 mapping). - Canonical for SonarQube topic. - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — full canonical content (Clean Code + Quality Gate + scanner patterns) |