Introduction to SonarQube and Its Installation

In today’s fast-paced software development world, delivering secure, reliable, and maintainable code is critical. SonarQube is one of the most powerful tools used in DevOps pipelines to continuously inspect code quality and detect bugs, code smells, and security vulnerabilities.

1. What is SonarQube?

SonarQube is an open-source platform developed by SonarSource. It is designed to analyze and monitor code quality automatically, and it performs static code analysis for:

  • Bugs: These are actual errors in your code which can cause problems while running the application. For example, writing the wrong condition or missing a bracket.

  • Code Smells: These are not errors but bad practices. The code may work, but it is written in a complicated or messy way, which makes it hard to understand or maintain.

  • Vulnerabilities: These are security issues in your code. Hackers can use these weak points to attack your system. For example, hardcoding a password or not validating user input.

  • Duplications: When the same piece of code is repeated in many places, it becomes difficult to manage. Changing in one place means you have to change it everywhere.

  • Code Coverage: This checks how much of your code is tested by automated tests. More coverage means your code is safer because most parts are tested. Less coverage means some bugs may not be caught.

Backend & Access

  • Default Port: 9000

  • Built-in Database (for testing): H2

  • Supported DBs: PostgreSQL, MySQL, Oracle, MS SQL Server

2. What Does SonarQube Do?

SonarQube is a tool that automatically checks the quality of your source code and helps you fix problems early. It runs during builds and gives clear feedback.

1. Scans Your Code Automatically

When you build your project (using tools like Maven, Gradle, Jenkins, etc.), SonarQube scans your code line by line and checks for issues.

2. Detects Quality Issues

SonarQube highlights problems like:

  • Unused variables

  • Wrong logic or conditions

  • Duplicate code

  • Complex methods

  • Missing or poor comments

  • Unfollowed coding standards

  • Poor exception handling

  • Potential bugs

This helps you fix things before production.

3. Enforces Coding Standards

SonarQube checks if you're following standard Java coding rules or your custom team rules — like naming conventions, indentation, etc.

4. Checks for Unit Test Coverage

It checks how much of your code is tested with unit tests and gives you the percentage. You can set a rule like:
"At least 80% of code should be covered by tests."

5. Gives Code Ratings (A to E)

SonarQube gives letter grades for:

  • Reliability – How many bugs?

  • Security – Are there any vulnerabilities?

  • Maintainability – How many code smells (bad coding practices)?

  • Coverage – Is the code well tested?

  • Duplications – Are there repeated code blocks?

6. Shows a Visual Dashboard

It gives a dashboard with:

  • Graphs

  • Charts

  • Issue lists

  • Trends over time

So you can track and improve your code regularly.

7. Quality Gates Block Bad Code

You can set rules like:

  • No critical bugs

  • Coverage must be > 80%

  • Duplications < 5%

If any rule fails, SonarQube can block the build.
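A quality gate only protects the main branch if the pipeline actually stops on it. The script below is an added example, not code from the original post or from SonarSource: it queries the SonarQube web API endpoint api/qualitygates/project_status for one project and fails the CI step when the gate status is anything other than OK. The variable names SONAR_URL, SONAR_TOKEN and PROJECT_KEY and the function names are this script's own assumptions, and the two sample responses are constructed to match the endpoint's shape, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: fail a CI step when the
# SonarQube quality gate for a project is not OK. SONAR_URL, SONAR_TOKEN and
# PROJECT_KEY are assumed environment variable names.

# Overall gate status from the JSON that GET /api/qualitygates/project_status
# returns; the first "status" key in the response is the project-level one.
# grep/cut instead of jq so the script runs on a bare build agent.
gate_status() {
  printf '%s' "$1" | grep -o '"status":"[A-Z_]*"' | head -n 1 | cut -d'"' -f4
}

# True only when the gate passed; ERROR, WARN, NONE or an error body all fail.
gate_passed() {
  [ "$(gate_status "$1")" = "OK" ]
}

# "metric=actualValue" for every failing condition, for the build log.
failed_conditions() {
  printf '%s' "$1" | grep -o '{[^{}]*"status":"ERROR"[^{}]*}' \
    | sed -n 's/.*"metricKey":"\([^"]*\)".*"actualValue":"\([^"]*\)".*/\1=\2/p'
}

# Query the live server (the token goes in as the basic-auth username, empty password).
fetch_gate() {
  curl -sS -u "${SONAR_TOKEN}:" \
    "${SONAR_URL}/api/qualitygates/project_status?projectKey=${PROJECT_KEY}"
}

# Constructed sample responses (not captured from a real server), in the shape
# the endpoint returns: one failing coverage condition, and a clean gate.
SAMPLE_FAIL='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"63.4"},{"status":"OK","metricKey":"new_duplicated_lines_density","comparator":"GT","errorThreshold":"5","actualValue":"1.2"}]}}'
SAMPLE_OK='{"projectStatus":{"status":"OK","conditions":[]}}'

main() {
  resp="$(fetch_gate)" || { echo "could not reach ${SONAR_URL}" >&2; exit 2; }
  if gate_passed "$resp"; then
    echo "Quality gate passed for ${PROJECT_KEY}"
  else
    echo "Quality gate FAILED for ${PROJECT_KEY} (status: $(gate_status "$resp"))" >&2
    failed_conditions "$resp" >&2
    exit 1
  fi
}

# Talk to a server only when all three variables are set; otherwise just
# demonstrate the parsing on the constructed samples.
if [ -n "${SONAR_URL:-}" ] && [ -n "${SONAR_TOKEN:-}" ] && [ -n "${PROJECT_KEY:-}" ]; then
  main
else
  echo "sample OK   -> status=$(gate_status "$SAMPLE_OK")"
  echo "sample FAIL -> status=$(gate_status "$SAMPLE_FAIL"); failing: $(failed_conditions "$SAMPLE_FAIL")"
fi
```

Run it as the step after the scanner, with the three variables provided by the CI secret store rather than hardcoded in the repository. The scanner property sonar.qualitygate.wait=true performs the same wait-and-fail inside the analysis step; a separate check like this one is useful when the analysis already ran elsewhere or when a non-Sonar job needs to gate on the result.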

8. Shows Time to Fix Each Issue

SonarQube tells you how much time it may take to fix each issue.
For example:

  • Rename variable: 2 minutes

  • Fix complex logic: 10 minutes

This helps you plan better and fix faster.

3. Similar Tools to SonarQube

  • SonarQube – Checks code quality, bugs, security issues, and duplication during development.

  • Checkmarx – Finds security vulnerabilities directly in your source code.

  • Coverity – Detects bugs and defects early, especially in large or complex codebases.

  • Fortify SCA – Scans code for security flaws and helps meet compliance standards.

  • Veracode – Offers cloud-based tools to test app security across your entire software

4. Installation Steps (RHEL / EC2)

SonarQube Prerequisites

1. Hardware Requirements:

  • CPU: Modern multi-core processor

  • RAM: Minimum 2GB (4GB recommended) – Go with t2.medium instance

2. Software Requirements:

  • Operating System:

    • Linux (preferred)

    • Windows

    • macOS

1. Connect to EC2

ssh -i your-key.pem ec2-user@<your-ec2-public-ip>

2. Switch to Root

sudo su -

3. Fix Time Sync (Avoid GPG Errors)

  • To fix time sync issues and avoid GPG errors during package operations, enable NTP, set the correct timezone, and restart time sync services.
timedatectl set-ntp true
timedatectl set-timezone UTC
systemctl restart chronyd || systemctl restart systemd-timesyncd
timedatectl   # Confirm NTP is synchronized

4. Install Java 17 (Amazon Corretto)

  • Install Amazon Corretto 17 (Java 17) on an RHEL-based system (e.g., Red Hat, CentOS):
rpm --import https://yum.corretto.aws/corretto.key
curl -Lo /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo
yum install -y java-17-amazon-corretto-devel --nogpgcheck

  • The first command imports the Corretto signing key so that yum can verify the package signature; --nogpgcheck switches that verification off again. Once the key is imported and the clock is in sync (step 3), drop --nogpgcheck so the package you install is actually checked against the key.

Verify Installation

java --version

5. Set Required Kernel Parameters

sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

6. Install Required Packages

yum install wget unzip -y

7. Download and Extract SonarQube

  • Don't Just Follow Any Guide Online — Avoid Hardcoded Links

  • Note: Never download SonarQube from random blogs, unofficial sources, or blindly use hardcoded links.

  • Always visit the official website: https://www.sonarsource.com/products/sonarqube/downloads/

  • Scroll and view historical versions

  • Choose your desired version, then click the Documentation link beside the version

  • In the docs, you'll find: Java version compatibility (e.g., "Supports only Java 17")

  • Right-click the download button and select “Copy Link”

cd /opt
  • Changes to the /opt directory, a common location for installing third-party applications.

sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.8.100196.zip
  • Downloads the SonarQube 9.9.8 ZIP archive from the official SonarSource distribution site.

sudo unzip sonarqube-9.9.8.100196.zip
  • Extracts the contents of the ZIP file into /opt.

sudo mv sonarqube-9.9.8.100196 sonarqube
  • Renames the extracted folder to a simpler name, sonarqube, for easier reference in scripts and paths.

8. Create a Dedicated User

1. Create the user

useradd sonar

  • Creates a new Linux user named sonar. SonarQube must not run as root (its embedded Elasticsearch refuses to start as root), so the service runs under this account.

2. Allow sonar user to run commands as root (without password)

visudo

  • Opens the sudoers file safely for editing. Add this line:
sonar   ALL=(ALL)       NOPASSWD: ALL

  • Allows the sonar user to run any command as root without entering a password. SonarQube itself does not need sudo to run, and this entry turns any compromise of the SonarQube process into passwordless root on the host; on a production server omit it, or restrict it to the specific commands the account actually needs.

3. Give ownership of Sonarqube folder to sonar user

chown -R sonar:sonar /opt/sonarqube

  • Changes the ownership of the /opt/sonarqube directory (and all files inside) to user sonar.

4. Set proper permissions on SonarQube folder

chmod -R 775 /opt/sonarqube

  • Gives read, write, and execute permissions to the owner and group, and read + execute to others. Since the sonar user and group already own the tree, 750 (no access for others) is enough to run SonarQube and keeps conf/sonar.properties, which holds the database credentials, unreadable by other accounts on the host.

9. Configure Environment for sonar User

su - sonar

Add to ~/.bashrc:

echo 'export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto' >> ~/.bashrc
echo 'export PATH=$JAVA_HOME/bin:$PATH' >> ~/.bashrc
source ~/.bashrc

10. Start SonarQube

cd /opt/sonarqube/bin/linux-x86-64/
sh sonar.sh start
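Before starting the service, it is worth confirming that the previous steps actually took effect, since a missing kernel parameter or the wrong Java shows up only as a failed start in the logs. The preflight script below is an added example, not part of the original post or of SonarQube itself; it assumes the layout used in this guide (/opt/sonarqube, Java 17 for SonarQube 9.9, the sonar user), and the function names java_major, java_ok, map_count_ok and preflight are its own.

```shell
#!/bin/sh
# Added example, not part of the original post or of SonarQube: preflight
# checks for the setup above, to run as the sonar user before sonar.sh start.
# Paths and the required Java major version follow this guide (/opt/sonarqube,
# Java 17); function names are this script's own.

# Major Java version from the first line of `java -version` / `java --version`
# output, e.g. 'openjdk 17.0.9 2023-10-17 LTS' -> 17. Legacy 1.x numbering
# ('1.8.0_392') maps to 8.
java_major() {
  v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
  major=${v%%.*}
  if [ "$major" = "1" ]; then
    rest=${v#1.}
    major=${rest%%.*}
  fi
  printf '%s\n' "$major"
}

# SonarQube 9.9 (the version downloaded above) runs only on Java 17.
java_ok() {
  [ "$(java_major "$1")" = "17" ]
}

# The embedded Elasticsearch needs vm.max_map_count of at least 262144.
map_count_ok() {
  [ "$1" -ge 262144 ] 2>/dev/null
}

# Live checks against the host; returns non-zero if anything must be fixed.
preflight() {
  status=0
  if [ "$(id -u)" -eq 0 ]; then
    echo "FAIL: running as root; Elasticsearch refuses to start as root, switch to the sonar user" >&2
    status=1
  fi
  line=$(java -version 2>&1 | head -n 1)
  if java_ok "$line"; then
    echo "OK: Java $(java_major "$line")"
  else
    echo "FAIL: Java 17 required, found: ${line:-no java on PATH}" >&2
    status=1
  fi
  mc=$(cat /proc/sys/vm/max_map_count 2>/dev/null)
  if map_count_ok "$mc"; then
    echo "OK: vm.max_map_count=$mc"
  else
    echo "FAIL: vm.max_map_count=${mc:-unknown}, need >= 262144 (sysctl -w vm.max_map_count=262144)" >&2
    status=1
  fi
  if grep -q '^vm.max_map_count=262144' /etc/sysctl.conf 2>/dev/null; then
    echo "OK: vm.max_map_count persisted in /etc/sysctl.conf"
  else
    echo "WARN: vm.max_map_count not in /etc/sysctl.conf; the setting is lost on reboot" >&2
  fi
  owner=$(stat -c '%U' /opt/sonarqube 2>/dev/null || echo missing)
  if [ "$owner" = "$(id -un)" ]; then
    echo "OK: /opt/sonarqube owned by $owner"
  else
    echo "FAIL: /opt/sonarqube owned by '$owner', expected $(id -un) (chown -R sonar:sonar /opt/sonarqube)" >&2
    status=1
  fi
  return $status
}

# Run the live checks only when invoked as: sh preflight.sh run
case "${1:-}" in
  run) preflight ;;
esac
```

Run it as the sonar user with `sh preflight.sh run` right before `sh sonar.sh start`; a non-zero exit means one of the earlier steps did not take effect. If the service still fails to come up, /opt/sonarqube/logs/es.log and sonar.log report which of the same conditions it tripped over.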

5. Access SonarQube

  • Enable Port 9000 in Security Group

Open in a browser: http://<your-ec2-public-ip>:9000

Default credentials:

  • Username: admin

  • Password: admin

Change the default admin password at first login, before the instance is reachable by anyone else.

Written by

Kandlagunta Venkata Siva Niranjan Reddy