In this lab, we will demonstrate how SonarCloud can be integrated with AWS CodePipeline using AWS CodeBuild. SonarCloud is code analysis as a service provided by the SonarQube team. It provides a defined process to enforce code control on three levels (syntax, coding standards and structure) before the code reaches the testing stage, which helps developers release high-quality code every time.
In order to do this lab you need a GitHub account to log in to SonarCloud.
- Sign in to GitHub through the SonarCloud site using your GitHub credentials, as shown in the following screenshot.
- Choose Create a new project in the SonarCloud portal, as shown in the following screenshot.
- Choose Choose an organization in GitHub, as shown in the following screenshot.
- Choose Install after selecting the required repositories, as shown in the following screenshot.
- Your GitHub repository is now synchronized with SonarCloud. Bind the GitHub branch and choose Create Organization, as shown in the following screenshot.
- To generate a token, go to User > My Account > Security. Your existing tokens are listed here, each with a Revoke button. Enter a new token name and choose Generate. Store the token for the following steps.
Note: We will use the Project key, Organization and token in the next step to configure CodeBuild.
We will use AWS Secrets Manager to store the Sonar login credentials. By using Secrets Manager we can grant CodeBuild controlled access to the credentials instead of placing them in the buildspec.
- Visit the AWS Secrets Manager console to set up the Sonar login credentials.
- Select Store a new secret and choose Other types of secret.
- Enter the secret keys and values as shown in the following screenshot, using your Organization, project key and token.
- Enter the secret name. In this case, we will use "test/sonar" and save with the default settings.
- Let us create the CodeBuild project from the CLI so that it reviews the code using SonarCloud. To create the build project using the AWS CLI, we need JSON-formatted input. Create a JSON file named create-sonar-project.json under MyDevEnvironment and copy the content below into it. (Replace the placeholders marked with <<>> with the BuildRole ARN and the region from the previous step.)
```json
{
  "name": "sonar-review-project",
  "source": {
    "type": "CODECOMMIT",
    "location": "https://git-codecommit.<<REPLACE-YOUR-REGION-ID>>.amazonaws.com/v1/repos/WebAppRepo",
    "buildspec": "buildspec_sonar.yml"
  },
  "artifacts": {
    "type": "NO_ARTIFACTS"
  },
  "environment": {
    "type": "LINUX_CONTAINER",
    "image": "aws/codebuild/standard:3.0",
    "computeType": "BUILD_GENERAL1_SMALL"
  },
  "serviceRole": "<<REPLACE-YOUR-BuildRole-ARN>>"
}
```
- Switch to the directory that contains the file you just saved, and run the create-project command with that file as input:

```
user:~/environment $ aws codebuild create-project --cli-input-json file://create-sonar-project.json
```
In this step, you will add a new stage to your pipeline that reviews the code using SonarCloud before the code is built.
- Edit the pipeline. Choose the option to add a stage after the Source stage with the AWS CodeBuild action. Type a name for the stage (for example, CodeReview).
- Choose + Add action group.
- Type a name for your action (for example, CodeAnalysis).
- For Action provider, choose AWS CodeBuild.
- For Input artifacts, select the Source artifact.
- For Project name, select sonar-review-project.
- For Output artifacts, type ReviewedArtifact.
- Choose Done.
- Save the changes to the pipeline by choosing Save at the top of the page.
- Create a file named buildspec_sonar.yml under the WebAppRepo folder. Copy the content below into the file and save it.
```yaml
version: 0.2
env:
  secrets-manager:
    LOGIN: test/sonar:sonartoken
    HOST: test/sonar:HOST
    Organization: test/sonar:Organization
    Project: test/sonar:Project
phases:
  install:
    runtime-versions:
      java: openjdk8
  pre_build:
    commands:
      - apt-get update
      - apt-get install -y jq
      - wget http://www-eu.apache.org/dist/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz
      - tar xzf apache-maven-3.5.4-bin.tar.gz
      - ln -s apache-maven-3.5.4 maven
      - wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.3.0.1492-linux.zip
      - unzip ./sonar-scanner-cli-3.3.0.1492-linux.zip
      # the archive is unpacked into the source directory, not into /
      - export PATH=$PATH:$PWD/sonar-scanner-3.3.0.1492-linux/bin/
  build:
    commands:
      - mvn test
      - mvn sonar:sonar -Dsonar.login=$LOGIN -Dsonar.host.url=$HOST -Dsonar.projectKey=$Project -Dsonar.organization=$Organization
      # SonarCloud processes the analysis asynchronously, so a fixed pause may be too short for larger projects
      - sleep 5
      # authenticate with the token; a private project returns no status otherwise
      - curl -s -u "$LOGIN:" "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$Project" > result.json
      - cat result.json
      # fail the build (non-zero exit, which makes CODEBUILD_BUILD_SUCCEEDING 0) on ERROR or when no status could be read
      - STATUS=$(jq -r '.projectStatus.status' result.json); if [ "$STATUS" = "ERROR" ] || [ "$STATUS" = "null" ]; then echo "Quality Gate status: $STATUS"; exit 1; fi
```
Note: Check that the secrets-manager references in the buildspec match the secret name and the keys you created in Secrets Manager.
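The note above asks you to verify by hand that every `secrets-manager` reference resolves. The following script, an added example that is not part of the original lab or of AWS tooling, automates that check offline: it parses each `secret-id:json-key[:version-stage[:version-id]]` reference as CodeBuild interprets it, looks the key up in the stored SecretString, and reports every mismatch. The `env` block is passed in as a plain dict, and the sample secret value is a constructed placeholder; `fetch_secret_strings` is the only part that talks to AWS and is not needed for the offline check.

```python
"""Pre-flight check: do the secrets-manager references in a CodeBuild buildspec
match the JSON keys stored in the Secrets Manager secret?

Added example for this lab (not AWS code). The buildspec env block is passed in
as a dict so that no YAML library is required.
"""
import json
from typing import Dict, List, Tuple


def parse_secret_ref(ref: str) -> Tuple[str, str, str, str]:
    """Split a CodeBuild reference 'secret-id:json-key[:version-stage[:version-id]]'.

    A secret id given as an ARN contains colons itself
    (arn:partition:secretsmanager:region:account:secret:name), so those seven
    fields are consumed as the id before the remaining fields are read.
    """
    parts = ref.split(":")
    if ref.startswith("arn:"):
        if len(parts) < 8:
            raise ValueError(f"ARN reference needs a json-key: {ref!r}")
        secret_id, rest = ":".join(parts[:7]), parts[7:]
    else:
        if len(parts) < 2:
            raise ValueError(f"reference needs 'secret-id:json-key': {ref!r}")
        secret_id, rest = parts[0], parts[1:]
    if len(rest) > 3:
        raise ValueError(f"too many fields in reference: {ref!r}")
    rest = rest + [""] * (3 - len(rest))
    return secret_id, rest[0], rest[1], rest[2]


def check_secret_refs(env_refs: Dict[str, str], stored: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every reference resolves.

    env_refs: the buildspec's env.secrets-manager mapping (variable -> reference)
    stored:   secret id -> SecretString as Secrets Manager would return it
    """
    problems: List[str] = []
    for var, ref in env_refs.items():
        try:
            secret_id, json_key, _stage, _version = parse_secret_ref(ref)
        except ValueError as exc:
            problems.append(f"{var}: {exc}")
            continue
        if secret_id not in stored:
            problems.append(f"{var}: secret {secret_id!r} does not exist")
            continue
        try:
            payload = json.loads(stored[secret_id])
        except ValueError:
            problems.append(f"{var}: secret {secret_id!r} is not JSON, so key {json_key!r} cannot be resolved")
            continue
        if not isinstance(payload, dict) or json_key not in payload:
            keys = sorted(payload) if isinstance(payload, dict) else "no keys"
            problems.append(f"{var}: key {json_key!r} missing from secret {secret_id!r} (has {keys})")
        elif not str(payload[json_key]).strip():
            problems.append(f"{var}: key {json_key!r} in {secret_id!r} is empty")
    return problems


def fetch_secret_strings(secret_ids) -> Dict[str, str]:
    """Fetch SecretString values with boto3; only used against a real AWS account."""
    import boto3  # imported lazily so the offline check above needs no AWS SDK
    client = boto3.client("secretsmanager")
    return {sid: client.get_secret_value(SecretId=sid)["SecretString"] for sid in secret_ids}


# The env.secrets-manager block from buildspec_sonar.yml, as a dict.
BUILDSPEC_ENV = {
    "LOGIN": "test/sonar:sonartoken",
    "HOST": "test/sonar:HOST",
    "Organization": "test/sonar:Organization",
    "Project": "test/sonar:Project",
}

# Constructed sample of what Secrets Manager would return for test/sonar
# (placeholder values, not real credentials).
SAMPLE_STORED = {
    "test/sonar": json.dumps({
        "sonartoken": "<<placeholder-token>>",
        "HOST": "https://sonarcloud.io",
        "Organization": "my-org",
        "Project": "my-org_WebAppRepo",
    })
}

if __name__ == "__main__":
    for line in check_secret_refs(BUILDSPEC_ENV, SAMPLE_STORED) or ["all references resolve"]:
        print(line)
```

Against a real account, replace `SAMPLE_STORED` with `fetch_secret_strings({"test/sonar"})`; the check is deliberately strict (a missing or empty key is reported rather than silently becoming an empty variable at build time), because an empty `LOGIN` would make the Sonar step fail in a much less obvious way.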
- Commit and push the build specification file to the repository:

```
user:~/environment/WebAppRepo/ $ git add *
user:~/environment/WebAppRepo/ $ git commit -m "adding buildspec_sonar.yml"
user:~/environment/WebAppRepo/ $ git push -u origin master
```

Check that the pipeline detects the commit and runs the new stage.
- The code review status of the project can also be verified in the SonarCloud dashboard, as shown in the following screenshot.
Note: Quality Gate is a feature in SonarCloud that can be configured to ensure coding standards are met and regulated across projects. You can set threshold measures on your projects like code coverage, technical debt measure, number of blocker/critical issues, security rating/unit test pass rate, and more. The last step calls the Quality Gate API to check if the code is satisfying all the conditions set in Quality Gate. Refer to the Quality Gate documentation for more information.
Quality Gate can return four possible responses:
- **ERROR:** The project fails the Quality Gate.
- **WARN:** The project has some irregularities but is ok to be passed on to production.
- **OK:** The project successfully passes the Quality Gate.
- **None:** No Quality Gate is attached to the project.
AWS CodeBuild provides several environment variables that you can use in your build commands. CODEBUILD_BUILD_SUCCEEDING indicates whether the current build is succeeding: a value of 0 indicates that the build is failing and 1 that it is succeeding.
When the Quality Gate returns ERROR, the build is marked as failed, so CODEBUILD_BUILD_SUCCEEDING reports 0 and CodePipeline uses the CodeBuild status to decide whether to proceed or to stop.
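The buildspec above pauses for five seconds and then reads the gate status once, which has two weak spots: the SonarCloud analysis runs asynchronously and may not be finished yet, and an unauthenticated or failed API call yields no status at all, which a naive check could mistake for a pass. The script below, an added example that is not part of the original lab or of SonarSource tooling, polls the Compute Engine task that `mvn sonar:sonar` records in target/sonar/report-task.txt, asks the gate about exactly that analysis, and fails closed on anything it cannot read. The task URL, analysis id and gate payloads are constructed sample data, and `scripted_fetch` stands in for the HTTP calls so that the example runs offline.

```python
"""Wait for the SonarCloud analysis to finish, then apply the Quality Gate verdict.

Added example for this lab (not SonarSource code). Uses only the standard library.
"""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Tuple

TERMINAL = ("SUCCESS", "FAILED", "CANCELED")


def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines the scanner writes to target/sonar/report-task.txt."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def http_get(url: str, token: str) -> str:
    """GET a SonarCloud API URL; the token is the HTTP Basic user name, password empty."""
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode()


def wait_for_task(fetch: Callable[[str], str], task_url: str, timeout: float = 300,
                  interval: float = 5, clock=time.monotonic, sleep=time.sleep) -> Dict:
    """Poll api/ce/task until the background analysis reaches a terminal state."""
    deadline = clock() + timeout
    while True:
        task = json.loads(fetch(task_url))["task"]
        if task["status"] in TERMINAL:
            return task
        if clock() >= deadline:
            raise TimeoutError(f"task {task.get('id')} still {task['status']} after {timeout}s")
        sleep(interval)


def quality_gate_verdict(payload: str, fail_on_none: bool = True) -> Tuple[int, str]:
    """Map a qualitygates/project_status response to (exit code, status).

    Unreadable responses (an HTML error page, a missing field) and unknown
    statuses fail, so a 401 on a private project is never taken as a pass.
    """
    try:
        status = json.loads(payload)["projectStatus"]["status"]
    except (ValueError, KeyError, TypeError):
        return 1, "UNREADABLE"
    if status in ("OK", "WARN"):
        return 0, status
    if status == "NONE":
        return (1 if fail_on_none else 0), status
    return 1, status  # ERROR, or anything unexpected


def check_gate(report_task_text: str, token: str, fetch=None,
               interval: float = 5, sleep=time.sleep) -> Tuple[int, str]:
    """Wait for this build's analysis, then ask the gate about exactly that analysis."""
    fetch = fetch or (lambda url: http_get(url, token))
    report = parse_report_task(report_task_text)
    task = wait_for_task(fetch, report["ceTaskUrl"], interval=interval, sleep=sleep)
    if task["status"] != "SUCCESS":
        return 1, "ANALYSIS_" + task["status"]
    query = (f"analysisId={task['analysisId']}" if task.get("analysisId")
             else f"projectKey={report['projectKey']}")
    return quality_gate_verdict(fetch(f"{report['serverUrl']}/api/qualitygates/project_status?{query}"))


# Constructed sample of target/sonar/report-task.txt (placeholder ids, not real ones).
SAMPLE_REPORT_TASK = """\
projectKey=my-org_WebAppRepo
serverUrl=https://sonarcloud.io
ceTaskId=AXconstructedTaskId
ceTaskUrl=https://sonarcloud.io/api/ce/task?id=AXconstructedTaskId
"""


def scripted_fetch(task_states, gate_payload: str) -> Callable[[str], str]:
    """Offline stand-in for http_get: serves the task states in order, then the gate payload."""
    states = list(task_states)

    def fetch(url: str) -> str:
        if "/api/ce/task" in url:
            status = states.pop(0) if len(states) > 1 else states[0]
            task = {"id": "AXconstructedTaskId", "status": status}
            if status == "SUCCESS":
                task["analysisId"] = "AXconstructedAnalysisId"
            return json.dumps({"task": task})
        return gate_payload

    return fetch


if __name__ == "__main__":
    # Simulate a build whose analysis is still queued twice and whose gate then fails.
    failing_gate = json.dumps({"projectStatus": {"status": "ERROR"}})
    fetch = scripted_fetch(["PENDING", "IN_PROGRESS", "SUCCESS"], failing_gate)
    code, status = check_gate(SAMPLE_REPORT_TASK, "<<placeholder-token>>", fetch=fetch,
                              interval=0, sleep=lambda _: None)
    print(f"quality gate {status}, exit code {code}")
    raise SystemExit(code)
```

In the buildspec this would replace the `sleep`/`curl`/`jq` lines with a single `python3 check_gate.py` step after `mvn sonar:sonar`, with the script reading target/sonar/report-task.txt and `$LOGIN`; the process exit code then drives the CodeBuild result exactly as the `exit 1` in the buildspec does.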
This concludes Lab 6. In this lab, we demonstrated how to integrate SonarCloud with CodePipeline using CodeBuild. With this solution, you can automate static code analysis every time code is checked in to your source repository.