{"id":43495,"date":"2018-05-10T15:58:47","date_gmt":"2018-05-10T15:58:47","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/devops\/?p=43495"},"modified":"2019-02-14T15:50:01","modified_gmt":"2019-02-14T23:50:01","slug":"shift-left-with-sonarcloud-pull-request-integration","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/shift-left-with-sonarcloud-pull-request-integration\/","title":{"rendered":"Shift Left with SonarCloud Pull Request Integration"},"content":{"rendered":"<p>One of our DevOps &#8220;habits&#8221; is to Shift Left and move quality upstream.\u00a0 Including additional validations earlier in the DevOps pipeline means identifying potential issues before they become a problem.\u00a0 For teams using pull requests, catching issues while the PR is active is ideal &#8211; the code hasn&#8217;t been merged yet, so it&#8217;s easy to respond to feedback.\u00a0 The <a href=\"https:\/\/blog.sonarsource.com\/integrate-sonarcloud-with-vsts-to-boost-code-quality\">latest SonarCloud extension<\/a> for <a href=\"https:\/\/visualstudio.com\/team-services\">Visual Studio Team Services (VSTS)<\/a> is a great tool to help identify issues during the PR &#8211; let&#8217;s take a look at how it works.<\/p>\n<p>To try out the integration, I&#8217;ve done the following:<\/p>\n<ul>\n<li>Created a VSTS Git repo with a sample project, called DeepSpace<\/li>\n<li>Installed the <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=SonarSource.sonarcloud\">SonarCloud extension<\/a> in my VSTS account<\/li>\n<li>Configured a <a href=\"https:\/\/docs.sonarqube.org\/display\/SCAN\/Analyzing+with+SonarQube+Extension+for+VSTS-TFS\">CI build to integrate with SonarCloud<\/a><\/li>\n<\/ul>\n<p>All of this allows SonarCloud to scan my code during the CI builds, and produce reports about the state of my code.\u00a0 For example, I can see an issue about an empty method in my code:<\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/empty-method-code-smell-1024x200.png\" alt=\"Empty method code smell from SonarCloud\" width=\"840\" height=\"164\" class=\"alignnone wp-image-43505 size-large\" \/><\/p>\n<p>I can even use SonarCloud to drill in to look at the code that&#8217;s causing the problem:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/sonarcloud-code-view-1024x156.png\" alt=\"Code view in SonarCloud with inline warning\" width=\"840\" height=\"128\" class=\"alignnone size-large wp-image-43515\" \/><\/p>\n<p>This is great, but to Shift Left, I want to get that analysis on new changes submitted in pull requests.\u00a0 That way, problems can be addressed before merging code into the mainline.\u00a0 To do that, I followed the steps to <a href=\"http:\/\/aka.ms\/sonarcloudlab\">set up pull request integration with SonarCloud<\/a>, which involved setting up a new <a href=\"https:\/\/docs.microsoft.com\/en-us\/vsts\/git\/branch-policies?view=vsts#build-validation\">PR build policy<\/a> for my master branch.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/build-policy-master-branch-1024x272.png\" alt=\"Build policy configuration for master branch\" width=\"840\" height=\"223\" class=\"alignnone size-large wp-image-43525\" \/><\/p>\n<p>With the policy set up, any new PR will trigger the CI build, which is configured to run the SonarCloud analysis.\u00a0 After creating the PR, you can see the build running under the Required section in the Policies list.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/pr-build-in-progress-1024x464.png\" alt=\"Pull request build policy in progress\" width=\"840\" height=\"381\" class=\"alignnone size-large wp-image-43535\" \/><\/p>\n<p>When the build runs to 
completion, I can see that my changes didn&#8217;t break the build, but there&#8217;s a Code Quality check that failed.\u00a0 The best part is that I can see exactly what the issues are that caused this failure without leaving the PR view.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/code-quality-check-failed-1024x790.png\" alt=\"Pull request with code quality check that failed\" width=\"840\" height=\"648\" class=\"alignnone size-large wp-image-43545\" \/><\/p>\n<p>See the code comment in ImageService.java?\u00a0 SonarCloud found that Code Smell and automatically left a comment in the review.\u00a0 I don\u2019t need to drill into the build results or the SonarCloud analysis report to find the problem code &#8211; it&#8217;s plain for me to see right in the PR.\u00a0 And even better, other code reviewers can see and comment on the issue, in case I need some help on the best way to fix the issue.<\/p>\n<p>(Note, I currently have the integration configured to run under my credentials, hence, I&#8217;m listed as the comment author, but SonarCloud did the hard work.)<\/p>\n<p>If I want to go even further, I can set up a policy to require that the Code Quality check must succeed for all pull requests.\u00a0 I can do that by <a href=\"https:\/\/docs.microsoft.com\/en-us\/vsts\/git\/how-to\/pr-status-policy?view=vsts\">creating a new status policy<\/a> for the master branch.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/add-status-policy.png\" alt=\"Add status policy\" width=\"536\" height=\"130\" class=\"alignnone size-full wp-image-43555\" \/><\/p>\n<p>Simply pick the SonarCloud quality gate from the list, and click Save.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/sonarcloud-quality-gate.png\" alt=\"SonarCloud quality gate policy 
configuration.\" width=\"608\" height=\"290\" class=\"alignnone size-full wp-image-43565\" \/><\/p>\n<p>Now, if there are failures, the PR will be blocked from merging until all of the issues are fixed or marked as confirmed or resolved in SonarCloud.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2018\/05\/sonarcloud-blocking-merge-1024x325.png\" alt=\"SonarCloud failing quality check blocks pull request merge\" width=\"840\" height=\"267\" class=\"alignnone size-large wp-image-43575\" \/><\/p>\n<p>With this policy in place, I now have the confidence that my code is going to meet a higher quality standard <em>before<\/em> it reaches the master branch.\u00a0 Having this integration as part of my pull request is a natural extension of the PR workflow &#8211; I can review the SonarCloud comments like I would any other reviewer&#8217;s comments, and work through them one by one to resolve all of the issues before my code is merged.\u00a0 This is the heart of what it means to Shift Left.<\/p>\n<p>If you want to try out the SonarCloud extension, check out the hands-on lab to\u00a0<a href=\"http:\/\/aka.ms\/sonarcloudlab\">Integrate Visual Studio Team Services with SonarCloud<\/a>.<\/p>\n<p>Happy coding!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of our DevOps &#8220;habits&#8221; is to Shift Left and move quality upstream.\u00a0 Including additional validations earlier in the DevOps pipeline means identifying potential issues before they become a problem.\u00a0 For teams using pull requests, catching issues while the PR is active is ideal &#8211; the code hasn&#8217;t been merged yet, so it&#8217;s easy to 
[&hellip;]<\/p>\n","protected":false},"author":198,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[226,1,225],"tags":[],"class_list":["post-43495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ci","category-devops","category-git"],"acf":[],"blog_post_summary":"<p>One of our DevOps &#8220;habits&#8221; is to Shift Left and move quality upstream.\u00a0 Including additional validations earlier in the DevOps pipeline means identifying potential issues before they become a problem.\u00a0 For teams using pull requests, catching issues while the PR is active is ideal &#8211; the code hasn&#8217;t been merged yet, so it&#8217;s easy to [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/43495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/198"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=43495"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/43495\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=43495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=43495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=43495"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}