Five SonarCloud features for developers that want Clean Code

by Thomas Olivier


Whether you’re working on a new project or an existing one, you might think of Clean Code as an ideal, somewhere far out of reach. How would I even begin? Is it a new practice to adopt? Is it a tool to use? Does it relate to a level of experience with a programming language that I need to meet? Well, it might be all of those things. But getting the code to a place where you can call it clean might not be the painful journey you expect. Let’s go over 5 key features that make SonarCloud the perfect tool for developers and development teams to deliver Clean Code consistently and efficiently, without disrupting the existing development workflow.

1. Pull request decoration

To win at Clean Code, you want to find issues early in the workflow. Upon opening a pull request, SonarCloud will quickly present you with a report (which we call a 'decoration'), as illustrated below. This is the case whether you’re working with GitHub, GitLab, Bitbucket Cloud, or Azure DevOps Services: SonarCloud integrates seamlessly with each of these 4 platforms.

SonarCloud pull request decoration

This PR decoration enables you to assess the quality of your new code before making the decision to merge it into the main branch. As of today, there are five key Clean Code attributes that are raised in the PR decoration (and in every analysis we run): reliability, security (incl. security hotspots), maintainability, code coverage, and code duplications. For each of these, you get a rating from ‘A’ to ‘E’ in addition to the number of issues, so you can visually assess where your code stands in each domain. The last item raised in the PR decoration is the status of the Quality Gate, which I’m going to tell you more about in the 3rd section of this blog.

There are several benefits for developers linked to the pull request decoration:

  • It is available in the DevOps platform where you manage your code, without having to switch contexts.
  • It arrives quickly after you open the pull request, and enables you to fix code issues early in your workflow.
  • It provides the right pointers for you to investigate issues from SonarCloud’s interface and get remediation guidance.
  • It helps you make the decision of whether or not the pull request can be accepted and the code merged to the main branch.

In the end, pull request decorations are the best way to get early, comprehensive feedback so you can make informed decisions about your code.

2. Clear remediation guidance

SonarCloud helps you detect issues in your pull requests (and development branches) and also helps with remediation. Any time you receive a pull request decoration with a failed quality gate, you will be invited to come to SonarCloud to investigate the issue list. From there, you can assign an issue to a member of the organization if the code is theirs.

SonarCloud issue list

Once you pick an issue to fix, you will receive guidance in several places:

  • In the code, showing the issue highlighted in context.
  • In the dataflow (for taint vulnerabilities), where all the steps through which the issue is built in the code are listed.
  • In the rule description, which explains why this is an issue, and includes examples of non-compliant and compliant code, as well as an explanation of how to fix the issue.

With SonarCloud’s guidance, you will be able to understand and fix issues in no time, while the code is still fresh in mind. Commit after commit, you will learn new coding rules and elevate your game. You’re winning today by ensuring your new code is clean, but you’re also placing yourself in a better position to deal with tomorrow’s challenges.

3. Go/No-Go Quality gate

The quality gate is the cornerstone of a winning strategy at Clean Code. It will help you answer the question: ‘Is my code ready to be merged?’. It couldn’t be more straightforward:

  • Passed (green): you can merge
  • Failed (red): you shouldn’t merge

Never promote code with a failed quality gate! Or accept to be doomed for eternity… *dark_laugh*.

SonarCloud failed quality gate

The quality gate computation is based on Clean Code attributes. Unless your code meets the defined requirements (e.g. the reliability rating cannot be worse than ‘A’), the quality gate will fail. A Sonar way quality gate is available by default, which helps you get started quickly with SonarCloud. Once you’re familiar with the concept of Clean Code, you can customize the quality gate and adjust it to your needs by adding more conditions.

The quality gate is available in the pull requests directly so you know when there is something to fix before you can merge. When it’s green, you can merge with confidence, knowing that the code delivered is clean.
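To make the go/no-go logic concrete, here is an added example (not SonarCloud's own code) that evaluates a gate of conditions over the metrics measured on the new code of a pull request. The condition set, the metric names and the pull request measures are all constructed for illustration; the real 'Sonar way' thresholds may differ.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Ratings run from 'A' (best) to 'E' (worst); map them to numbers so they compare.
RATING_ORDER = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}

@dataclass(frozen=True)
class Condition:
    """One quality gate condition on a metric measured on new code only."""
    metric: str
    holds: Callable[[Any], bool]   # True when the measured value satisfies the condition
    description: str

def rating_at_least(letter: str) -> Callable[[str], bool]:
    """Holds when the rating is `letter` or better (A is best, so a smaller rank wins)."""
    return lambda value: RATING_ORDER[value] <= RATING_ORDER[letter]

def at_least(threshold: float) -> Callable[[float], bool]:
    return lambda value: value >= threshold

def at_most(threshold: float) -> Callable[[float], bool]:
    return lambda value: value <= threshold

# Assumed default gate for illustration (modelled on the Clean Code attributes in the post).
DEFAULT_GATE: List[Condition] = [
    Condition("new_reliability_rating", rating_at_least("A"), "reliability rating on new code is A"),
    Condition("new_security_rating", rating_at_least("A"), "security rating on new code is A"),
    Condition("new_maintainability_rating", rating_at_least("A"), "maintainability rating on new code is A"),
    Condition("new_security_hotspots_reviewed", at_least(100.0), "all new security hotspots reviewed"),
    Condition("new_coverage", at_least(80.0), "coverage on new code >= 80%"),
    Condition("new_duplicated_lines_density", at_most(3.0), "duplicated lines on new code <= 3%"),
]

def evaluate_gate(conditions: List[Condition], measures: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return ('PASSED', []) or ('FAILED', [descriptions of every failing condition]).
    A metric the analysis did not report counts as a failure, so nothing slips through unmeasured."""
    failures = [c.description for c in conditions
                if c.metric not in measures or not c.holds(measures[c.metric])]
    return ("PASSED" if not failures else "FAILED", failures)

# Constructed measures for one pull request, as an analysis would report them on new code.
PR_MEASURES: Dict[str, Any] = {
    "new_reliability_rating": "A",
    "new_security_rating": "C",           # the change introduced a new vulnerability
    "new_maintainability_rating": "A",
    "new_security_hotspots_reviewed": 100.0,
    "new_coverage": 72.5,                 # tests cover too few of the new lines
    "new_duplicated_lines_density": 1.2,
}
```

Running `evaluate_gate(DEFAULT_GATE, PR_MEASURES)` returns `FAILED` with the two failing conditions listed, which is the information the decoration shows you before you decide whether to merge; tightening the gate is just appending another `Condition`.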

4. Clean as You Code methodology

Unless you start using SonarCloud at the beginning of a project, it’s very likely that the results of the first project analysis will be overwhelming, with hundreds of issues. Then comes the question of where to start. This is where the Clean as You Code methodology will help you.

First, leave the past behind. Digging into old code for no other reason than fixing technical debt brings the risk of functional regression. It would also require a major investment in time and would take you away from what you like, or have, to do. Instead, using the Clean as You Code methodology, you will focus on where you will have the most impact: the code you own and deliver today.

Why is today’s code the best opportunity to impact the quality of the code base? Because, in the process of developing new features, you will inevitably touch existing code to make changes. This updated code will go through the quality gate. Since we’ve agreed you’re only going to merge code with a green quality gate, commit after commit, you will progressively remediate old code. No need to allocate dedicated time, it’s happening as part of your workflow. I told you it wasn’t going to be the painful journey you originally thought of.

5. IDE integration with SonarLint

SonarLint helps you shift left even further, by catching issues on the fly and providing real-time feedback as you’re writing code in your IDE. A free plug-in, it's compatible with all major IDEs (IntelliJ, Visual Studio, VS Code, and Eclipse).

Once connected to SonarCloud, SonarLint imports the language configuration into the IDE, aligning your team on a single standard of Clean Code. SonarLint also brings taint analysis results from SonarCloud into the IDE so you can investigate those issues early. You will receive notifications on the Quality Gate status or when a new issue is assigned to you.

With SonarCloud and SonarLint, you will get the full power of the Sonar solution and bring consistency throughout your entire development workflow.

The recipe for Clean Code success!

You now have a better idea of what SonarCloud offers. With these features, you will be ready to succeed in cleaning your code. Not only will you deliver with confidence, but you will also learn along the way.

Ready to give it a try? Getting started with SonarCloud couldn’t be easier! It is free for open-source projects, and you get a 14-day free trial period to try it with private repositories. Simply sign up with your DevOps platform account in 1 click, import the first project to analyze, and wait for the automatic analysis to end (available for most languages). From there, all pull requests will be decorated. To clean your code, make every pull request count!

If you have any questions, or if you encounter a problem, please go to our Community Forum. We’ll be happy to help you get up and running.
