Integrate SonarCloud with VSTS to boost code quality

by Fabrice Bellingard

If you want your development team to have a good code quality practice in place, tell them to adopt the "Fix the leak" approach: fix issues in the IDE before they are ever committed, review the remaining ones before merging the code, and apply a quality gate in the build process so that only good quality software ships to production. SonarSource has been developing products to apply this approach efficiently, and we are really happy that teams using Visual Studio Team Services and SonarCloud are now fully covered at every stage of the development process.

Pull request analysis: the missing piece

If your team is using VSTS, you might already be using:

  • SonarLint for Visual Studio to fix issues as you type, and therefore prevent most quality flaws from being pushed to the team repository
  • SonarCloud and its VSTS extension to analyse the whole code base every time the repository is updated, making sure that new code is under control thanks to the quality gate

If you are working with feature branches and pull requests, SonarCloud can now analyse the code of the new feature, annotate your pull request with comments that highlight the issues it found, and set a global status on that pull request which can be used to block any merge into the main development branch.

With this feature, you now have quality feedback loops at every stage of the development process: the shortest and quickest feedback loop in the IDE, the intermediate one in the VSTS pull requests, and the most comprehensive one in SonarCloud.

It's worth mentioning that pull request analysis is supported for any type of project: .NET solutions, Maven- or Gradle-based Java projects, or any kind of repository containing code known to SonarCloud (17 languages supported as of today!).

Activating PR analysis in VSTS

Let's assume that you have already configured a build definition to analyze your code on SonarCloud. For a standard .NET solution, this should look something like:

Activating the analysis of pull requests is very simple:

  1. Create a VSTS token with "Code (read and write)" scope, and set it in the "Administration > General Settings > Pull Requests" page of your project in SonarCloud
  2. In the "Branch policies" page of your main development branches (e.g. "master"), add a build validation policy that runs the build definition:

Now, the next time code is pushed to the source branch of a pull request in your project, the build definition will run a scan on that code and send the report to SonarCloud, which will:

  • decorate the pull request with comments for each issue that was found
  • set a global status on the pull request to indicate whether it is safe to merge the code
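The VSTS extension wires the pull request identity into the analysis for you; if you drive the SonarScanner CLI from your own build step instead, the scan has to carry that identity itself. The script below is an added example (not from the original post or from SonarSource) showing how to derive it from the predefined VSTS build variables; it assumes sonar-scanner is on PATH, a SonarCloud analysis token is stored in a secret build variable named SONAR_TOKEN, and the project key is a placeholder.

```shell
#!/usr/bin/env bash
# Added example; not code from the original post or from SonarSource.
# Builds the sonar-scanner arguments from the predefined VSTS build variables
# so that a pull request build is reported to SonarCloud as a PR analysis,
# while an ordinary CI build of "master" stays a branch analysis.
# Assumed: sonar-scanner on PATH, a SonarCloud analysis token in the secret
# build variable SONAR_TOKEN, and a placeholder project key.
set -u

# VSTS exposes branches as "refs/heads/<name>"; SonarCloud wants "<name>".
short_branch() {
    printf '%s' "${1#refs/heads/}"
}

# Print one scanner argument per line. Fails (exit 1) when a PR build lacks
# its pull request variables, so the step stops instead of silently
# analysing the PR as if it were the main branch.
scanner_args() {
    reason="${BUILD_REASON:-Manual}"
    printf '%s\n' "-Dsonar.projectKey=my-org_my-project" \
                  "-Dsonar.host.url=https://sonarcloud.io"
    if [ "$reason" = "PullRequest" ]; then
        if [ -z "${SYSTEM_PULLREQUEST_PULLREQUESTID:-}" ] ||
           [ -z "${SYSTEM_PULLREQUEST_SOURCEBRANCH:-}" ] ||
           [ -z "${SYSTEM_PULLREQUEST_TARGETBRANCH:-}" ]; then
            echo "PullRequest build without System.PullRequest.* variables" >&2
            return 1
        fi
        # Key, source branch and base branch identify the PR to decorate.
        printf '%s\n' \
          "-Dsonar.pullrequest.key=${SYSTEM_PULLREQUEST_PULLREQUESTID}" \
          "-Dsonar.pullrequest.branch=$(short_branch "$SYSTEM_PULLREQUEST_SOURCEBRANCH")" \
          "-Dsonar.pullrequest.base=$(short_branch "$SYSTEM_PULLREQUEST_TARGETBRANCH")"
    else
        printf '%s\n' \
          "-Dsonar.branch.name=$(short_branch "${BUILD_SOURCEBRANCH:-refs/heads/master}")"
    fi
}

# Run the scan. The token is read from the environment and never echoed;
# mark SONAR_TOKEN as a secret variable so the agent masks it in logs.
run_scan() {
    args=$(scanner_args) || return 1
    # shellcheck disable=SC2086  # intentional word splitting, one arg per line
    sonar-scanner $args -Dsonar.login="${SONAR_TOKEN:?SONAR_TOKEN is not set}"
}
```

Call run_scan from the build step; a build that VSTS started for a reason other than PullRequest never receives sonar.pullrequest.* parameters, so the main branch analysis and its quality gate are not mixed up with PR results.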

You can click on the links in the comments or on the status to open SonarCloud and dig further to understand what is wrong and how to fix it.

Prevent merging issues

A common practice with pull requests is to block merging the code until some validations pass. Now that SonarCloud gives a status on the pull requests of your project, you can prevent developers from completing a PR if there are open issues in it.

This is as simple as adding a status policy on your main development branches:

Now, every time someone wants to merge a pull request whose quality gate has failed, VSTS will refuse to complete it: the developer will have to either fix the issues or, if they consider that an issue should be accepted as debt to fix later, simply "confirm" it in SonarCloud. The PR status turns green as soon as the quality gate is green. And no worries: if this is a critical issue, the quality gate on the main branch will catch it anyway during the next analysis! If you've added SonarCloud widgets to your VSTS dashboard, you won't miss this:

Next steps?

Well, the next step for you is to activate this on your projects and make sure that you clean your sources as you code! If you feel that you need more details, the Microsoft Visual Studio DevOps site has a Hands-On Lab that walks you through the setup step by step.

On our side, we are already thinking about a new killer feature: a SonarCloud Gate in your automated Release pipelines, to make sure that no code with a red quality gate is ever shipped to production. Stay tuned!