Welcome back. In this brief demonstration, what we're going to do is configure SonarCloud in a pipeline. What we're first going to do is activate SonarCloud for our DevOps subscription here. On the screen here you can see I'm logged into my DevOps subscription. I have the Parts Unlimited project that was generated by the Azure DevOps Demo Generator here, and this is the project we're going to work with.

So what we need to do first here is to set up the SonarCloud extension for our subscription. And to do that from that screen, we click the marketplace icon here and we browse the marketplace. Now from the extensions search bar here, we're simply going to search for SonarCloud. And we can see we have a couple of different options.

We have the SonarCloud extension here, we have the Quality Gate and we have the build breaker along with an SP Tool that allows SonarCloud to run for .Net Core projects on prem actually. What we're going to do here is install the SonarCloud extension. So we'll select our SonarCloud and then we'll click Get it Free. And then from here, we're going to select our DevOps organization and in this example, I only have the single DevOps organization called DevOps9878 and we'll go ahead and install it. And once it's installed, we can proceed back to the organization.

Once we're back in our organization here, we'll select our Parts Unlimited project here. Now from our Parts Unlimited project here, what we're going to do is create a new pipeline. So let's go ahead and select pipelines here and we can see we already have a recently run pipeline which we are not going to use.

What we'll do here is click new pipeline and then what I'm going to do here is show you how you can use the classic editor to create a pipeline without YAML. There's a way to do that as well. And to do that, we simply select the Use The Classic Editor here, and from here, we're going to leave the source as our Azure Repos Git and we have our Parts Unlimited team project, our PartsUnlimited repository, and of course the Master default branch, we'll go ahead and continue here.

Now, what we can do here is select our template. We can either search for the template, or if we scroll down here we can see the.NET templates that were added by SonarCloud. For this example, we'll use the.NET Desktop with SonarCloud.

Now, what we can see here is that we have some settings that need attention. We need to configure the Agent pool. Now what we're going to do for this demonstration is select Azure hosted. And then what we'll do here for the agent specification is we'll select the vs2017 for this example, and then what we'll do here is we'll prepare analysis on SonarCloud.

Now on this screen, we can see we have to configure some information. We need to configure a service endpoint so that this build can connect to SonarCloud to perform the analysis. We need to specify our organization and a project key.

Now, if I select the drop down here for my service endpoint, I can say I don't have any service endpoints created right now.

Now to create this service endpoint, I can either go through the manage link here and create a service connection for SonarCloud, which takes me to my new SonarCloud service connection window. Or if I close this out and click New, it takes me right to the window.

In either case, I need to provide a SonarCloud token. Now to get that I need to set this up in my SonarCloud account. So we'll close this out and we'll open up sonarcloud.io. 

Now here I'm logged into my SonarCloud account. And if I go into my account here if I go into Security, I can generate a token. I'm just going to call this My Token, and we'll generate it. And we can see that my token has been created and we'll copy this.

We go back out to Parts Unlimited, we can go ahead and create our end point, provide our token here, we verify it, we can see our verification has succeeded, and we're just going to call this MyConnection. At this point, we'll verify and save it, and we now have our end point connection created.

Now in the organization drop down here, I can select my TestOrg9878 Now this TestOrg9878 comes from my account in SonarCloud where I have a TestOrg9878 organization defined. Now this Project Key needs to be globally unique so we'll create a Project Key for this project.

So with my Project Key configured here, we have all of the required information completed and we can go ahead and save and queue. We can leave everything here at its default and we'll go ahead and run it.

Welcome back. So now that our analysis has completed, let's go ahead and take a look at what the output is. On the screen here I'm in my pipeline screen for my Parts Unlimited project. We can see the recently run pipeline for Parts Unlimited. This is the.NET Desktop with SonarCloud.

We can go ahead and select our run, from here we can select the description for our run. We see the warnings that were generated as part of our run. Now from here, what we can do is click on Tests and we can see that we had 16 total tests. We can see that we had 14 passed and two other state. And then if we click on extensions here, we can see that we have a detailed SonarCloud report available.

So we'll go ahead and click on our report. This takes us out to SonarCloud where we can see a full report that is returned for our analysis. We can see we had 89 total bugs for vulnerabilities, we had some security hotspots or lots of security hotspots, I should say. And we can see our coverage report here's what I'm really interested in for this.

If we hover over the icon here, we can see that this represents the percentage of lines of code covered by our tests. A 0.3% code coverage is probably not what we're after. Now, we're not after perfection here because I just wanted to show you how to work through the process of using SonarCloud with your pipeline.

If we select our vulnerabilities here, we can see that we should be refactoring code to not perform redirects, we should be refactoring code to not reflect user controlled data and we should be making some other changes here. We go back out to Overview, we can go ahead and select our bugs and we can see there are all kinds of bugs in our code. So that is how you integrate SonarCloud into your build pipeline.

Lectures

Course Introduction - Code Quality Defined - Monitoring Code Quality - Reporting on Code Coverage - The OWASP Top Ten - Security Analysis Tools - Course Summary