
DEMO: Configuring SonarCloud in a Pipeline




This course explores how to manage code quality and security policies with Azure DevOps, and will help those preparing for Microsoft's AZ-400 exam.

It starts by examining the definition of code quality and how to write high-quality code. Next, we’ll look at what goes into code quality scanning and at how SonarCloud can help monitor code quality, and you'll see a hands-on demonstration that shows you how to use SonarCloud in the pipeline.

You'll learn what code coverage means and how to use the “Publish Code Coverage Results” task to report on code coverage. This course also covers security policies, including OWASP and its Top-10 list, as well as looking at a couple of popular security analysis tools.

If you have any feedback relating to this course, feel free to get in touch with us at support@cloudacademy.com. Any URLs referenced during this course can be found in the relevant lecture transcripts.

Learning Objectives

  • Understand what high-quality code is and how to write quality code
  • Learn how to monitor code quality
  • Learn how to report on code coverage
  • Learn about the OWASP Top Ten
  • Understand how security analysis tools can be used in conjunction with Azure DevOps to check code for vulnerabilities
  • Learn how to configure SonarCloud in a pipeline

Intended Audience

This course is intended for those who are preparing for the AZ-400 exam, or anyone who wants to learn more about managing code quality and security policies with Azure DevOps.


To get the most from this course, you should have a basic understanding of Microsoft Azure and of DevOps concepts.


Welcome back. In this brief demonstration, what we're going to do is configure SonarCloud in a pipeline. What we're first going to do is activate SonarCloud for our DevOps subscription here. On the screen here you can see I'm logged into my DevOps subscription. I have the Parts Unlimited project that was generated by the Azure DevOps Demo Generator here, and this is the project we're going to work with.

So what we need to do first here is to set up the SonarCloud extension for our subscription. And to do that from that screen, we click the marketplace icon here and we browse the marketplace. Now from the extensions search bar here, we're simply going to search for SonarCloud. And we can see we have a couple of different options.

We have the SonarCloud extension here, we have the Quality Gate and we have the build breaker along with an SP Tool that allows SonarCloud to run for .Net Core projects on prem actually. What we're going to do here is install the SonarCloud extension. So we'll select our SonarCloud and then we'll click Get it Free. And then from here, we're going to select our DevOps organization and in this example, I only have the single DevOps organization called DevOps9878 and we'll go ahead and install it. And once it's installed, we can proceed back to the organization.

Once we're back in our organization here, we'll select our Parts Unlimited project here. Now from our Parts Unlimited project here, what we're going to do is create a new pipeline. So let's go ahead and select pipelines here and we can see we already have a recently run pipeline which we are not going to use.

What we'll do here is click new pipeline and then what I'm going to do here is show you how you can use the classic editor to create a pipeline without YAML. There's a way to do that as well. And to do that, we simply select the Use The Classic Editor here, and from here, we're going to leave the source as our Azure Repos Git and we have our Parts Unlimited team project, our PartsUnlimited repository, and of course the Master default branch, we'll go ahead and continue here.

Now, what we can do here is select our template. We can either search for the template, or if we scroll down here we can see the .NET templates that were added by SonarCloud. For this example, we'll use the .NET Desktop with SonarCloud.

Now, what we can see here is that we have some settings that need attention. We need to configure the Agent pool. Now what we're going to do for this demonstration is select Azure hosted. And then what we'll do here for the agent specification is we'll select the vs2017 for this example, and then what we'll do here is we'll prepare analysis on SonarCloud.

Now on this screen, we can see we have to configure some information. We need to configure a service endpoint so that this build can connect to SonarCloud to perform the analysis. We need to specify our organization and a project key.

Now, if I select the drop down here for my service endpoint, I can see I don't have any service endpoints created right now.

Now to create this service endpoint, I can either go through the manage link here and create a service connection for SonarCloud, which takes me to my new SonarCloud service connection window. Or if I close this out and click New, it takes me right to the window.

In either case, I need to provide a SonarCloud token. Now to get that I need to set this up in my SonarCloud account. So we'll close this out and we'll open up sonarcloud.io. 

Now here I'm logged into my SonarCloud account. And if I go into my account here if I go into Security, I can generate a token. I'm just going to call this My Token, and we'll generate it. And we can see that my token has been created and we'll copy this.

We go back out to Parts Unlimited, we can go ahead and create our endpoint, provide our token here, we verify it, we can see our verification has succeeded, and we're just going to call this MyConnection. At this point, we'll verify and save it, and we now have our endpoint connection created.

Now in the organization drop down here, I can select my TestOrg9878. Now this TestOrg9878 comes from my account in SonarCloud where I have a TestOrg9878 organization defined. Now this Project Key needs to be globally unique so we'll create a Project Key for this project.

So with my Project Key configured here, we have all of the required information completed and we can go ahead and save and queue. We can leave everything here at its default and we'll go ahead and run it.

Welcome back. So now that our analysis has completed, let's go ahead and take a look at what the output is. On the screen here I'm in my pipeline screen for my Parts Unlimited project. We can see the recently run pipeline for Parts Unlimited. This is the .NET Desktop with SonarCloud.

We can go ahead and select our run, from here we can select the description for our run. We see the warnings that were generated as part of our run. Now from here, what we can do is click on Tests and we can see that we had 16 total tests. We can see that we had 14 passed and two other state. And then if we click on extensions here, we can see that we have a detailed SonarCloud report available.

So we'll go ahead and click on our report. This takes us out to SonarCloud where we can see a full report that is returned for our analysis. We can see we had 89 total bugs for vulnerabilities, we had some security hotspots or lots of security hotspots, I should say. And we can see our coverage report here's what I'm really interested in for this.

If we hover over the icon here, we can see that this represents the percentage of lines of code covered by our tests. A 0.3% code coverage is probably not what we're after. Now, we're not after perfection here because I just wanted to show you how to work through the process of using SonarCloud with your pipeline.

If we select our vulnerabilities here, we can see that we should be refactoring code to not perform redirects, we should be refactoring code to not reflect user controlled data and we should be making some other changes here. We go back out to Overview, we can go ahead and select our bugs and we can see there are all kinds of bugs in our code. So that is how you integrate SonarCloud into your build pipeline.
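
The classic-editor configuration from this demo, written as a YAML pipeline. This is an added example, not part of the course material: the service connection and organization names are taken from the demo, while the project key is a placeholder and the solution path, platform and configuration values are assumptions.

```yaml
# Added example: YAML equivalent of the ".NET Desktop with SonarCloud" classic template.
# The SonarCloud token is stored in the service connection, so no secret appears in this file.
trigger:
  - master

pool:
  vmImage: 'vs2017-win2016'   # hosted image for the "vs2017" selection in the demo (since retired by Microsoft)

variables:
  solution: '**/*.sln'            # assumed solution path
  buildPlatform: 'Any CPU'        # assumed
  buildConfiguration: 'Release'   # assumed

steps:
  - task: NuGetToolInstaller@1

  - task: NuGetCommand@2
    inputs:
      restoreSolution: '$(solution)'

  # Must run before the build so the scanner can hook into MSBuild.
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'MyConnection'                # service connection created in the demo
      organization: 'TestOrg9878'               # organization selected in the demo (assumed to match its SonarCloud key)
      scannerMode: 'MSBuild'
      projectKey: '<your-unique-project-key>'   # placeholder; the demo does not show the key
      projectName: 'PartsUnlimited'

  - task: VSBuild@1
    inputs:
      solution: '$(solution)'
      platform: '$(buildPlatform)'
      configuration: '$(buildConfiguration)'

  - task: VSTest@2
    inputs:
      platform: '$(buildPlatform)'
      configuration: '$(buildConfiguration)'
      codeCoverageEnabled: true   # collect coverage during the test run

  # Runs the analysis and uploads the results to SonarCloud.
  - task: SonarCloudAnalyze@1

  # Waits for SonarCloud to finish processing and adds the result to the build summary.
  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```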



About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.