Monitoring Code Quality


Course Introduction
Start course

This course explores how to manage code quality and security policies with Azure DevOps, and will help those preparing for Microsoft's AZ-400 exam.

It starts by examining the definition of code quality and how to write high-quality code. Next, we’ll look at what goes into code quality scanning and at how SonarCloud can help monitor code quality, and you'll see a hands-on demonstration that shows you how to use SonarCloud in the pipeline.

You'll learn what code coverage means and how to use the “Publish Code Coverage Results” task to report on code coverage. This course also covers security policies, including OWASP and its Top-10 list, as well as looking at a couple of popular security analysis tools.

If you have any feedback relating to this course, feel free to get in touch with us at Any URLs referenced during this course can be found in the relevant lecture transcripts.

Learning Objectives

  • Understand what high-quality code is and how to write quality code
  • Learn how to monitor code quality
  • Learn how to report on code coverage
  • Learn about the OWASP Top Ten
  • Understand how security analysis tools can be used in conjunction with Azure DevOps to check code for vulnerabilities
  • Learn how to configure SonarCloud in a pipeline

Intended Audience

This course is intended for those who are preparing for the AZ-400 exam, or anyone who wants to learn more about managing code quality and security policies with Azure DevOps.


To get the most from this course, you should have a basic understanding of Microsoft Azure and of DevOps concepts.


Hello, and welcome to Monitoring Code Quality.

Writing code can certainly be a chore. Quite often, developers are tasked with just getting code to work – often under tight deadlines. That being the case, code quality is often not really top of mind. That’s not good, because, in order to avoid technical debt, improved code quality and efficiency should always be one of the main goals in any DevOps project. Maintaining code quality requires that you ensure that your developers are writing quality code. Implementing code quality scanning, which is an automated system for providing code feedback, can be very useful for improving code quality.

Scanning your code quality like this is quite similar to grammar and spell-check in Microsoft Word. It allows you to improve the final product, because, code quality maintenance should be top of mind throughout a project's lifecycle. The reasoning is pretty straightforward. Issues with code quality will usually accumulate if left unchecked. This leads to snowballing technical debt, which, in turn, results in difficult and time-consuming software maintenance.

One of the best ways to mitigate this technical debt is to address code quality issues as early as possible in the development process.

Tools and techniques that you can leverage to improve code quality include things like enforcement of coding standards, proper training, regular and ongoing code reviews, and automated quality analysis.

That automated quality analysis piece is what we are concerned about here. Automated quality analysis tools, or static code analysis tools, are used to help maintain high code quality. Such tools are immensely helpful to developers because they can scan code and flag vulnerabilities. These tools include things like SonarCloud.

What these tools do is identify code quality issues and track trends over time. Using these tools allows developers to view the current code health of a project along with historic code health of the project.

Let’s discuss how SonarCloud can be used to help with code quality monitoring.

To ensure high-quality code, you can use SonarCloud to automatically analyze your code by reading it right from your repository. You don’t need to configure a CI-based analysis.

To make this happen, you need to import a project that’s compatible with Automatic Analysis. Once you’ve imported your projects, SonarCloud will analyze the default branch. A new analysis will be triggered automatically after every new push on the default branch and after any pull request activity.

I should point out, however, that Automatic Analysis, at the time of this course publication, is only available for GitHub repositories – and can only be activated on projects bound to a repository. 

To activate Automatic Analysis with SonarCloud for a new project, you need to import the project from GitHub. Once imported, SonarCloud automatically triggers a compatibility check to ensure that the project is compatible with Automatic Analysis. If it is, SonarCloud triggers an initial analysis. If it’s not compatible, SonarCloud will suggest other analysis methods. For example, it may recommend using a CI tool.

To use Automatic Analysis for an existing project, you would just browse to your project’s Analysis Method page in SonarCloud and turn Automatic Analysis on. Once the compatibility check finishes, SonarCloud will make recommendations for your specific project. 

Later on, in this course, I’ll show you how to use SonarCloud in a build pipeline.


Course Introduction - Code Quality Defined - Reporting on Code Coverage - The OWASP Top Ten - Security Analysis Tools - DEMO: Configuring SonarCloud in a Pipeline - Course Summary

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.