Create a Jenkins CICD Pipeline with SonarQube Integration to perform Static Code Analysis

Lab Steps

  • Logging in to the Amazon Web Services Console
  • Connecting to the Amazon Virtual Machine Using EC2 Instance Connect
  • Launch Jenkins and SonarQube Docker Containers
  • Login to SonarQube and Generate Security Token
  • Log in to Jenkins and Complete the Default Installation
  • Install and Configure SonarQube and Gradle Plugins
  • Create and Execute Jenkins Pipeline Gradle Job
  • Review SonarQube Static Analysis Report

Difficulty: Intermediate
Time Limit: 3h
Students: 1285
Rating: 4.4/5

Description

Integrating Jenkins with SonarQube provides you with an automated platform for performing continuous inspection of code for quality and security assurance.

In this lab, you will launch a Jenkins and SonarQube CICD environment using Docker containers on a provided EC2 instance. You will then configure a Jenkins build pipeline to build, compile, and package a sample Java servlet web application. The build pipeline will publish the source code into SonarQube, which in turn will perform a static analysis of the code to detect bugs, code smells, and security vulnerabilities.

This lab is aimed at DevOps and CICD practitioners, and, in particular, build and release engineers interested in managing and configuring Jenkins together with SonarQube to perform automated static code analysis.

Lab Objectives

Upon completion of this lab, you will be able to:

  • Install and configure a Jenkins and SonarQube CICD environment using Docker containers
  • Configure Jenkins with the Gradle plugin to perform the core build and packaging for a sample Java servlet web application
  • Configure Jenkins with the SonarQube Scanner plugin for automated static code analysis
  • Create and set up a Jenkins build pipeline using a Jenkinsfile stored within a GitHub repo
  • Use the SonarQube web application to examine and review the generated static analysis report

Lab Prerequisites

You should:

  • Be comfortable with SSH to remotely administer a Linux-based server
  • Be comfortable with basic Linux administration

Lab Environment

This lab will start with the following AWS resources being provisioned automatically for you:

  • A single EC2 instance, named cicd.platform.instance, which will have a public IP address attached

To achieve the Lab end state, you will be walked through the process of:

  • Connecting to the EC2 instance, named cicd.platform.instance
    • Using Docker Compose to launch the following Docker containers:
      • Jenkins
      • SonarQube
      • Postgres
      • Socat
  • Using a browser, administering and configuring Jenkins, including installing the required plugins. Connectivity to Jenkins is via the cicd.platform.instance public IP address
  • Using a browser, administering and configuring SonarQube. Connectivity to SonarQube is via the cicd.platform.instance public IP address
  • Creating a Jenkins build pipeline and configuring it to build a sample Java servlet web application hosted on GitHub, with the source code then forwarded into SonarQube for static code analysis
  • Executing the Jenkins build pipeline and confirming that it has completed successfully, forwarding the source code over to SonarQube for static code analysis
  • Confirming that SonarQube has received the source code, performed static code analysis, and generated a project report
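The kind of Jenkinsfile the pipeline stage above would use, as an added example rather than the lab's own file. It assumes a Gradle installation registered in Jenkins under the name gradle, a SonarQube server registered in Jenkins under the name SonarQube (this is where the token generated in the lab is stored, so it never appears in the repo), and a Gradle build that applies the org.sonarqube plugin and exposes the sonar task (older plugin versions call it sonarqube); the project key is a constructed value.

```groovy
// Added example Jenkinsfile (not the lab's own). Assumed names: Gradle tool 'gradle',
// SonarQube server 'SonarQube', project key 'sample-servlet-app'.
pipeline {
    agent any
    tools {
        // Gradle installation configured under Global Tool Configuration (Gradle plugin)
        gradle 'gradle'
    }
    options {
        timeout(time: 30, unit: 'MINUTES')
    }
    stages {
        stage('Build and Test') {
            steps {
                sh 'gradle clean build'
            }
        }
        stage('Static Analysis') {
            steps {
                // withSonarQubeEnv (SonarQube Scanner plugin) injects the server URL and
                // the stored token into the environment, so no credential is hard-coded.
                withSonarQubeEnv('SonarQube') {
                    sh 'gradle sonar -Dsonar.projectKey=sample-servlet-app'
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Blocks until SonarQube reports the gate result via its Jenkins webhook;
                // a failed gate (e.g. new vulnerabilities) aborts the build.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Package') {
            steps {
                // Only artifacts that passed the gate are kept
                archiveArtifacts artifacts: 'build/libs/*.war', fingerprint: true
            }
        }
    }
    post {
        always {
            junit allowEmptyResults: true, testResults: 'build/test-results/test/*.xml'
        }
    }
}
```

The Quality Gate stage only completes if SonarQube has a webhook configured to call back to the Jenkins sonarqube-webhook endpoint; without it the step times out.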


Updates

November 28th, 2022 - Updated lab to use EC2 Instance Connect and added check

January 12th, 2022 - Updated the instructions and screenshots to reflect the latest Jenkins UI

About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, and Kubernetes (CKA, CKAD, CKS).