Azure DevOps and SonarCloud, better together — Block Pull Requests for every code violation!

Pieter Gheysens
Dec 16, 2018

It’s quite remarkable how many customers have been looking for cloud solutions in 2018 instead of continuing to rely on (outdated) on-prem solutions. I have done lots of migrations towards Azure DevOps from different versions of TFS. This trend will only increase in the coming months/years because it offers so many new and easy integration opportunities with the latest set of features being pushed continuously by the different SaaS players on the market. Interested in a custom migration plan towards Azure DevOps? Please contact me to help you with this project.

Azure DevOps is a cloud service from Microsoft for collaborating on code development. It provides an integrated set of features for all the different stakeholders in the software development process. It’s the cloud version of the on-prem solution Team Foundation Server (TFS), which has been known as Microsoft’s Application Lifecycle Management (ALM) solution.

SonarCloud is a cloud service from SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis to detect bugs, code smells, and security vulnerabilities in multiple programming languages. SonarQube is the on-prem solution.

With this post I want to show how easy it can be to link cloud solutions without having to worry about complex prerequisites for your local infrastructure. It just automagically works!

Inside my Azure DevOps Team Project I added a new Git repo with a simple class library.

For the master branch I added a branch policy with build validation enabled so that code changes can only be merged via a Pull Request to the master branch after a successful build was run with the latest code changes in the Pull Request and the sources of the master branch. The build which is coupled to the branch policy also executes a SonarCloud scan in the build process. The build uses the SonarCloud extension for Azure Pipelines.

The connection between Azure DevOps and SonarCloud has been configured via a Service Endpoint which requires a SonarCloud token for authentication.
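A YAML pipeline matching the build described above, as an added example that is not the author's own pipeline. The service connection name, organization, project key and project name are placeholders, and the task versions and agent image are assumptions.

```yaml
# azure-pipelines.yml (added example; values marked "placeholder" are assumptions)
# For Azure Repos Git, PR validation is not declared in YAML: it comes from the
# branch policy (build validation) on master that points at this pipeline.
trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'windows-latest'

steps:
  # Must run before the build. The SonarCloud token lives in the service
  # connection, never in this file or in a plain pipeline variable.
  - task: SonarCloudPrepare@1
    displayName: 'Prepare SonarCloud analysis'
    inputs:
      SonarCloud: 'SonarCloud-connection'   # placeholder: service connection name
      organization: 'my-org'                # placeholder: SonarCloud organization key
      scannerMode: 'MSBuild'
      projectKey: 'my-org_class-library'    # placeholder
      projectName: 'class-library'          # placeholder

  - task: DotNetCoreCLI@2
    displayName: 'Build class library'
    inputs:
      command: 'build'
      projects: '**/*.csproj'

  # Analyzes what the build step compiled and uploads the result to SonarCloud.
  - task: SonarCloudAnalyze@1
    displayName: 'Run SonarCloud analysis'

  # Waits for SonarCloud to finish processing and shows the quality gate
  # result on the build summary.
  - task: SonarCloudPublish@1
    displayName: 'Publish quality gate result'
    inputs:
      pollingTimeoutSec: '300'
```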

Both Azure DevOps and SonarCloud offer a free account where you can use basic features without any cost.

The build pipeline in Azure DevOps which has been configured above typically runs for every code push to the master branch and will upload the SonarCloud code violations to the (public) project in SonarCloud.

The Pull Request mechanism in Azure DevOps makes it possible to scan only the code changes of the feature/bugfix branch against the latest SonarCloud scan analysis of the master project. The scan performed in every PR build is an incremental scan and will not upload the results to the master branch, but will result in an additional branch due to the Branch Analysis feature of SonarCloud.

When SonarCloud also has been correctly configured to integrate with Azure DevOps, the additional benefit will be that code violations on the code changes in the feature/bugfix branch will be injected into the Azure DevOps Pull Request. This integration offers the capability to block the Pull Request when specific code violations have been detected via SonarCloud and must be fixed before allowing a merge towards the master branch.

The Pull Request now clearly shows the violations which were discovered by SonarCloud and provides the link to the SonarCloud project and the affected branch.

It’s up to the team now how to deal with the different code violations to unblock the Pull Request and to complete the final merge back to the master branch.

This simple scenario shows you the automatic workflow which can be used between Azure DevOps and SonarCloud to focus on code quality at an early stage in the development process before merging new features into a stable master branch. Pull Requests are a perfect match for this type of code analysis.

At Xpirit, we work closely together with our customers to provide guidance and assistance for cloud migrations and transformations. It’s our job to use our expertise to help you maximize the benefit of your business applications. It’s not about staffing your projects, it’s about taking the best decisions at the right time and helping you with your future technology roadmap. We are your trusted advisor. Interested in what we can deliver? Contact me.
