Monitoring code quality & security in Cortex with SonarQube

Integrating SonarQube into Cortex can help users monitor code quality and security through the use of Scorecards.

June 10, 2021

SonarQube empowers developers to write clean and safe code. It continuously assesses code quality and provides a detailed report of bugs, vulnerabilities, and code duplications.

By integrating SonarQube into Cortex, you’ll be able to leverage everything SonarQube has to offer alongside your other integrations in Scorecards, giving you a rich, high-quality understanding of your platform and services. Scorecards that target operational readiness, availability, and quality are good examples of the kind that benefit from SonarQube data.

To get started see our documentation for adding SonarQube to Cortex.

Scorecard Integration

After you’ve added SonarQube to Cortex, you can create Scorecards that measure how your services are doing on code quality and security. There are a couple of SonarQube-specific rules that you can add to a Scorecard and assign points to, depending on how important each one is to your team.

For SonarQube, you can check whether a service:

  • has proper SonarQube coverage
  • has run a SonarQube scan recently
  • has code smells

Measuring Operational Readiness 

A great example of using SonarQube alongside other integrations is creating a Scorecard that measures Operational Readiness. A Scorecard focused on this will help you know when your service is ready to be deployed to production. You can check that there are runbooks, dashboards, logs, on-call escalation policies, accountable owners, and no vulnerabilities:

  • owners.count > 2 - there are owners defined for the service, so in case of an incident the accountable team is clear
  • oncall.escalations.count > 1 - there are at least 2 levels in the escalation policy, so that if the first on-call does not ack, there is a backup
  • runbooks.count >= 1 - there are runbooks in place for the service; this creates a culture of preparation
  • links("logs").count > 1 - when there is an incident, responders can easily find the right logs (usually load balancer logs + application logs)
  • dashboards.count >= 1 - there is a standard Grafana dashboard defined for the service
  • custom("pre-prod-enabled") = true - use an asynchronous process to check whether there is a live pre-prod environment for the service, and send a true/false flag to Cortex using the custom metadata API
  • sonarqube.metric("vulnerabilities") = 0 - ensure that production services are not deployed with any security vulnerabilities
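As an added example (not Cortex's or SonarQube's own code), the following Python re-implements the Operational Readiness rules above, plus the coverage, recent-scan and code-smell checks from the previous section, as plain predicates evaluated over a constructed service record and a constructed SonarQube measures response. The service field names, point values and thresholds (80% coverage, at most 20 code smells, a scan within 7 days) are assumptions made for this example; the response shape follows SonarQube's `api/measures/component` endpoint, where measure values arrive as strings.

```python
"""Added example, not Cortex's or SonarQube's own code: a small evaluator
for Scorecard-style rules over a constructed service record and a
constructed SonarQube measures payload. Field names in SERVICE, the point
values and the thresholds are assumptions made for this example."""
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the "scanned recently" rule is deterministic (assumption).
NOW = datetime(2021, 6, 10, tzinfo=timezone.utc)

# Constructed payload in the shape of SonarQube's
# GET /api/measures/component?component=...&metricKeys=... response;
# measure values arrive as strings.
SONAR_MEASURES = json.loads("""{
  "component": {
    "key": "payments-service",
    "measures": [
      {"metric": "coverage", "value": "81.4"},
      {"metric": "vulnerabilities", "value": "0"},
      {"metric": "code_smells", "value": "25"}
    ]
  }
}""")

# Constructed service record with the fields the rules refer to (assumed names).
SERVICE = {
    "owners": ["team-payments", "alice", "bob"],
    "oncall_escalation_levels": 1,  # only one level: no backup responder
    "runbooks": ["https://example.invalid/runbooks/payments"],
    "links": {"logs": ["lb-logs", "app-logs"], "dashboards": ["grafana-main"]},
    "custom": {"pre-prod-enabled": True},
    "sonarqube_last_analysis": NOW - timedelta(days=3),
}


def sonar_metric(payload, key):
    """Return a SonarQube measure as a float, or None when the metric is absent.
    A missing metric must not be read as 0, or a service that was never scanned
    would pass the 'no vulnerabilities' rule."""
    for measure in payload["component"]["measures"]:
        if measure["metric"] == key:
            return float(measure["value"])
    return None


def build_rules(now, max_scan_age=timedelta(days=7)):
    """(rule label, points, predicate(service, sonar_payload)) triples.
    Labels use the expression syntax from the post; the predicates are a
    plain-Python reading of each expression."""
    def metric_ok(key, check):
        def pred(_service, sonar):
            value = sonar_metric(sonar, key)
            return value is not None and check(value)
        return pred

    return [
        ("owners.count > 2", 1, lambda s, _: len(s["owners"]) > 2),
        ("oncall.escalations.count > 1", 2, lambda s, _: s["oncall_escalation_levels"] > 1),
        ("runbooks.count >= 1", 1, lambda s, _: len(s["runbooks"]) >= 1),
        ('links("logs").count > 1', 1, lambda s, _: len(s["links"].get("logs", [])) > 1),
        ("dashboards.count >= 1", 1, lambda s, _: len(s["links"].get("dashboards", [])) >= 1),
        ('custom("pre-prod-enabled") = true', 2, lambda s, _: s["custom"].get("pre-prod-enabled") is True),
        ('sonarqube.metric("vulnerabilities") = 0', 3, metric_ok("vulnerabilities", lambda v: v == 0)),
        ('sonarqube.metric("coverage") >= 80', 2, metric_ok("coverage", lambda v: v >= 80)),
        ('sonarqube.metric("code_smells") <= 20', 1, metric_ok("code_smells", lambda v: v <= 20)),
        ("sonarqube scan within 7 days", 1,
         lambda s, _: now - s["sonarqube_last_analysis"] <= max_scan_age),
    ]


def evaluate(service, sonar, now=NOW):
    """Score a service: returns (points earned, points possible, failed rule labels)."""
    earned, possible, failed = 0, 0, []
    for label, points, predicate in build_rules(now):
        possible += points
        if predicate(service, sonar):
            earned += points
        else:
            failed.append(label)
    return earned, possible, failed


if __name__ == "__main__":
    score, total, failing = evaluate(SERVICE, SONAR_MEASURES)
    print(f"payments-service: {score}/{total}")
    for label in failing:
        print("  FAIL", label)
```

With the constructed inputs the service scores 12 of 15 points, failing the escalation-depth rule and the code-smell threshold. A metric that is absent from the SonarQube response is treated as a failed rule rather than as zero, so a service that has never been scanned cannot pass the no-vulnerabilities check by default.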

Once you have a Scorecard like this set up, you can start using initiatives to drive progress across the organization on these goals. 

Start using Cortex & SonarQube today

With Cortex's SonarQube integration, you'll be able to map SonarQube’s data to services. Additionally, you can set objective standards for service quality using Scorecards and drive org-wide initiatives to improve on your services using Initiatives. Visit our documentation to integrate SonarQube with Cortex. If you're new to Cortex, set up a demo with our team to get started. 
