DIT Digital Services Guidelines

Appearance

SonarQube

SonarQube is DIT's platform for continuous code quality and security analysis. All software projects must integrate with SonarQube to ensure code meets quality standards before deployment.

Overview

SonarQube performs:

  • Static Code Analysis – Identifies bugs, vulnerabilities, and code smells
  • Security Scanning – Detects security vulnerabilities and hotspots
  • Code Coverage – Tracks test coverage metrics
  • Technical Debt – Measures and tracks code maintainability

Quality Gates

DIT Quality Gate

All projects must pass DIT's quality gate before merging:

MetricThreshold
New Bugs0
New Vulnerabilities0
New Code Smells≤ 10
New Coverage≥ 70%
New Duplicated Lines≤ 3%
Security Hotspots Reviewed100%
New Security RatingA
New Reliability RatingA
New Maintainability RatingA

Quality Gate Enforcement

Quality gates are enforced in CI/CD pipelines. PRs that fail the quality gate cannot be merged without explicit approval from the Head of Digital Development.

Relaxed Quality Checks for Legacy Code

Stringent quality gates (such as zero new bugs or 70%+ coverage) are strictly enforced for new code. However, for existing codebases and legacy software, some quality requirements may be relaxed or applied incrementally.

  • Teams should focus on improving quality over time in older projects.
  • Quality gate failures caused solely by issues in legacy code may be temporarily allowed, provided that all new code meets the current standards.
  • Significant technical debt or security risks in legacy code should be documented and remediated as part of ongoing work.

Consult with the Head of Digital Development if you need an exemption for a legacy codebase or are unsure how best to proceed.

GitHub Integration

Workflow Configuration

To be added.

Pull Request Decoration

SonarQube automatically comments on PRs with analysis results:

  • Quality gate status
  • New issues introduced
  • Coverage changes
  • Duplication changes

Project Configuration

sonar-project.properties

Create a sonar-project.properties file in your repository root:

properties
# Project identification
sonar.projectKey=my-team_my-app
sonar.projectName=My Application
sonar.projectVersion=1.0.0

# Source code location
sonar.sources=src
sonar.tests=src
sonar.test.inclusions=**/*.test.ts,**/*.spec.ts

# Exclude files from analysis
sonar.exclusions=\
  **/node_modules/**,\
  **/dist/**,\
  **/coverage/**,\
  **/*.d.ts,\
  **/migrations/**

# Test coverage
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.typescript.lcov.reportPaths=coverage/lcov.info

# Encoding
sonar.sourceEncoding=UTF-8

Language-Specific Configuration

TypeScript/JavaScript

properties
sonar.sources=src
sonar.tests=src
sonar.test.inclusions=**/*.test.ts,**/*.spec.ts
sonar.typescript.lcov.reportPaths=coverage/lcov.info

Python

properties
sonar.sources=src
sonar.tests=tests
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.xunit.reportPath=test-results.xml

Go

properties
sonar.sources=.
sonar.exclusions=**/*_test.go,**/vendor/**
sonar.tests=.
sonar.test.inclusions=**/*_test.go
sonar.go.coverage.reportPaths=coverage.out

Issue Categories

Bugs

Code defects that will cause incorrect behavior:

  • Null pointer dereferences
  • Infinite loops
  • Resource leaks
  • Logic errors

Severity Levels:

  • Blocker – High probability of impacting production
  • Critical – Low probability but high impact
  • Major – Significant code quality issue
  • Minor – Low-impact issue
  • Info – Informational only

Vulnerabilities

Security issues that could be exploited:

  • SQL injection
  • Cross-site scripting (XSS)
  • Insecure cryptography
  • Hardcoded credentials
  • Path traversal

Security Rating:

  • A – No vulnerabilities
  • B – Minor vulnerabilities
  • C – Major vulnerabilities
  • D – Critical vulnerabilities
  • E – Blocker vulnerabilities

Security Hotspots

Code that requires security review:

  • Authentication logic
  • Cryptographic operations
  • File operations
  • Database queries
  • HTTP redirects

Hotspots must be reviewed and marked as either:

  • Safe – No security issue after review
  • Fixed – Issue addressed in code
  • To Review – Pending review

Code Smells

Maintainability issues that make code harder to understand or modify:

  • Duplicated code
  • Complex methods
  • Large classes
  • Unused variables
  • Inconsistent naming

Coverage Requirements

Minimum Coverage

New code must achieve minimum 70% test coverage:

properties
# Quality gate condition
sonar.qualitygate.condition.newCoverage=70

Coverage Reports

Generate coverage reports in CI:

yaml
# Jest (TypeScript/JavaScript)
- name: Run tests
  run: pnpm test --coverage --coverageReporters=lcov

# pytest (Python)
- name: Run tests
  run: pytest --cov=src --cov-report=xml

# Go
- name: Run tests
  run: go test -coverprofile=coverage.out ./...

Branch Analysis

Main Branches

The dev or main branch is analyzed as long-lived branches with full history.

Pull Request Analysis

PRs are analyzed for:

  • New issues introduced
  • Coverage on new code
  • Quality gate status

Excluding Files

Exclude from Analysis

Files that should not be analyzed:

properties
sonar.exclusions=\
  **/node_modules/**,\
  **/dist/**,\
  **/build/**,\
  **/*.generated.ts,\
  **/migrations/**,\
  **/__mocks__/**

Exclude from Coverage

Files where coverage is not required:

properties
sonar.coverage.exclusions=\
  **/*.config.js,\
  **/index.ts,\
  **/*.d.ts,\
  **/migrations/**

Exclude from Duplication Detection

properties
sonar.cpd.exclusions=\
  **/*.generated.ts,\
  **/migrations/**

Best Practices

1. Fix Issues Early

Address issues when they're introduced, not after they accumulate:

  • Fix bugs and vulnerabilities immediately
  • Review security hotspots promptly
  • Refactor code smells during related work

2. Don't Suppress Without Reason

If you must suppress an issue, document why:

typescript
// NOSONAR: False positive - input is validated upstream
const query = `SELECT * FROM users WHERE id = ${userId}`;

3. Review Coverage Gaps

Low coverage indicates:

  • Missing tests for new features
  • Dead code that should be removed
  • Complex code that's hard to test

4. Monitor Technical Debt

Track technical debt over time. Increasing debt indicates:

  • Rushed development
  • Insufficient code review
  • Need for dedicated refactoring

5. Use IDE Integration

Install SonarQube for IDE in your editor to catch issues before committing.

Dashboard Access

DIT's SonarQube instance is accessible at here. For access and new project setup, please reach out to the DevOps Team.

By integrating SonarQube into all projects, DIT ensures consistent code quality, security, and maintainability across the entire software portfolio.