SonarQube is an open-source platform that allows you to run static code analysis on a wide range of languages.
For Apex code, SonarQube offers SonarApex, an on-premise static code analyzer which includes a set of rules that help you detect vulnerabilities and code smells.
How to Use SonarApex to Run Static Code Analysis in Copado
If you want to use SonarApex to execute static code analysis in Copado, you need to use the CodeScan record type.
Follow the steps below to configure the static code analysis settings to work with SonarQube:
- Navigate to the Static Code Analysis Settings tab and click on New.
- Select the CodeScan record type.
- Give your static code analysis settings a name.
- Choose the On-premise SonarQube option in the CodeScan Version picklist field.
- Create your token following these steps:
  - Open your On-Premise SonarQube server URL.
  - Enter your username and password and log in.
  - In the top right corner, click on My Account > Security.
  - Enter a token name and generate it.
- Expose the machine where SonarQube is installed so that it is reachable from Copado, and enter its URL in the CodeScan URL field.
- Click on Save.
To run static code analysis, follow the steps provided in the article Run Static Code Analysis.
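Before saving the CodeScan settings, it is worth confirming that the URL and token you generated actually work, and that the URL is HTTPS so the token does not cross the firewall in clear text. The following pre-flight script is an added example, not Copado's or SonarSource's own code; it assumes `curl` is installed and reads the server URL and token from the `SONAR_URL` and `SONAR_TOKEN` environment variables (both names are assumptions). The `/api/authentication/validate` endpoint is SonarQube's own and answers `{"valid":true}` when the credentials are accepted.

```shell
#!/bin/sh
# Added example (not Copado's or SonarSource's code): pre-flight check of the
# on-premise SonarQube URL and token before entering them in the CodeScan settings.
# Assumed inputs: SONAR_URL and SONAR_TOKEN environment variables; curl installed.

# Classify the JSON body returned by /api/authentication/validate.
# Prints "valid", "invalid" or "unexpected" so callers can branch on it.
sonar_validate_parse() {
  body=$(printf '%s' "$1" | tr -d ' \n\t')   # tolerate pretty-printed JSON
  case "$body" in
    *'"valid":true'*)  echo valid ;;
    *'"valid":false'*) echo invalid ;;
    *)                 echo unexpected ;;     # e.g. an HTML login page or proxy error
  esac
}

# Accept only HTTPS URLs: the token is sent in an Authorization header and must
# not leave the server in clear text once the machine is exposed.
sonar_url_ok() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Query the server. SonarQube expects the token as the Basic-auth username with
# an empty password, which is what "-u token:" produces.
# Exit codes: 0 = got a parsable answer (see printed status), 2 = could not ask.
sonar_check_token() {
  url=$1; token=$2
  sonar_url_ok "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 2; }
  body=$(curl -sS -f -u "$token:" "$url/api/authentication/validate") || {
    echo "connection or HTTP failure (firewall, TLS or URL problem)" >&2; return 2; }
  sonar_validate_parse "$body"
}

# Run the live check only when the operator supplies both values; otherwise the
# file can be sourced and its functions reused.
if [ -n "${SONAR_URL:-}" ] && [ -n "${SONAR_TOKEN:-}" ]; then
  result=$(sonar_check_token "$SONAR_URL" "$SONAR_TOKEN") || exit 1
  echo "token status: $result"
fi
```

Run it from a host outside the SonarQube network segment: a "connection or HTTP failure" there, while the same command succeeds from inside, points at the firewall rather than at the token.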
If a firewall restricts access to the SonarQube server, Copado's connection to the SonarQube server URL will fail.
Your IT/Security team must configure the firewall so that it accepts incoming requests from the Copado backend. The team must:
- Allow (whitelist) the requests coming from the Copado backend IP addresses.
- Open port 443 for the Copado IP addresses.
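The two firewall requirements above amount to an allowlist on port 443: accept new connections from the Copado backend addresses and drop everyone else, in that order. The script below is an added example, not Copado's or SonarSource's code; the addresses in `COPADO_IPS` are placeholders standing in for the list Copado publishes, and `FW_APPLY` is an assumed switch. It prints `iptables` commands for review and only executes them when `FW_APPLY=1`.

```shell
#!/bin/sh
# Added example (not Copado's or SonarSource's code): build the inbound rules that
# let only the Copado backend reach the SonarQube server on 443. The addresses are
# placeholders; substitute the list Copado publishes. Rules are printed for review
# and applied only when FW_APPLY=1.

# Return 0 if $1 looks like an IPv4 address or CIDR ("a.b.c.d" or "a.b.c.d/nn").
# Anything else is rejected so a malformed entry never reaches iptables.
cidr_ok() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print one ACCEPT rule per allowed source, then a final DROP for everyone else.
# Order matters: iptables evaluates top-down, so the DROP must come last.
allow_rules() {
  for src in "$@"; do
    cidr_ok "$src" || { echo "rejecting malformed entry: $src" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport 443 -s $src -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 443 -j DROP"
}

# Placeholder addresses (RFC 5737 documentation ranges) standing in for Copado's.
COPADO_IPS="203.0.113.10 198.51.100.0/24"

# Generate the full rule set first; apply nothing if any entry was rejected.
rules=$(allow_rules $COPADO_IPS) || exit 1
if [ "${FW_APPLY:-0}" = "1" ]; then
  printf '%s\n' "$rules" | sh -e
else
  printf '%s\n' "$rules"
fi
```

The rules only match new connections, so the chain must already accept `ESTABLISHED,RELATED` traffic earlier on, as most base rule sets do; the default-drop line is what turns "expose the machine" into "expose it to Copado only".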