Updated 4 days ago by Copado Solutions


SonarQube is an open-source platform that allows you to run static code analysis on a wide range of languages.

For Apex code, SonarQube offers SonarApex, an on-premise static code analyzer which includes a set of rules that help you detect vulnerabilities and code smells. 

Please note that SonarApex is only available in SonarQube Enterprise Edition. If you want to use this static code analysis tool, you will need to get an Enterprise Edition license.

How to Use SonarApex to Run Static Code Analysis in Copado

If you want to use SonarApex to execute static code analysis in Copado, you need to use the CodeScan record type. 

Follow the steps below to configure the static code analysis settings to work with SonarQube:

  1. Navigate to the Static Code Analysis Settings tab and click on New.
  2. Select the CodeScan record type.
  3. Give your static code analysis settings a name.
  4. Choose the On-premise SonarQube option in the CodeScan Version picklist field.
  5. Create your token following these steps:
    1. Open your On-Premise SonarQube server URL.
    2. Enter your username and password and log in.
    3. In the top right corner click on My Account > Security.
    4. Enter a token name and generate it.
  6. Make the machine where SonarQube is installed reachable from Copado and add its URL to the CodeScan URL field.
  7. Click on Save.

To run static code analysis, follow the steps provided in the article Run Static Code Analysis.

Firewall Configuration

When Copado tries to access the SonarQube server URL, the connection will fail when a firewall restricts Copado from reaching the SonarQube server.

Your IT/Security team must configure the firewall so that it accepts incoming requests from the Copado backend. The team must:

  1. Allow (whitelist) the requests coming from the Copado backend IP addresses.
  2. Open port 443 for the Copado IP addresses.
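
As an added example that is not part of this article, the following nftables ruleset shows how the two firewall requirements above can be implemented on a Linux host that serves SonarQube over HTTPS, with the weak "open 443 to everyone" rule shown commented out beside the corrected source-restricted rule. The addresses in the `copado_backend` set and the management network CIDR are placeholders; replace them with the backend addresses Copado publishes and your own administrative network.

```nft
#!/usr/sbin/nft -f
# Added example (not from the Copado article): nftables rules for the host
# running SonarQube. Only the Copado backend addresses may reach port 443.
# The CIDRs in @copado_backend are PLACEHOLDERS; replace them with the
# addresses Copado publishes for its backend.
flush ruleset

table inet sonarqube_fw {
    # Allowlist of Copado backend source addresses (placeholder values).
    set copado_backend {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established sessions and local traffic working.
        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # Weak setting (do not use): exposes the SonarQube UI and API,
        # including token-authenticated endpoints, to any source address.
        # tcp dport 443 accept

        # Corrected setting: HTTPS only from the allowlisted Copado backend.
        ip saddr @copado_backend tcp dport 443 accept

        # Administrative SSH from the internal management network only
        # (placeholder CIDR).
        ip saddr 10.0.0.0/8 tcp dport 22 accept

        # Everything else falls through to the drop policy; log a rate-limited
        # sample so blocked connection attempts are visible to monitoring.
        limit rate 5/minute log prefix "sonarqube-fw drop: "
    }
}
```

Because the table is of family `inet` but the accept rules match `ip saddr`, IPv6 traffic is dropped by the chain policy; add an `ip6 saddr` rule if Copado reaches the server over IPv6.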
