I recently had a conversation with a customer who is working with Azure DevOps and wants to implement SonarCloud. My colleague @mkaufmannblog had an article about that 4 years ago, but tools continue to evolve so here’s an update on that.
SonarCloud did an amazing job on guiding you through setup on their side (see the docs). However, there is a gap in what you need to do on the Azure DevOps side. My goal is to fill this gap.
I asume that you already have set up an organization and your project in SonarCloud. If not, do so and keep the required Azure DevOps PAT (Personal Access Token) with the Code (read and write) permissions for later usage. Fine, now we will enable each tool to interact with the other.
Enable SonarCloud for Pull Request Analysis with Azure DevOps
First enable SonarCloud for interaction with Azure DevOps. This can be set up in the Administration Tab.
In the Pull Request Menu select the Provider Azure DevOps Service and enter an Azure DevOps Personal Access token with Code (read and write) permissions (I used the same as for importing the organization).
Do not forget to click on both save buttons!!! 😉
Trigger SonarCloud Analysis from Azure DevOps Pipelines
Afterwards set up Azure DevOps to interact with SonarCloud. Go back to the project start page and choose With Azure DevOps Pipeline as your analysis method.
This guides you through installing the necessary extension in your AzureDevOps organization and gives you a token, that you can use to create a service connection to SonarCloud in your Azure DevOps project.
As I want to analyze a JavaScript project, I’ll choose the option other Other to configure my pipeline. This gives me detailed instructions on how to configure the SonarCloudPrepare task.
The pipeline for my JS project looks like this:
# Node.js
# Build a general Node.js project with npm.
# Add steps that analyze code, save build artifacts, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/javascript
trigger:
branches:
include:
- 'main'
pool:
vmImage: ubuntu-latest
steps:
- checkout: self
fetchDepth: 0
- task: NodeTool@0
inputs:
versionSpec: '16.x'
displayName: 'Install Node.js'
- task: SonarCloudPrepare@1
inputs:
SonarCloud: 'SonarCloud' # name of your SonarCloud service connection
organization: 'mboden' # name of the SonarCloud organization as given above
scannerMode: 'CLI'
projectKey: 'mboden_sonarcloud-demo' # SonarCloud project key as given above
projectName: 'sonarcloud-demo' # SonarCloud project name as given above
displayName: 'SonarCloud Configure'
- script: |
npm install
displayName: 'Install Dependencies'
- script: |
npm run tslint
displayName: 'Lint'
- script: |
npm run build
displayName: 'Build'
- script: |
npm run test
displayName: 'Test'
- task: SonarCloudAnalyze@1
inputs:
jdkversion: 'JAVA_HOME_11_X64'
displayName: 'SonarCloud Analyze'
- task: SonarCloudPublish@1
inputs:
pollingTimeoutSec: '300'
displayName: 'SonarCloud Publish'
Setting up this pipeline in Azure DevOps and running it once will already show some results for the main branch in SonarCloud.
Now I want to analyze a topic branch and make use of the pull request quality gates of SonarCloud. This requires me to set up some branch policies for the main branch.
Enabling Check for comment resolution will require any reviewer of the pull request to resolve the comments made by SonarCloud within the pull request. To enable pull request validation in SonarCloud a build validation for the pipeline has to be set up.
I select the sonarcloud-demo pipeline I created earlier, leave all settings to default and give it a nice display name.
Now everything is set up to create a branch, check in some code that does not pass the validation and push it to the repo. Afterwards I will create a pull request to see the quality gates failed. As we can see, SonarCloud did all the checks and not only we can see the quality gates are not passed but sonarcloud also created comments with necessary changes.
A click on Quality Gate Failed directly redirects to SonarCloud.
After running this once on a pull request, azure devops got the first analysis results and you can setup status checks. This will prevent the pull request from being merged as long as the quality gates are failed. To do so switch again to the the branch policy settings for your default branch.
Select the status check and either give custom Genre and Name or stay with the defaults. Click save.
Note: The pipeline has to run at least once for a pull request, before the corresponding status checks will appear in the Dropdown list.
That’s it! We successfully integrated SonarCloud code quality checks with Azure DevOps pipelines and pull requests and prevent pull request from being merged before the quality gates are passed and detected issues are resolved.
Links
Sonarcloud Project: https://sonarcloud.io/project/configuration/AzurePipe?id=mboden_sonarcloud-demo
Azure DevOps Project: https://dev.azure.com/mboden/sonarcloud-demo
Azure DevOps Pull Request: https://dev.azure.com/mboden/sonarcloud-demo/_git/sonarcloud-demo/pullrequest/2
About the author
writeabout.net 
Is there a way to fail build pipeline if the Sonar cloud quality gate fails?
There are also extensions that might achieve what you want, for example the SonarCloud build breaker (see https://marketplace.visualstudio.com/items?itemName=SimondeLang.sonarcloud-buildbreaker). But as Michael mentioned, best practice would be the approach using the status checks.
I think the better way is to add the Quality Gate as a required Status Check to the branch policy like explained in the post. You could fail the pipeline using the API (see https://writeabout.net/2018/09/25/fail-your-azure-devops-pipeline-if-sonarqube-quality-gate-fails/) – but I think the better approach is pull request decoration and policies.
Hi Michael/Marius,
Thanks for the response.
The issue I am facing is I have added sonar cloud analysis as build validation for pull requests and added Quality Gate as a required Status Check in branch policies. But When I run the build validation here quality gate is passing. When I run the build pipeline after merging the changes to the main branch, the quality gate is failing.
Thanks for this update. Did you, by chance, found out how to show a different name for the PR decoration feedback than your own name?
I would prefer it to be “Sonarcloud” instead of my name, to see the difference with my personal comments.
Hi Frankwin,
in this case you just need to replace your personal Azure DevOps PAT in SonarCloud with the one of a technical user.
As the docs state:
“We strongly encourage you to add a technical user to your organization, log in to SonarCloud using that technical user, and use the access token of that technical user to connect your Azure DevOps organization to SonarCloud.”
See the microsoft docs (https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-2) on how to create a service principal with username and password. This service principal has to be added to your organizations for sonarcloud and Azure DevOps. Afterwards you can login as the technical user and create PATs for SonarCloud and azure DevOps for that user.