Use SonarQube for Code Inspection


I am a Software Developer, mainly involved in Software Development of JAVA-enabled web applications.

SonarQube is a great code inspection tool for code quality and code security. It provides a Docker image for easy setup of the server, and a Maven plugin for code inspection.

Install and Setup SonarQube

  1. Install SonarQube from the Docker image.

     docker run -d --name sonarqube \
     -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
     -p 9000:9000 sonarqube:latest
    
    • To restart:
    docker restart sonarqube
  2. Once the instance is up and running, log in to http://localhost:9000 using System Administrator credentials:

     login: admin
     password: admin
    
    • Change the password on first login, as requested.
  3. Generate a token.

    i. From the menu at top right corner, click "My Account".

    SonarQube-MyAccount.png

    ii. Select the "Security" tab.

    SonarQube-GenerateToken.png

    iii. In the "Tokens" section, enter Token Name and click the "Generate" button.

    SonarQube-TokenGenerated.png

Run code inspection using Maven plugin

  1. Add the Maven plugin to pom.xml.

     <build>
         <pluginManagement>
             <plugins>
                 <plugin>
                     <groupId>org.sonarsource.scanner.maven</groupId>
                     <artifactId>sonar-maven-plugin</artifactId>
                     <version>3.9.1.2184</version>
                 </plugin>
             </plugins>
         </pluginManagement>
     </build>
    
  2. Run analysis using the following command:

     export PROJECT_KEY=hello-world
     export SONAR_URL=http://localhost:9000
     export SONAR_TOKEN=74747088e1eb4cb74efd2495f351b5125214b74e
    
     mvn clean verify sonar:sonar \
         -Dsonar.projectKey=$PROJECT_KEY \
         -Dsonar.host.url=$SONAR_URL \
         -Dsonar.login=$SONAR_TOKEN
    
  3. Check the result via the admin console.

    SonarQubeResults.png
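
Step 3 can also be checked from the command line. The following is an added example, not part of the original post: it asks SonarQube's Web API for the project's quality gate status, reusing the variables exported in step 2. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the analysis result from
# SonarQube's Web API instead of the web console.
# SONAR_URL, SONAR_TOKEN and PROJECT_KEY are the variables exported in step 2.

# Pull projectStatus.status out of an api/qualitygates/project_status response.
# Assumes "status" is the first key of projectStatus; prints nothing if the
# field is absent (for example when the body is an error message).
gate_status() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"projectStatus"[[:space:]]*:[[:space:]]*{[[:space:]]*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Fetch the quality gate for the project. The token (user name, empty password)
# is handed to curl as a config on stdin so it stays out of the process list.
fetch_gate() {
  printf 'user = "%s:"\n' "$SONAR_TOKEN" |
    curl --silent --show-error --fail --config - --get \
      --data-urlencode "projectKey=$PROJECT_KEY" \
      "$SONAR_URL/api/qualitygates/project_status"
}

# Map a gate status to an exit code a CI job can act on:
# 0 = passed, 1 = failed, 2 = no usable answer (auth error, unknown project).
gate_exit_code() {
  case "$1" in
    OK)    return 0 ;;
    ERROR) return 1 ;;
    *)     return 2 ;;
  esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_PASS='{"projectStatus":{"status":"OK","conditions":[]}}'
SAMPLE_FAIL='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_coverage"}]}}'
SAMPLE_DENIED='{"errors":[{"msg":"Insufficient privileges"}]}'

# Usage: sh check_gate.sh run   (after the mvn command in step 2 has finished)
if [ "${1:-}" = "run" ]; then
  body=$(fetch_gate) || { echo "request failed" >&2; exit 2; }
  status=$(gate_status "$body")
  echo "Quality gate for $PROJECT_KEY: ${status:-unknown}"
  gate_exit_code "$status"
fi
```

The server processes an analysis report in a background task, so the status may lag briefly behind the end of the mvn run.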

Ada's Programming Notebook
I am a software developer based in Manchester, United Kingdom. Recently, I'm interested in Cloud Computing. I study writing Java SpringBoot and Node.js applications in AWS and Google Cloud.