SonarQube Application Guide
SonarQube is an open-source platform for continuous code quality and security inspection, detecting bugs, vulnerabilities, and code smells across 30+ programming languages.
Status: Plugin Example (Community Contribution)
Note: SonarQube is implemented as a plugin example in cfc-testing to demonstrate the ApplicationSpec plugin system. It serves as a template for creating custom application plugins.
Quick Reference
| Property | Value |
|---|---|
| Application ID | sonarqube |
| Category | Code Quality |
| Default Image | sonarqube:lts-community |
| Application Port | 9000 |
| Default CPU | 2048 (Fargate) |
| Default Memory | 4096 MB (Fargate) |
| Default Instance | t3.medium (EC2) |
| Health Check Path | /api/system/health |
| Health Check Grace | 300 seconds |
| Supports Fargate | Yes |
| Supports EC2 | Yes |
| OIDC Support | No (Community Edition) |
| Database Required | No (embedded H2; evaluation only, not supported for production) |
Note: /api/system/health requires the Administer System permission or the X-Sonar-Passcode header, so an unauthenticated load-balancer probe receives HTTP 403. If the target group expects a 200, point the check at /api/system/status instead, which is unauthenticated and reports "status":"UP" once the server is ready. The lts-community tag moves with each LTS patch release; pin the image digest if deployments need to be reproducible and reviewable.
Editions
Important: Unlike Mattermost and Metabase, SonarQube editions are separate products:
| Edition | License | OIDC/SAML | Features |
|---|---|---|---|
| Community | Free | No | Basic analysis, 15+ languages |
| Developer | Paid | Yes | Branch analysis, PR decoration |
| Enterprise | Paid | Yes | Portfolio management, security reports |
| Data Center | Paid | Yes | High availability, horizontal scaling |
CloudForge deploys Community Edition by default. Enterprise features require purchasing and deploying a different image.
Capabilities
- Static code analysis
- Security vulnerability detection (OWASP Top 10, CWE)
- Code smell detection
- Technical debt tracking
- Quality gates
- Multi-language support (30+ languages)
- CI/CD integration
- IDE integration (SonarLint)
- Quality profiles
- Custom rules
Optional Ports
SonarQube does not have optional ports. All traffic flows through port 9000.
Authentication
Supported Auth Modes
| Mode | Status | Description |
|---|---|---|
| alb-oidc | Available | Authentication at the load balancer (Cognito) before traffic reaches SonarQube |
| none | Available | Local SonarQube accounts only |
Note: Native OIDC/SAML requires Developer Edition or higher. alb-oidc is a perimeter gate: SonarQube behind it still only knows its local accounts, so users need a SonarQube account in addition to their Cognito login. The gate also applies to non-browser clients: a scanner calling /api/* with a token cannot complete the OIDC redirect, so CI/CD analysis against an alb-oidc deployment needs a listener rule that exempts the API paths the scanner uses. Confirm that such a rule exists before wiring pipelines to a production deployment.
Environment Variables
| Variable | Description | Example |
|---|---|---|
| SONAR_WEB_CONTEXT | Context path | / |
| SONAR_WEB_HOST | Bind address | 0.0.0.0 |
| SONAR_WEB_PORT | Application port | 9000 |
| SONAR_WEB_PUBLIC_URL | External URL | https://sonar.example.com |
| SONAR_WEB_JAVAADDITIONALOPTS | Web JVM options | -XX:+UseG1GC -Xmx2g |
| SONAR_CE_JAVAADDITIONALOPTS | Compute Engine JVM options | -XX:+UseG1GC -Xmx1g |
The web and Compute Engine -Xmx values plus the embedded Elasticsearch heap must fit inside the task or instance memory (4096 MB by default) with headroom for the OS; raise them together with the memory setting, not separately.
System Requirements
SonarQube's embedded Elasticsearch needs the following kernel and ulimit settings; the server itself needs Java 17+:
| Requirement | Value |
|---|---|
| vm.max_map_count | 262144 |
| nofile limit | 65536 |
| nproc limit | 4096 |
| Java | 17+ |
CloudForge configures the kernel and ulimit values automatically for EC2 deployments. Fargate tasks cannot raise vm.max_map_count from the task definition (it is not a namespaced sysctl), so verify that a Fargate deployment reaches status UP before relying on it, and read es.log first when it does not: a failed Elasticsearch bootstrap check on this limit is reported there.
Storage Configuration
Container (Fargate)
| Property | Value |
|---|---|
| Data Path | /opt/sonarqube/data |
| EFS Path | /sonarqube |
| Volume Name | sonarqubeData |
| Container User | 1000:1000 |
| EFS Permissions | 755 |
The /sonarqube directory on EFS must be owned by 1000:1000: a root-owned 755 directory is readable but not writable by the container user, and SonarQube fails at startup when it cannot write its data directory. An EFS access point with that POSIX user and group, or a one-off chown from a helper task, satisfies this.
EC2
| Property | Value |
|---|---|
| EBS Device | /dev/xvdh |
| Data Path | /opt/sonarqube/data |
| Log Paths | /opt/sonarqube/logs/sonar.log, /opt/sonarqube/logs/web.log, /opt/sonarqube/logs/ce.log |
Deployment Context Examples
Development
```json
{
  "stackName": "SonarQube-Dev",
  "applicationId": "sonarqube",
  "applicationName": "SonarQube Dev",
  "description": "SonarQube code quality server",
  "environment": "development",
  "runtime": "fargate",
  "securityProfile": "dev",
  "topology": "application-service",
  "networkMode": "public-no-nat",
  "region": "us-east-1",
  "authMode": "none",
  "cpu": 2048,
  "memory": 4096,
  "enableMonitoring": true,
  "logRetentionDays": "7"
}
```
Cost estimate: ~$60/month. With "authMode": "none" on "public-no-nat", the default admin/admin login is reachable from the internet until it is changed (see Post-Deployment Tasks), so use this context for short-lived testing only.
Production - With ALB Authentication
```json
{
  "stackName": "SonarQube-Production",
  "applicationId": "sonarqube",
  "applicationName": "SonarQube",
  "description": "Production code quality server",
  "environment": "production",
  "runtime": "ec2",
  "securityProfile": "production",
  "topology": "application-service",
  "domain": "example.com",
  "subdomain": "sonar",
  "enableSsl": true,
  "networkMode": "private-with-nat",
  "region": "us-east-1",
  "authMode": "alb-oidc",
  "cognitoAutoProvision": true,
  "cognitoDomainPrefix": "sonarqube-prod-yourcompany",
  "cognitoMfaEnabled": true,
  "cognitoMfaMethod": "totp",
  "instanceType": "t3.medium",
  "minInstanceCapacity": 1,
  "maxInstanceCapacity": 2,
  "complianceFrameworks": "SOC2",
  "scopeConfigRulesToDeployment": false,
  "awsConfigEnabled": true,
  "guardDutyEnabled": true,
  "wafEnabled": true,
  "albAccessLogging": true,
  "enableMonitoring": true,
  "enableEncryption": true,
  "logRetentionDays": "730",
  "retainStorage": true
}
```
Cost estimate: ~$250/month
Production - With External Database
For data durability and in-place upgrades, use PostgreSQL on RDS instead of embedded H2 (H2 is for evaluation only and cannot be upgraded). Community Edition still runs one application node: Multi-AZ RDS gives database failover, but application-tier scale-out (several nodes sharing one database) requires Data Center Edition, so keep the instance capacity at 1 and leave auto scaling off:
```json
{
  "stackName": "SonarQube-HA",
  "applicationId": "sonarqube",
  "applicationName": "SonarQube HA",
  "description": "High availability SonarQube",
  "environment": "production",
  "runtime": "ec2",
  "securityProfile": "production",
  "topology": "application-service",
  "domain": "example.com",
  "subdomain": "sonar",
  "enableSsl": true,
  "networkMode": "private-with-nat",
  "region": "us-east-1",
  "authMode": "alb-oidc",
  "cognitoAutoProvision": true,
  "cognitoDomainPrefix": "sonarqube-ha-yourcompany",
  "cognitoMfaEnabled": true,
  "instanceType": "t3.large",
  "minInstanceCapacity": 1,
  "maxInstanceCapacity": 1,
  "enableAutoScaling": false,
  "provisionDatabase": true,
  "databaseEngine": "postgres",
  "databaseVersion": "15",
  "databaseInstanceClass": "db.t3.medium",
  "databaseAllocatedStorageGB": 50,
  "databaseMultiAz": true,
  "databaseName": "sonarqube",
  "databaseBackupRetentionDays": 30,
  "complianceFrameworks": "SOC2",
  "awsConfigEnabled": true,
  "guardDutyEnabled": true,
  "wafEnabled": true,
  "enableMonitoring": true,
  "enableEncryption": true,
  "logRetentionDays": "730",
  "retainStorage": true
}
```
Note: SonarQube reads the connection from sonar.properties (sonar.jdbc.url, sonar.jdbc.username, sonar.jdbc.password) or, on the official image, from SONAR_JDBC_URL, SONAR_JDBC_USERNAME and SONAR_JDBC_PASSWORD. The URL for the RDS instance above has the form jdbc:postgresql://<rds-endpoint>:5432/sonarqube. Inject the password from Secrets Manager at launch; do not bake it into the deployment context, an AMI or the task definition.
Cost estimate: ~$400/month
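The three contexts above differ in exactly the settings that decide whether a deployment is safe: who can reach admin/admin, whether ALB authentication has an HTTPS listener to run on, whether Community Edition is being asked to run more than one node, and whether production data lives in evaluation-only H2. The following pre-deployment lint is an added example, not CloudForge's own validation; it uses the context keys shown on this page, and the `image` override key and the rules themselves are assumptions about what a safe context looks like rather than the project's schema.

```python
from __future__ import annotations

import json
from typing import Any

# The image this guide deploys by default; Community Edition runs a single application node.
COMMUNITY_IMAGES = ("sonarqube:lts-community", "sonarqube:community")


def _on(ctx: dict[str, Any], key: str) -> bool:
    return bool(ctx.get(key, False))


def lint_context(ctx: dict[str, Any]) -> list[str]:
    """Return ERROR/WARN findings for one deployment context; an empty list means clean."""
    findings: list[str] = []
    env = ctx.get("environment", "development")
    auth = ctx.get("authMode", "none")
    # "image" is an assumed override key; the guide's default image is used when it is absent.
    community = ctx.get("image", COMMUNITY_IMAGES[0]) in COMMUNITY_IMAGES

    # ALB OIDC authentication exists only on an HTTPS listener, and Cognito needs a hostname to redirect to.
    if auth == "alb-oidc" and not (_on(ctx, "enableSsl") and ctx.get("domain")):
        findings.append("ERROR: authMode alb-oidc requires enableSsl=true and a domain")

    # No authentication on a public subnet: admin/admin is reachable from the internet until changed.
    if auth == "none" and ctx.get("networkMode") == "public-no-nat":
        findings.append("WARN: authMode none on public-no-nat exposes the default admin/admin login")

    if env == "production" and auth == "none":
        findings.append("ERROR: production deployments must not use authMode none")

    # Several concurrent application nodes need Data Center Edition (see the Editions table).
    if community and (int(ctx.get("minInstanceCapacity", 1)) > 1 or _on(ctx, "enableAutoScaling")):
        findings.append("ERROR: Community Edition runs one application node; scale-out needs Data Center Edition")

    # Embedded H2 is evaluation-only and cannot be upgraded in place.
    if env == "production" and not _on(ctx, "provisionDatabase"):
        findings.append("WARN: no provisionDatabase; embedded H2 is for evaluation only")

    if env == "production" and not _on(ctx, "enableEncryption"):
        findings.append("ERROR: production deployments must set enableEncryption=true")

    # The page writes retention as a string ("730"); accept either form, reject anything else.
    try:
        if int(ctx.get("logRetentionDays", 7)) < 1:
            raise ValueError
    except (TypeError, ValueError):
        findings.append("ERROR: logRetentionDays must be a positive integer")
    return findings


def lint_file(path: str) -> list[str]:
    """Lint a deployment context JSON file from disk."""
    with open(path, encoding="utf-8") as fh:
        return lint_context(json.load(fh))


# Constructed sample: a context that asks Community Edition for two auto-scaled nodes.
SAMPLE_SCALED_OUT = {
    "environment": "production", "runtime": "ec2", "authMode": "alb-oidc",
    "domain": "example.com", "enableSsl": True, "networkMode": "private-with-nat",
    "minInstanceCapacity": 2, "maxInstanceCapacity": 4, "enableAutoScaling": True,
    "provisionDatabase": True, "enableEncryption": True, "logRetentionDays": "730",
}

if __name__ == "__main__":
    import sys
    problems = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_context(SAMPLE_SCALED_OUT)
    for line in problems:
        print(line)
    sys.exit(1 if any(p.startswith("ERROR") for p in problems) else 0)
```

Run it as `python lint_context.py SonarQube-Production.json` in the pipeline that applies contexts; a non-zero exit on any ERROR keeps an unauthenticated or scaled-out Community deployment from reaching production.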
Plugin Development Reference
SonarQube in CloudForge demonstrates the ApplicationSpec plugin pattern:
```java
@ApplicationPlugin(
    value = "sonarqube",
    category = "code-quality",
    displayName = "SonarQube",
    description = "Continuous code quality inspection",
    defaultCpu = 2048,
    defaultMemory = 4096,
    defaultInstanceType = "t3.medium",
    supportsFargate = true,
    supportsEc2 = true,
    supportsOidc = false // Community Edition
)
public class SonarQubeApplicationSpec implements ApplicationSpec {
    // Implementation
}
```
Location: cfc-testing/src/main/java/com/cloudforgeci/samples/plugins/application/
Post-Deployment Tasks
1. Initial Login
- Navigate to https://sonar.your-domain.com
- Default credentials: admin/admin
- Change the password immediately; until then anyone who can reach port 9000 or the ALB can log in as the system administrator
2. Create Quality Profiles
- Quality Profiles > Create
- Select language
- Activate rules based on standards
3. Create Quality Gates
- Quality Gates > Create
- Set conditions (coverage, duplications, etc.)
- Assign to projects
4. Generate Tokens
For CI/CD integration:
- My Account > Security
- Generate Tokens: prefer a Project Analysis Token scoped to the project being built, with an expiration date, over a User Token that carries the user's full permissions
- Store the token in the CI system's secret store and pass it to the scanner from an environment variable; it grants write access to analysis results, so treat it like a password and revoke it from the same page if it leaks
5. Configure Project Analysis
Pass the token from an environment variable rather than as a literal, so it does not end up in shell history, pipeline definitions or the repository. Maven:
```shell
mvn sonar:sonar \
  -Dsonar.host.url=https://sonar.example.com \
  -Dsonar.token="$SONAR_TOKEN"
```
Gradle:
```shell
./gradlew sonarqube \
  -Dsonar.host.url=https://sonar.example.com \
  -Dsonar.token="$SONAR_TOKEN"
```
Troubleshooting
SonarQube won't start
Check the Elasticsearch requirements and the server's own status endpoint:
```shell
# Verify vm.max_map_count (should print 262144 or more)
sysctl vm.max_map_count
# Check the server log, then the Elasticsearch log, which reports failed bootstrap checks
tail -f /opt/sonarqube/logs/sonar.log
tail -f /opt/sonarqube/logs/es.log
# Unauthenticated status: STARTING, UP, DOWN or DB_MIGRATION_NEEDED
curl -s http://localhost:9000/api/system/status
```
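The same checks as a script, so they can run from a bootstrap hook or a monitoring job: compare the live kernel and ulimit values with the thresholds in the System Requirements table, read the unauthenticated status endpoint, and read the health endpoint with the passcode it requires. This is an added example, not part of this page or of SonarQube; the sample responses are constructed in the shape the endpoints return, and the `X-Sonar-Passcode` value is assumed to be whatever sonar.web.systemPasscode was set to on the server.

```python
from __future__ import annotations

import json
import resource
import urllib.request

# Minimum values from the System Requirements table.
REQUIRED_MAX_MAP_COUNT = 262144
REQUIRED_NOFILE = 65536
REQUIRED_NPROC = 4096


def check_limits(max_map_count: int, nofile: int, nproc: int) -> list[str]:
    """Compare observed limits with the thresholds; a negative rlimit means unlimited (RLIM_INFINITY)."""
    problems: list[str] = []
    if max_map_count < REQUIRED_MAX_MAP_COUNT:
        problems.append(f"vm.max_map_count={max_map_count}, need {REQUIRED_MAX_MAP_COUNT}")
    if 0 <= nofile < REQUIRED_NOFILE:
        problems.append(f"nofile={nofile}, need {REQUIRED_NOFILE}")
    if 0 <= nproc < REQUIRED_NPROC:
        problems.append(f"nproc={nproc}, need {REQUIRED_NPROC}")
    return problems


def read_host_limits() -> dict[str, int]:
    """Read the live values on a Linux host (what a SonarQube process started here would inherit)."""
    with open("/proc/sys/vm/max_map_count", encoding="ascii") as fh:
        max_map_count = int(fh.read().strip())
    return {
        "max_map_count": max_map_count,
        "nofile": resource.getrlimit(resource.RLIMIT_NOFILE)[0],  # soft limit
        "nproc": resource.getrlimit(resource.RLIMIT_NPROC)[0],
    }


def parse_status(body: str) -> str:
    """api/system/status is unauthenticated: STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, ..."""
    return json.loads(body).get("status", "UNKNOWN")


def parse_health(body: str) -> tuple[str, list[str]]:
    """api/system/health returns GREEN, YELLOW or RED plus a list of causes."""
    data = json.loads(body)
    return data.get("health", "UNKNOWN"), [c.get("message", "") for c in data.get("causes", [])]


def fetch_status(base_url: str) -> str:
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/api/system/status", timeout=10) as resp:
        return parse_status(resp.read().decode())


def fetch_health(base_url: str, passcode: str) -> tuple[str, list[str]]:
    # health needs Administer System or the passcode configured as sonar.web.systemPasscode.
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/system/health", headers={"X-Sonar-Passcode": passcode}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_health(resp.read().decode())


# Constructed sample responses in the shape of the real endpoints (values are illustrative).
SAMPLE_STATUS = '{"id":"20240101","version":"9.9.4.87374","status":"UP"}'
SAMPLE_HEALTH = '{"health":"RED","causes":[{"message":"Elasticsearch status is RED"}]}'

if __name__ == "__main__":
    import sys
    limits = read_host_limits()
    for problem in check_limits(limits["max_map_count"], limits["nofile"], limits["nproc"]):
        print("limit too low:", problem)
    if len(sys.argv) > 1:
        print("status:", fetch_status(sys.argv[1]))
```

On a Fargate task the limit check is still informative but not actionable, since vm.max_map_count cannot be raised from the task definition; there, the status endpoint and es.log are what to look at.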
Out of memory
Raise the memory and the JVM heaps together: a bigger task with the same -Xmx values changes nothing, and -Xmx values in SONAR_WEB_JAVAADDITIONALOPTS and SONAR_CE_JAVAADDITIONALOPTS that add up to more than the task memory get the container OOM-killed instead. For Fargate:
```json
{
  "cpu": 4096,
  "memory": 8192
}
```
Or for EC2:
```json
{
  "instanceType": "t3.large"
}
```
Analysis taking too long
- Check Compute Engine logs (/opt/sonarqube/logs/ce.log)
- Increasing the number of Compute Engine workers is not available in Community Edition, which processes one background task at a time; long queues there mean a larger instance or a smaller analysis scope
- Consider a dedicated database: embedded H2 on the same host competes with the Compute Engine for CPU and disk