Analyse Your Source with Sonarqube in 5 minutes


To quickly set up Sonarqube and run a scan on your Java code, do the following.

Start the Sonarqube server Docker container

$ docker run -ti sonarqube:lts

Get hold of the IP of the Sonarqube container

The container was started without publishing port 9000, so it is only reachable on its Docker bridge IP. Filter on the image so you only get the Sonarqube container back:

$ docker ps -q --filter ancestor=sonarqube:lts |
  xargs docker inspect --format='{{range $n, $c := .NetworkSettings.Networks}}{{$c.IPAddress}}{{end}}'
172.17.0.2

Run the Sonarqube scan on your source code

From the root of your Maven project, run the scanner. It analyses the code locally and uploads the results to the Sonarqube server running in the container:

$ mvn sonar:sonar -Dsonar.host.url=http://172.17.0.2:9000

Sonarqube needs a minute or two to start, so if the scanner cannot connect, wait until http://172.17.0.2:9000/api/system/status reports "status":"UP" and try again. Recent Sonarqube releases also refuse anonymous analyses by default; if that happens, generate a user token under My Account > Security in the web UI and pass it with -Dsonar.login=<token>.

Browse the Sonarqube results

Point your web browser at http://172.17.0.2:9000. The default administrator account is admin/admin; change that password on first login, even for a throw-away instance.

Persistent storage

If you want a multi-container setup with Sonarqube and Postgres, download the example docker-compose file from the Sonarqube Docker repository and run the commands below. The sysctl is needed because the Elasticsearch instance embedded in Sonarqube refuses to start with a lower vm.max_map_count:

$ sudo sysctl -w vm.max_map_count=262144
$ docker-compose up

The sysctl -w above only changes the running kernel. To make the setting survive a reboot, drop it in /etc/sysctl.d as root:

# cat > /etc/sysctl.d/99-sonarqube.conf <<EOF
# Needed by Sonarqube/Elasticsearch
vm.max_map_count=262144
EOF
# sysctl --system
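The steps above as one script, so the scan does not race the server start-up. This is an added example, not code from the original post: it checks vm.max_map_count before starting anything, runs the container detached (instead of -ti) under the assumed name "sonarqube", polls /api/system/status until it answers "UP", and then runs the Maven scanner against the project directory given as first argument. The SONAR_TOKEN variable is an assumption of this script; when set, the token is passed with -Dsonar.login.

```shell
#!/bin/sh
# sonar-scan.sh: start a throw-away Sonarqube container, wait until it is
# ready, then run mvn sonar:sonar on the project directory given as $1.
# Added example, not from the original post. Assumed names: container
# "sonarqube", optional SONAR_TOKEN holding a user token from the web UI.
set -e

SONAR_IMAGE=${SONAR_IMAGE:-sonarqube:lts}
SONAR_NAME=${SONAR_NAME:-sonarqube}
MIN_MAP_COUNT=262144

# Elasticsearch inside Sonarqube needs vm.max_map_count >= 262144.
# Returns 0 when the given value is high enough, 1 otherwise.
map_count_ok() {
    [ "$1" -ge "$MIN_MAP_COUNT" ]
}

# /api/system/status answers {"id":...,"version":...,"status":"UP"} once
# the server accepts analyses; STARTING, DB_MIGRATION_NEEDED or an empty
# reply (connection refused) all mean "not yet". Returns 0 only for UP.
is_up() {
    printf '%s' "$1" | grep -Eq '"status" *: *"UP"'
}

# Build the scanner properties for mvn sonar:sonar. The token, if any,
# goes in -Dsonar.login, which Sonarqube accepts for token authentication.
scanner_args() {
    host=$1
    token=${2:-}
    printf '%s' "-Dsonar.host.url=http://${host}:9000"
    if [ -n "$token" ]; then
        printf ' %s' "-Dsonar.login=${token}"
    fi
}

# Bridge IP of the container on whichever Docker network(s) it joined.
container_ip() {
    docker inspect --format \
        '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Poll the status endpoint every 5 s for up to $2 seconds (default 300).
wait_for_sonar() {
    url=$1
    deadline=$(( $(date +%s) + ${2:-300} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if is_up "$(curl -fsS "$url/api/system/status" 2>/dev/null || true)"; then
            return 0
        fi
        sleep 5
    done
    echo "Sonarqube at $url did not come up in time" >&2
    return 1
}

main() {
    project_dir=$1
    if ! map_count_ok "$(sysctl -n vm.max_map_count)"; then
        echo "vm.max_map_count too low; run: sudo sysctl -w vm.max_map_count=$MIN_MAP_COUNT" >&2
        exit 1
    fi
    # Detached rather than -ti so the scan can run from the same shell.
    docker run -d --name "$SONAR_NAME" "$SONAR_IMAGE" >/dev/null
    ip=$(container_ip "$SONAR_NAME")
    wait_for_sonar "http://${ip}:9000"
    # Unquoted on purpose: scanner_args yields separate -D words.
    (cd "$project_dir" && mvn sonar:sonar $(scanner_args "$ip" "${SONAR_TOKEN:-}"))
    echo "Results: http://${ip}:9000"
}

# Run only when a project directory is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Usage: sh sonar-scan.sh /path/to/your/maven/project, with SONAR_TOKEN=<token> in the environment if your Sonarqube rejects anonymous analyses. Remove the container afterwards with docker rm -f sonarqube; nothing is persisted in this single-container form, which is what the compose setup above is for.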

Closing words

The promise of doing all of this in 5 minutes depends on the speed of your network connection, your computer and, last but not least, the size of your Java project 😄

Happy security scanning!


Licensed under CC BY Creative Commons License ~ ✉ torstein.k.johansen @ gmail ~ 🐘 @skybert@hachyderm.io ~ 🐦 @torsteinkrause