# Scanning a Spring Boot Project

## About

This section explains **how a Spring Boot project is actually scanned by SonarQube**, what SonarQube expects from the build, and how analysis results flow into the dashboard and Quality Gates.

Before scanning, the following must already be true:

* Spring Boot project builds successfully
* Java version supported by SonarQube
* Tests can run (even if minimal)
* SonarQube server is reachable
* Authentication token is available

SonarQube **assumes a healthy build**.\
If the build is broken, analysis quality is undefined.

### How SonarQube Fits into the Spring Boot Build

SonarQube analysis runs **after compilation**, not before.

Typical Spring Boot flow:

```
Source Code
   ↓
mvn compile
   ↓
mvn test (JaCoCo generates coverage)
   ↓
sonar:sonar
   ↓
SonarQube Dashboard + Quality Gate
```

SonarQube does **not**:

* Start Spring context
* Load application properties
* Execute controllers or services

It analyzes **code artifacts**, not runtime behavior.

## Option 1: Local SonarQube Using Docker + Maven Sonar Plugin

*(Most common for learning, PoC, and early team setup)*

This option is ideal when:

* You want a self-contained setup
* You are evaluating SonarQube
* You want to scan locally before CI integration
* You want zero infrastructure dependency

This mirrors production behavior without CI complexity.

{% hint style="warning" %}

* SonarQube runs as a Docker container
* Database runs as a Docker container
* Spring Boot project runs locally
* Maven triggers analysis using the Sonar plugin
{% endhint %}

### Step-wise Process

#### Step 1: Run SonarQube Using Docker

A minimal Docker setup consists of:

* SonarQube server
* PostgreSQL database
* Persistent volumes

Typical responsibilities:

* Docker handles runtime
* SonarQube handles analysis & UI
* PostgreSQL stores history and metrics

This setup is **stateful** and should not be recreated every run.

#### Step 2: Access SonarQube UI

Once started:

* SonarQube UI is available on `http://localhost:9000`
* Default admin credentials are used initially
* A project key and token are generated

At this point, SonarQube is **ready to receive analysis reports**, but nothing has been scanned yet.

#### Step 3: Configure Spring Boot Project for Analysis

The Spring Boot project must:

* Compile successfully
* Produce bytecode
* Produce test and coverage reports

This is **non-negotiable for Java analysis**.

SonarQube does not analyze:

* Uncompiled code effectively (Java analysis relies on the compiled bytecode being present)
* Runtime behavior
* Spring context wiring

#### Step 4: Use Maven Sonar Plugin to Trigger Scan

The **Maven Sonar plugin** acts as the bridge between:

* Your build
* SonarQube server

Key characteristics:

* Runs after compilation and tests
* Collects source + bytecode + reports
* Uploads analysis results to SonarQube

Typical flow:

```
mvn clean verify
mvn sonar:sonar
```

Or combined:

```
mvn clean verify sonar:sonar
```

This is the **authoritative scan**, identical in behavior to CI scans.

#### Step 5: Authentication and Project Binding

During scan:

* Project key identifies the service
* Token authenticates the scanner
* SonarQube binds results to the project

After completion:

* Issues appear in the UI
* Ratings are calculated
* Quality Gate is evaluated
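A post-scan check for the binding and Quality Gate steps above, as an added example that is not code from this page or from SonarQube itself: it reads the `report-task.txt` file the scanner writes under `target/sonar`, polls the `ceTaskUrl` until the server-side task finishes, then asks the `project_status` endpoint whether the gate passed. The script name, the `SONAR_TOKEN` environment variable it reads and the default report path are this example's own assumptions; the file keys and endpoints are SonarQube's public Web API.

```python
import base64, json, os, sys, time, urllib.request

def parse_report_task(text):
    """Parse target/sonar/report-task.txt, the key=value file the scanner writes after uploading."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def evaluate_gate(status):
    """Reduce an api/qualitygates/project_status response to (passed, failing metric keys)."""
    project = status["projectStatus"]
    failed = [c["metricKey"] for c in project.get("conditions", []) if c.get("status") == "ERROR"]
    return project.get("status") == "OK", failed

def api_get(url, token):
    """GET a Web API URL; the token is sent as the Basic-auth user name with an empty password."""
    request = urllib.request.Request(url)
    request.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)

def wait_for_task(task_url, token, timeout=300, poll=5):
    """Poll the Compute Engine task (ceTaskUrl) until it reaches a terminal state."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        task = api_get(task_url, token)["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        time.sleep(poll)
    raise TimeoutError("SonarQube background task did not finish in time")

def main(report_path="target/sonar/report-task.txt"):
    # Assumed env var for this script: read the token from the environment, never hard-code it in pom.xml
    token = os.environ["SONAR_TOKEN"]
    with open(report_path, encoding="utf-8") as fh:
        report = parse_report_task(fh.read())
    task = wait_for_task(report["ceTaskUrl"], token)
    if task["status"] != "SUCCESS":
        sys.exit(f"analysis task ended with status {task['status']}")
    url = f"{report['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}"
    passed, failed = evaluate_gate(api_get(url, token))
    print(f"Quality Gate {'passed' if passed else 'FAILED'}: {report['dashboardUrl']}")
    sys.exit(0 if passed else "failing conditions: " + ", ".join(failed))

if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run it right after `mvn sonar:sonar` from the project root; a non-zero exit makes a red gate fail the local run the same way it would fail CI.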

### Script

{% file src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2F4LLmtkMsZN3xAs0aw0GK%2Fscript-to-run-local-sonar-analysis.sh?alt=media&token=92451ddc-d1a0-41e4-b536-19d4641065ec" %}

{% hint style="info" %}
The script pulls the required Docker images and starts the SonarQube server. Ensure Docker is already set up.
{% endhint %}

### Example

Use the sample Java project, which already has the required plugins configured.

{% file src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FiNJvKu9pBsHmuL8WPBHD%2Fspringboot-sonar-demo.zip?alt=media&token=a6676d70-7945-4793-b6dc-c486de0ee4ff" %}

Execute the script using the command below, passing the path of the Spring Boot project as the argument:

{% code overflow="wrap" %}

```
./script-to-run-local-sonar-analysis.sh /Users/pranayp/Documents/Project/codebase/sonar/springboot-sonar-demo
```

{% endcode %}

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2F6PYJxlfU1XRGy5mUk1Oa%2Fimage.png?alt=media&#x26;token=a43ff18c-c012-457c-8643-9dea34eded27" alt=""><figcaption></figcaption></figure>

Open the SonarQube console at <http://localhost:9000> with the default credentials admin/admin. Change this default password on first login, and give the scanner its own token rather than the admin password.

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FE7NTSo6063JK75c3vIIW%2Fimage.png?alt=media&#x26;token=31df4e4f-5412-4b13-a06a-a94b28c125b2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FhAZIyB6EBJrrHC0qxwXn%2Fimage.png?alt=media&#x26;token=5cad0ac4-98e9-42dd-9a59-a14f6d23bad2" alt=""><figcaption></figcaption></figure>

Once done, use the command below to stop the containers:

```
./script-to-run-local-sonar-analysis.sh --clean
```

## Option 2: Real-Time Analysis in IntelliJ Using SonarQube for IDE

This option lets developers get **real-time analysis** inside IntelliJ using the **same rules as the SonarQube server**, ensuring consistency and preventing CI failures before they happen. This is the most common developer workflow in real teams.

### Install SonarQube for IDE in IntelliJ

Path:

**IntelliJ → Settings → Plugins → Marketplace → “SonarQube”**

Install:

* “**SonarQube for IDE**”\
  (formerly called **SonarLint**)

Restart IntelliJ afterwards.

### Connect IntelliJ to the SonarQube Server

*(Most important step — enables rule sync)*

#### Steps:

1. IntelliJ Sidebar → **SonarQube** Tool Window
2. Click **“Bind Project to SonarQube”**
3. Add server connection
   * Name: Internal SonarQube
   * URL: `http://localhost:9000` (or company server)
   * Token: Personal access token from SonarQube
4. Select your project key
5. Connection established

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2F3R9CXohxd2NaJ6gjWVSV%2Fimage.png?alt=media&#x26;token=7a6fe634-4f87-441e-8993-64a12889b7be" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FYzwdD0FOVAvY48DWoMg0%2Fimage.png?alt=media&#x26;token=e8800117-75ea-408c-a637-80d9a55b6132" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FEtXKtOzPuIdkYpjGWKv7%2Fimage.png?alt=media&#x26;token=9ba50168-dbd0-4b87-8342-5678ef217954" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FPFebFsmlrRkM4xFUhkNB%2Fimage.png?alt=media&#x26;token=f0adeddd-4c19-47a7-9b37-ace014c72209" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2FQqvUfEgoUwm48u3tY72b%2Fimage.png?alt=media&#x26;token=5ac2b1c5-b37b-4fe1-a741-799037902054" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2F03CFsN34DgNfiam5Jgrt%2Fimage.png?alt=media&#x26;token=85c376f7-a21c-47b2-aa80-184e96cebbc6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2Ftqd24cBzGXoQq9wAWJ0o%2Fimage.png?alt=media&#x26;token=6bfcb66e-2393-4cef-8df6-b14849dcccb8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3632859567-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPd6ktrA5pPLsZJktj2fm%2Fuploads%2Fbuz4VfV9Nn2wBbcY9UpY%2Fimage.png?alt=media&#x26;token=867030bc-c3c6-4af3-affb-ac5d1ae82c54" alt=""><figcaption></figcaption></figure>
