Scanning a Spring Boot Project

About

This section explains how a Spring Boot project is actually scanned by SonarQube, what SonarQube expects from the build, and how analysis results flow into the dashboard and Quality Gates.

Before scanning, the following must already be true:

  • Spring Boot project builds successfully

  • Java version supported by SonarQube

  • Tests can run (even if minimal)

  • SonarQube server is reachable

  • Authentication token is available

SonarQube assumes a healthy build. If the build is broken, analysis quality is undefined.
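As an added pre-flight script (not from the original page), the following checks each item in the list above before a scan is attempted. The status and version parsers take text input so they can be exercised offline; the live checks run only when the script is invoked with `run`. Assumptions not stated on the page: the token is exported as SONAR_TOKEN, the server URL as SONAR_HOST_URL (default http://localhost:9000), the minimum Java major version as SONAR_MIN_JAVA (default 17; the supported range depends on the SonarQube release), and the `/api/system/status` endpoint returns a JSON body with a `status` field.

```shell
#!/bin/sh
# Added pre-scan check for the prerequisites listed above (not part of the original page).
# Assumptions (not from the page): token in SONAR_TOKEN, server in SONAR_HOST_URL,
# minimum Java major version in SONAR_MIN_JAVA, mvn/java/curl on PATH.

# Pull a string field out of a flat JSON body, e.g. the "status" of /api/system/status.
# Constructed sample input: '{"id":"x","version":"10.4","status":"UP"}'
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Major Java version from the first line of `java -version`.
# Handles both 'openjdk version "17.0.9"' and the legacy 'java version "1.8.0_392"'.
java_major_version() {
    printf '%s' "$1" \
        | sed -n 's/.*version "\([0-9][0-9]*\)\.\{0,1\}\([0-9]*\).*/\1 \2/p' \
        | awk '{ if ($1 == 1) print $2; else print $1 }'
}

# Return 0 when the Java major version in $1 is at least $2.
java_version_ok() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge "$2" ]
}

# Live checks: token present, Java new enough, server reachable and UP, tests pass.
precheck() {
    : "${SONAR_HOST_URL:=http://localhost:9000}"
    : "${SONAR_MIN_JAVA:=17}"
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    jv=$(java -version 2>&1 | head -n 1)
    java_version_ok "$jv" "$SONAR_MIN_JAVA" \
        || { echo "Java $SONAR_MIN_JAVA+ required, got: $jv" >&2; return 1; }
    body=$(curl -fsS "$SONAR_HOST_URL/api/system/status") \
        || { echo "SonarQube not reachable at $SONAR_HOST_URL" >&2; return 1; }
    [ "$(json_field "$body" status)" = "UP" ] \
        || { echo "SonarQube not UP yet: $body" >&2; return 1; }
    mvn -q test || { echo "build or tests failed; analysis quality would be undefined" >&2; return 1; }
    echo "all prerequisites satisfied"
}

case "${1:-}" in run) precheck ;; esac
```

Run it from the project root as `SONAR_TOKEN=... sh precheck.sh run`; every failure exits non-zero with the reason, so the same script can gate a CI job before the scan step.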

How SonarQube Fits into the Spring Boot Build?

SonarQube analysis runs after compilation, not before.

Typical Spring Boot flow:

Source Code → mvn compile → mvn test (JaCoCo generates coverage) → sonar:sonar → SonarQube Dashboard + Quality Gate

SonarQube does not:

  • Start Spring context

  • Load application properties

  • Execute controllers or services

It analyzes code artifacts, not runtime behavior.

Option 1: Local SonarQube Using Docker + Maven Sonar Plugin

(Most common for learning, PoC, and early team setup)

This option is ideal when:

  • You want a self-contained setup

  • You are evaluating SonarQube

  • You want to scan locally before CI integration

  • You want zero infrastructure dependency

This mirrors production behavior without CI complexity.

Step-wise Process

Step 1: Run SonarQube Using Docker

A minimal Docker setup consists of:

  • SonarQube server

  • PostgreSQL database

  • Persistent volumes

Typical responsibilities:

  • Docker handles runtime

  • SonarQube handles analysis & UI

  • PostgreSQL stores history and metrics

This setup is stateful and should not be recreated every run.

Step 2: Access SonarQube UI

Once started:

  • SonarQube UI is available on http://localhost:9000

  • Default admin credentials are used initially

  • A project key and token are generated

At this point, SonarQube is ready to receive analysis reports, but nothing has been scanned yet.

Step 3: Configure Spring Boot Project for Analysis

The Spring Boot project must:

  • Compile successfully

  • Produce bytecode

  • Produce test and coverage reports

This is non-negotiable for Java analysis.

SonarQube does not analyze:

  • Uncompiled code (Java analysis without bytecode is unreliable)

  • Runtime behavior

  • Spring context wiring

Step 4: Use Maven Sonar Plugin to Trigger Scan

The Maven Sonar plugin acts as the bridge between:

  • Your build

  • SonarQube server

Key characteristics:

  • Runs after compilation and tests

  • Collects source + bytecode + reports

  • Uploads analysis results to SonarQube

Typical flow:

Or combined:

This is the authoritative scan, identical in behavior to CI scans.

Step 5: Authentication and Project Binding

During scan:

  • Project key identifies the service

  • Token authenticates the scanner

  • SonarQube binds results to the project

After completion:

  • Issues appear in the UI

  • Ratings are calculated

  • Quality Gate is evaluated
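Steps 4 and 5 in working form, as an added example that is not the page's own code: the two Maven invocations (separate build then analysis, or combined), followed by the path a result takes after upload until the Quality Gate verdict is known. Assumptions not on the page: the pom already declares sonar-maven-plugin and jacoco-maven-plugin; the scanner reads the token from the SONAR_TOKEN environment variable (older scanner versions need `-Dsonar.token=...` instead, which is visible in process listings, so prefer the variable where supported); Maven writes `target/sonar/report-task.txt`; and the `/api/ce/task` and `/api/qualitygates/project_status` endpoints return the flat JSON fields parsed below. The report-task.txt and JSON samples used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): trigger the Maven scan, then follow the
# uploaded report through the Compute Engine task to the Quality Gate result.
# Assumptions (not from the page): sonar-maven-plugin in the pom, token in SONAR_TOKEN,
# report-task.txt at target/sonar/report-task.txt, curl on PATH.

# Two-step form: build + tests (JaCoCo report) first, analysis as a separate step.
sonar_scan_two_step() {   # $1 = project key, $2 = server URL
    mvn clean verify && mvn sonar:sonar "-Dsonar.projectKey=$1" "-Dsonar.host.url=$2"
}

# Combined form: same result in one Maven invocation.
sonar_scan_combined() {   # $1 = project key, $2 = server URL
    mvn clean verify sonar:sonar "-Dsonar.projectKey=$1" "-Dsonar.host.url=$2"
}

# Read one key from report-task.txt content ($1, key=value lines), key name in $2.
report_task_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Pull a string field out of a flat JSON body (greedy: last occurrence of the key).
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# The gate body nests per-condition "status" fields after the overall one, so cut the
# "conditions" array off before extracting; otherwise a greedy match returns a condition.
quality_gate_status() {
    head=$(printf '%s' "$1" | sed 's/"conditions".*//')
    json_field "$head" status
}

# Poll the CE task named in report-task.txt, then fetch the gate for that analysis.
# Returns 0 only when the Quality Gate is OK, so a wrapper can fail like CI would.
wait_for_quality_gate() {   # $1 = report-task.txt path (optional)
    report=$(cat "${1:-target/sonar/report-task.txt}")
    server=$(report_task_value "$report" serverUrl)
    task=$(report_task_value "$report" ceTaskId)
    i=0
    while [ "$i" -lt 60 ]; do
        body=$(curl -fsS -u "$SONAR_TOKEN:" "$server/api/ce/task?id=$task") || return 1
        case "$(json_field "$body" status)" in
            PENDING|IN_PROGRESS) i=$((i + 1)); sleep 5 ;;
            SUCCESS) analysis=$(json_field "$body" analysisId); break ;;
            *) echo "analysis task $task failed: $body" >&2; return 1 ;;
        esac
    done
    [ -n "${analysis:-}" ] || { echo "timed out waiting for task $task" >&2; return 1; }
    gate=$(curl -fsS -u "$SONAR_TOKEN:" \
        "$server/api/qualitygates/project_status?analysisId=$analysis") || return 1
    status=$(quality_gate_status "$gate")
    echo "Quality Gate: $status"
    [ "$status" = "OK" ]
}
```

Typical use is `sonar_scan_combined demo http://localhost:9000 && wait_for_quality_gate`; the token is sent as the basic-auth user name with an empty password, which is how SonarQube's web API accepts tokens. Scanners that support `-Dsonar.qualitygate.wait=true` can block inside the Maven run instead of polling afterwards.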

Script

The script pulls the required Docker images and runs the SonarQube server. Ensure Docker is already set up.

Example

Use the sample Java project that has the required plugins.

Execute the script using the command below, providing the path of the Spring Boot project.

Open the SonarQube console at http://localhost:9000 with the credentials admin/admin.

Once done, use the command below to stop the containers.
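The Docker setup of Step 1 (SonarQube server, PostgreSQL, persistent volumes) and the start/scan/stop script described in this section, written here as an added example rather than the page's own script. Assumptions not on the page: Docker Compose v2 (`docker compose`), the images sonarqube:community and postgres:15, the SONAR_JDBC_* and POSTGRES_* environment variables read by the official images, and a token exported as SONAR_TOKEN. The compose file is written once next to the script and reused, so the named volumes survive across runs as Step 1 requires.

```shell
#!/bin/sh
# Added example script (not the page's own): start SonarQube + PostgreSQL with Docker
# Compose, scan a Spring Boot project, stop the containers. Assumptions (not from the
# page): Docker Compose v2, sonarqube:community, postgres:15, token in SONAR_TOKEN.
COMPOSE_FILE_PATH="${COMPOSE_FILE_PATH:-./docker-compose.sonar.yml}"

# Write the compose file to $1. Port 9000 is bound to 127.0.0.1 so the PoC server
# is not exposed to the LAN; the fixed DB password is for this throwaway setup only.
write_compose_file() {
    cat > "$1" <<'EOF'
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    ports:
      - "127.0.0.1:9000:9000"
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
  db:
    image: postgres:15
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
      POSTGRES_DB: sonar
    volumes:
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql_data:
EOF
}

# Linux hosts: the embedded Elasticsearch refuses to start below this kernel setting.
max_map_count_ok() { [ "${1:-0}" -ge 262144 ]; }

sonar_up() {
    [ -f "$COMPOSE_FILE_PATH" ] || write_compose_file "$COMPOSE_FILE_PATH"
    if [ -r /proc/sys/vm/max_map_count ] \
        && ! max_map_count_ok "$(cat /proc/sys/vm/max_map_count)"; then
        echo "vm.max_map_count too low; run: sudo sysctl -w vm.max_map_count=262144" >&2
        return 1
    fi
    docker compose -f "$COMPOSE_FILE_PATH" pull
    docker compose -f "$COMPOSE_FILE_PATH" up -d
    echo "SonarQube UI: http://localhost:9000 (first login admin/admin; set a new password before creating a token)"
}

# $1 = path to the Spring Boot project, $2 = project key (defaults to the directory name)
sonar_scan() {
    [ -f "$1/pom.xml" ] || { echo "not a Maven project: $1" >&2; return 1; }
    [ -n "${SONAR_TOKEN:-}" ] || { echo "export SONAR_TOKEN first" >&2; return 1; }
    key="${2:-$(basename "$1")}"
    (cd "$1" && mvn clean verify sonar:sonar "-Dsonar.projectKey=$key" \
        -Dsonar.host.url=http://localhost:9000)
}

sonar_down() { docker compose -f "$COMPOSE_FILE_PATH" down; }

case "${1:-}" in
    up)   sonar_up ;;
    scan) sonar_scan "$2" "$3" ;;
    down) sonar_down ;;
esac
```

Usage: `sh sonar-local.sh up`, then `SONAR_TOKEN=... sh sonar-local.sh scan ./my-spring-app my-app-key`, and `sh sonar-local.sh down` when finished. `down` stops the containers but keeps the named volumes, so history and metrics are still there on the next `up`.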

Option 2: Real-Time Analysis in IntelliJ with SonarQube for IDE

This option lets developers get real-time analysis inside IntelliJ using the same rules as the SonarQube server, ensuring consistency and preventing CI failures before they happen. This is the most common developer workflow in real teams.

Install SonarQube for IDE in IntelliJ

Path:

IntelliJ → Settings → Plugins → Marketplace → “SonarQube”

Install:

  • “SonarQube for IDE” (formerly called SonarLint)

Restart IntelliJ afterwards.

Connect IntelliJ to the SonarQube Server

(Most important step — enables rule sync)

Steps:

  1. IntelliJ Sidebar → SonarQube Tool Window

  2. Click “Bind Project to SonarQube”

  3. Add server connection

    • Name: Internal SonarQube

    • URL: http://localhost:9000 (or company server)

    • Token: Personal access token from SonarQube

  4. Select your project key

  5. Connection established
