Scanning a Spring Boot Project
About
This section explains how a Spring Boot project is actually scanned by SonarQube, what SonarQube expects from the build, and how analysis results flow into the dashboard and Quality Gates.
Before scanning, the following must already be true:
Spring Boot project builds successfully
Java version supported by SonarQube
Tests can run (even if minimal)
SonarQube server is reachable
Authentication token is available
SonarQube assumes a healthy build. If the build is broken, the results are unreliable: the Java analyzer resolves types from the compiled classes, so missing or stale bytecode means rules that silently fail to fire rather than a loud error.
How SonarQube Fits into the Spring Boot Build?
SonarQube analysis runs after compilation, not before.
Typical Spring Boot flow:
Source Code
↓
mvn compile
↓
mvn test (JaCoCo generates coverage)
↓
sonar:sonar
↓
SonarQube Dashboard + Quality Gate
SonarQube does not:
Start Spring context
Load application properties
Execute controllers or services
It analyzes code artifacts, not runtime behavior.
Option 1: Local SonarQube Using Docker + Maven Sonar Plugin
(Most common for learning, PoC, and early team setup)
This option is ideal when:
You want a self-contained setup
You are evaluating SonarQube
You want to scan locally before CI integration
You want zero infrastructure dependency
This mirrors production behavior without CI complexity.
SonarQube runs as a Docker container
Database runs as a Docker container
Spring Boot project runs locally
Maven triggers analysis using the Sonar plugin
Step-wise Process
Step 1: Run SonarQube Using Docker
A minimal Docker setup consists of:
SonarQube server
PostgreSQL database
Persistent volumes
Typical responsibilities:
Docker handles runtime
SonarQube handles analysis & UI
PostgreSQL stores history and metrics
This setup is stateful and should not be recreated every run.
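A minimal compose file for the setup just described, added here as an example (it is not from the page). Image tags, service and volume names and the database password are assumptions; the password must be changed for anything beyond a laptop, and the port is bound to 127.0.0.1 so the fresh instance with its default admin credentials is not reachable from the network.

```yaml
# Added example: SonarQube + PostgreSQL with persistent volumes (stateful, keep between runs).
# Assumptions: image tags, names and the password below are illustrative.
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      # Official SonarQube image variables for the JDBC connection
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: change-me
    ports:
      # Loopback only: the UI ships with admin/admin until you change it
      - "127.0.0.1:9000:9000"
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs

  db:
    image: postgres:15
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: change-me
      POSTGRES_DB: sonar
    volumes:
      - postgresql_data:/var/lib/postgresql/data

# Named volumes hold the analysis history; `docker compose down` without -v keeps them.
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql_data:
```

Start it with `docker compose up -d`. SonarQube embeds Elasticsearch, which on Linux needs `vm.max_map_count` raised (`sysctl -w vm.max_map_count=524288`) or the container exits during startup. Stop it with `docker compose down`; adding `-v` would delete the volumes and the history they hold.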
Step 2: Access SonarQube UI
Once started:
SonarQube UI is available on
http://localhost:9000
Default admin credentials (admin/admin) are used for the first login; SonarQube asks you to change the password at that point
You create a project, which fixes its project key, and generate a token (My Account → Security, or the project token offered during project setup)
At this point, SonarQube is ready to receive analysis reports, but nothing has been scanned yet.
Step 3: Configure Spring Boot Project for Analysis
The Spring Boot project must:
Compile successfully
Produce bytecode
Produce test and coverage reports
This is non-negotiable for Java analysis.
SonarQube does not analyze:
Java without bytecode reliably: the Java analyzer needs the compiled classes to resolve types, and without them many rules cannot run
Runtime behavior
Spring context wiring
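The pom.xml fragment below is an added example of the plugin configuration Step 3 requires; it is not the page's sample project. Plugin versions and the project key are assumptions. The token is deliberately absent: it is passed at scan time, never committed to the pom.

```xml
<!-- Added example (not the page's pom): plugins a Spring Boot pom needs for SonarQube.
     Versions and the project key are assumptions; check for current releases. -->
<properties>
  <sonar.host.url>http://localhost:9000</sonar.host.url>
  <sonar.projectKey>demo-service</sonar.projectKey>
  <!-- The Java analyzer reads JaCoCo's XML report, not the .exec file -->
  <sonar.coverage.jacoco.xmlReportPaths>
    ${project.build.directory}/site/jacoco/jacoco.xml
  </sonar.coverage.jacoco.xmlReportPaths>
  <!-- Never put sonar.token here: the pom is committed, the token is a secret -->
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.jacoco</groupId>
      <artifactId>jacoco-maven-plugin</artifactId>
      <version>0.8.12</version>
      <executions>
        <!-- Attaches the agent so `mvn test` records coverage -->
        <execution>
          <id>prepare-agent</id>
          <goals>
            <goal>prepare-agent</goal>
          </goals>
        </execution>
        <!-- Writes the XML report at verify, i.e. before sonar:sonar runs -->
        <execution>
          <id>report</id>
          <phase>verify</phase>
          <goals>
            <goal>report</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>4.0.0.4121</version>
    </plugin>
  </plugins>
</build>
```

Because the report goal is bound to `verify`, running `mvn verify` before (or together with) `sonar:sonar` guarantees the XML report exists when the scanner collects it; running only `mvn test` leaves the coverage widget empty.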
Step 4: Use Maven Sonar Plugin to Trigger Scan
The Maven Sonar plugin acts as the bridge between:
Your build
SonarQube server
Key characteristics:
Runs after compilation and tests
Collects source + bytecode + reports
Uploads analysis results to SonarQube
Typical flow: build and test first, then trigger analysis, i.e. mvn clean verify followed by mvn sonar:sonar.
Or combined into a single invocation: mvn clean verify sonar:sonar.
This is the authoritative scan, identical in behavior to CI scans.
Step 5: Authentication and Project Binding
During scan:
Project key identifies the service
Token authenticates the scanner; its owner needs the Execute Analysis permission on the project, and a project analysis token is preferable to a user token because it cannot do anything else
SonarQube binds results to the project
After completion:
Issues appear in the UI
Ratings are calculated
Quality Gate is evaluated
Script
Example
Use the sample Java project that already has the required plugins.
Execute the script with the command below, passing the path of the Spring Boot project as its argument.
Open the SonarQube console at http://localhost:9000 and log in with the admin credentials (admin/admin on a fresh instance).
Once done, use the command below to stop the containers.
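The wrapper script below is an added example covering Steps 4 and 5 and the script this section refers to; it is not the page's own script. It assumes a docker-compose.yml in the working directory, SonarQube on http://localhost:9000, and the token in the SONAR_TOKEN environment variable. Two details matter for a practitioner: the Maven command is built without the secret so it can be logged, and sonar.qualitygate.wait=true makes the build fail when the Quality Gate fails, which otherwise only shows up as a red badge in the UI.

```shell
#!/usr/bin/env bash
# Added example (not the page's script): run the authoritative Maven-driven scan
# of a Spring Boot project against a local, Docker-hosted SonarQube.
# Assumptions: docker-compose.yml in the current directory, server on
# http://localhost:9000, token in $SONAR_TOKEN. Servers older than 10.0 use
# -Dsonar.login instead of -Dsonar.token.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"

# SonarQube accepts keys made of letters, digits, '-', '_', '.', ':' with at
# least one non-digit; reject anything else before spending a build on it.
valid_project_key() {
  case "$1" in
    "" | *[!A-Za-z0-9_.:-]*) return 1 ;;
  esac
  case "$1" in
    *[!0-9]*) return 0 ;;   # contains at least one non-digit character
    *) return 1 ;;
  esac
}

# Compose the Maven invocation WITHOUT the token so it is safe to echo/log.
# sonar.qualitygate.wait=true turns a failed Quality Gate into a failed build.
scan_cmd() {
  key="$1"; host="$2"
  printf 'mvn -B clean verify sonar:sonar -Dsonar.projectKey=%s -Dsonar.host.url=%s -Dsonar.qualitygate.wait=true' "$key" "$host"
}

# Poll the server status API until it reports UP; scans sent while it is still
# STARTING are rejected.
wait_for_sonar() {
  host="$1"; tries="${2:-60}"
  while [ "$tries" -gt 0 ]; do
    if curl -fsS "$host/api/system/status" 2>/dev/null | grep -q '"status":"UP"'; then
      return 0
    fi
    tries=$((tries - 1)); sleep 5
  done
  echo "SonarQube at $host did not come up" >&2
  return 1
}

run_scan() {
  project_dir="$1"; key="$2"
  valid_project_key "$key" || { echo "invalid project key: $key" >&2; return 1; }
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  docker compose up -d
  wait_for_sonar "$SONAR_HOST"
  echo "+ $(scan_cmd "$key" "$SONAR_HOST") -Dsonar.token=***"
  # The token goes on the command line here, so it is visible in `ps` on a
  # shared host; use ~/.m2/settings.xml there instead.
  ( cd "$project_dir" && $(scan_cmd "$key" "$SONAR_HOST") -Dsonar.token="$SONAR_TOKEN" )
}

# Usage: SONAR_TOKEN=... ./sonar-scan.sh <path-to-spring-boot-project> <project-key>
# Afterwards: `docker compose down` (no -v, so the database volume and the
# analysis history survive).
if [ "$#" -ge 2 ]; then
  run_scan "$1" "$2"
elif [ "$#" -ne 0 ]; then
  echo "usage: $0 <project-dir> <project-key>" >&2
  exit 2
fi
```

Run it from the directory holding the compose file; the functions are kept separate from the top-level dispatch so the command line and the key check can be exercised without Docker or Maven installed.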
Option 2: SonarQube for IDE in IntelliJ Bound to the SonarQube Server
This option lets developers get real-time analysis inside IntelliJ using the same rules as the SonarQube server, ensuring consistency and catching CI failures before they happen. This is the most common developer workflow in real teams. It complements the Maven scan rather than replacing it: the IDE analyzer flags issues as you type, but it does not compute coverage or evaluate the Quality Gate.
Install SonarQube for IDE in IntelliJ
Path:
IntelliJ → Settings → Plugins → Marketplace → “SonarQube”
Install:
“SonarQube for IDE” (formerly called SonarLint)
Restart IntelliJ afterwards.
Connect IntelliJ to the SonarQube Server
(Most important step — enables rule sync)
Steps:
IntelliJ Sidebar → SonarQube Tool Window
Click “Bind Project to SonarQube”
Add server connection
Name: Internal SonarQube
URL:
http://localhost:9000 (or the company server)
Token: personal access token generated in SonarQube (My Account → Security)
Select your project key
Connection established