Contents

• Overview
• Key Features
• Getting Started
• Project Setup and Scanning
• Permissions and Access Control
• Best Practices and Troubleshooting
• Support and Administration
• Notes for Public Repositories

Overview

SonarQube is a powerful static code analysis platform that continuously inspects your source code for bugs, code smells, security vulnerabilities, and code duplications. At UCSF, it serves as a core enterprise tool in the Quality Engineering (QE) toolbox, enabling teams to shift quality left by embedding automated code quality and security checks directly into the development lifecycle.

  Back to Top

Key Features

• Multi-Language Support: Java, JavaScript, TypeScript, Python, C#, C++, Go, HTML, CSS, and more
• Security Vulnerability Detection: OWASP Top 10, SANS Top 25, and CWE coverage
• Code Quality Gates: Automatically pass or fail builds based on customizable quality criteria
• Pull Request Analysis: Provides inline feedback in GitHub/GitLab/Bitbucket PRs
• Historical Metrics: Track code quality over time and identify technical debt
• Custom Rules & Plugins: Extend with organization-specific rules or integrations

  Back to Top

Getting Started

Prerequisites

• UCSF SSO credentials
• Access to sonarqube.ucsf.edu
• Appropriate GitHub permissions (Cloud or On-Prem)

Initial Access

1. Login to https://sonarqube.ucsf.edu using your SSO credentials
2. First-time users: Ask your team lead (or a SonarQube Admin) to add you to required “SonarQube Projects” or repos
3. Team leads: Request group creation from SonarQube Admin ([email protected])

⚠️ If you've just been added to a group, you'll need to log out and login again, so your session has your group membership associated with your account

GitHub Integration Setup

For GitHub Enterprise Cloud (GHEC)

1. Visit https://github.com/apps/ucsf-sonarqube-cloud-public-repo
2. Select your organization (not personal account)
3. Choose “All repositories” or “Only select repositories”
4. Click “Install” or “Request" (if insufficient permissions)

For GitHub On-Prem (GHES)

1. Visit https://git.ucsf.edu/github-apps/sonarqube-enterprise-app
2. Follow same steps as GitHub Cloud setup

  Back to Top

Project Setup and Scanning

Creating a New Project

1. Click “Create Project” on the SonarQube dashboard
2. Select “From GitHub”
3. Choose appropriate GitHub configuration:
   • “SonarQube Enterprise On-Prem” for git.ucsf.edu
   • “SonarQube Enterprise Cloud Public Repo” for github.com
4. Select repositories and import

Configuring Scans

1. Create GitHub Org-level secrets:
   • SONAR_TOKEN (generated from SonarQube account security)
   • SONAR_HOST_URL (https://sonarqube.ucsf.edu)
2. Add sonar-project.properties file
3. Configure GitHub Actions workflow

Example Workflows

• GHES example: UCSF-Shared/Devex-utils
• GHEC example: ilios/ilios

  Back to Top

Permissions and Access Control

Permission Levels

• Project Creation
• Project Settings
• Scan Viewing
• Administration

Group Management

• Groups typically match GitHub org names
• Managed by SonarQube admins
• Standard permissions template available

  Back to Top

Best Practices and Troubleshooting

Complex Projects

• Use multiple jobs for large codebases
• Split scans by language if needed
• Contact DevEx team for optimization help

Common Issues

• "You are not authorized" errors: if you've just been added to a group, you'll need to log out and login again, so your session has your group membership associated with your account
• Hostname errors: Check SONAR_HOST_URL configuration
• YAML formatting: Keep lines under 80 characters
• Memory issues: Consider splitting scans

Support and Administration

• Help Desk: help.ucsf.edu
• SonarQube Admin Contact: [email protected]
• Documentation: Official SonarQube Docs

  Back to Top

Notes for Public Repositories

• Limited public access available through “sonar-users” group
• Time-limited access recommended for special events
• Requires explicit admin approval

  Back to Top