Adding SonarQube to your Django project scanning your code locally

Yuki Nagano
5 min read · Apr 3, 2023


Django is a popular web framework used by many developers to build complex web applications. One aspect of building reliable and efficient software is ensuring that it is free from bugs and security vulnerabilities. To help with this, there are many tools available for code analysis and testing, one of which is SonarQube.

SonarQube is an open-source platform for continuous code quality and security inspection. It provides a dashboard to track and manage code quality, code coverage, and security vulnerabilities. SonarQube can be easily integrated into any development environment, including Django projects.

In this article, we will explore how to add SonarQube from Docker Hub to your Django project.

I had some issues when adding SonarQube to my Django project, so I will also show the troubleshooting I went through.

Prerequisites

Before we begin, ensure that you have the following installed on your system:

  • Docker Desktop
  • Python
  • Django

Step 1: Pull the SonarQube image from Docker Hub

The first step is to pull the SonarQube image from Docker Hub. Open a terminal window and enter the following command:

$ docker pull sonarqube

This command will download the latest SonarQube image from Docker Hub to your local machine.

macbook-pro:kintaidemo yukinagano$ docker pull sonarqube
Using default tag: latest
latest: Pulling from library/sonarqube
Digest: sha256:a4e5a2d3d6deee2680d397ee3423f0a3477a98dde17fdf2986f2e0c70272bd57
Status: Downloaded newer image for sonarqube:latest
docker.io/library/sonarqube:latest
macbook-pro:kintaidemo yukinagano$

Step 2: Start the SonarQube container

Now that you have the SonarQube image, you can start a new container with the following command:

$ docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

This command will start a new SonarQube container in detached mode, named sonarqube, and map the container port 9000 to the host port 9000. This means that you can access the SonarQube dashboard by opening your browser and going to http://localhost:9000.

Troubleshooting

When you run “sonarqube” instead of “sonarqube:latest”, just as described on the official page (https://hub.docker.com/_/sonarqube/), you get this kind of error:

(kintaidemo) macbook-pro:kintaidemo yukinagano$ docker run -d --name sonarqube -p 9000:9000 sonarqube;
docker: Error response from daemon: Conflict. The container name "/sonarqube" is already in use by container "e7497d5a1332ab62eb1b52cac3c9ddf1497b496ad65fbfaf30440764ef0139d3". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.

So make sure you run the container image as “sonarqube:latest”.
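The error text above reports that a container named sonarqube already exists on the host. As an added example, not code from the article, here is a small shell script that checks the container's state before starting it, so repeated runs of Step 2 reuse or restart the existing container instead of failing, and then waits for the server to report UP before you open the dashboard. It assumes the Docker CLI and curl are on PATH and uses the article's container name, image tag and port.

```shell
#!/bin/sh
# Added example, not from the article: bring up the SonarQube container
# without tripping over a container of the same name that already exists
# (the situation the "name is already in use" error above reports).
# Assumes the Docker CLI and curl are on PATH; the container name, image
# tag and port are the ones the article uses.

CONTAINER_NAME="sonarqube"
IMAGE="sonarqube:latest"
HOST_PORT=9000

# Classify one container from the output of
#   docker ps -a --format '{{.Names}} {{.Status}}'
# given as $2 (one "name status..." line per container).
# Prints "running", "stopped" or "absent" for the name in $1.
container_state() {
    line=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print; exit }')
    if [ -z "$line" ]; then
        echo absent
        return
    fi
    status=${line#"$1 "}
    case "$status" in
        Up*) echo running ;;   # "Up 3 hours", "Up 2 minutes (healthy)"
        *)   echo stopped ;;   # "Exited (0) ...", "Created"
    esac
}

# Reuse a running container, restart a stopped one, create it only if absent.
ensure_sonarqube() {
    ps_out=$(docker ps -a --format '{{.Names}} {{.Status}}')
    case "$(container_state "$CONTAINER_NAME" "$ps_out")" in
        running) echo "$CONTAINER_NAME is already running" ;;
        stopped) docker start "$CONTAINER_NAME" ;;
        absent)  docker run -d --name "$CONTAINER_NAME" -p "$HOST_PORT:9000" "$IMAGE" ;;
    esac
}

# Poll the unauthenticated status endpoint until the server reports UP;
# neither the web UI nor the scanner can be used before that.
wait_for_sonarqube() {
    i=0
    while [ "$i" -lt 60 ]; do
        if curl -sf "http://localhost:$HOST_PORT/api/system/status" | grep -q '"status":"UP"'; then
            echo "SonarQube is up at http://localhost:$HOST_PORT"
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "SonarQube did not become ready in time" >&2
    return 1
}

# Usage: sh start_sonarqube.sh up
if [ "${1:-}" = "up" ]; then
    ensure_sonarqube && wait_for_sonarqube
fi
```

Running `sh start_sonarqube.sh up` twice is harmless: the second run sees the container is already running and skips straight to the readiness check.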

Step 3: Create a Project and Set Up the Scanner

The next step is to create your project and set up the scanner to analyze code and send the results to SonarQube.

When you first open the dashboard, log in with admin/admin as username and password; SonarQube then takes you to a page to change your password.

Go to “Create Project”, and select “Manually”.

Configure the Project display name and the Project key (by default they are the same).

Step 4: Configure your Django project for SonarQube

To configure your Django project for SonarQube, you need to add a sonar-project.properties file to your project’s root directory. This file contains the configuration for the SonarQube Scanner, such as the project key, project name, and source directories.

First, create a sonar-project.properties file in your repository and paste the following line:

sonar.projectKey=my-django-project

Go back to http://localhost:9000 and select “locally”.

It lets you generate a token and choose your build type and OS, and then shows the scanner command to run.

Go to the official documentation of the scanner, download the zip file and unpack it so that the sonar-scanner command is available.

Step 5: Run the SonarQube Scanner

Now that you have configured your Django project for SonarQube, you can run the SonarQube Scanner with the following command, as the instructions provide:

sonar-scanner \
-Dsonar.projectKey=my-django-project \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.login={{generated token}}

Or you can put the same settings in sonar-project.properties:

sonar.projectKey=my-django-project
sonar.sources=.
sonar.host.url=http://localhost:9000
sonar.login={{generated token}}
sonar.exclusions=**/test_*.py
sonar.python.coverage.reportPath=coverage.xml

If it succeeds, the output ends like this:

...
INFO: ANALYSIS SUCCESSFUL, you can find the results at: http://localhost:9000/dashboard?id=my-django-project
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AYdFCFmfEF6UrGbvahhA
INFO: Analysis total time: 19.407 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 26.411s
INFO: Final Memory: 24M/87M
INFO: ------------------------------------------------------------------------

The command will analyze your code and send the results to SonarQube. You can then view the results in the SonarQube dashboard.

Troubleshooting — EXECUTION FAILURE

I got an execution failure many times before I got the scanned page.

One of them was “Not authorized”.

ERROR: Not authorized. Analyzing this project requires authentication. 
Please provide a user token in sonar.login or other credentials in sonar.login and sonar.password.

If you encounter this error, you might want to check the authentication settings in SonarQube.

Go to Administration on your SonarQube page and disable “Force user authentication” in the Security section.
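Both the sonar-project.properties file in Step 5 and the “Not authorized” error above revolve around the token: the error message asks for a user token in sonar.login, and a token written into the properties file ends up in the repository. Supplying the token at scan time keeps “Force user authentication” enabled, so the server does not accept anonymous analysis uploads, and keeps the token out of version control. The script below is an added example, not from the article: it refuses to run when no token is set or when a credential key has been committed to the properties file, produces the coverage.xml that sonar.python.coverage.reportPath points at, and then runs the scanner. It assumes sonar-scanner and the coverage package are on PATH; SONAR_TOKEN is this script's own variable name.

```shell
#!/bin/sh
# Added example, not part of the article: run the local scan with the
# token supplied through the environment rather than written into
# sonar-project.properties, and refuse to run if a token has leaked into
# that file. Assumes sonar-scanner and the coverage package are on PATH.
# SONAR_TOKEN is this script's own variable name (an assumption); the
# sonar.* keys are the ones used in the article.

PROPERTIES_FILE="sonar-project.properties"

# 0 when the file holds no credential key, 1 when it does.
# sonar.login is the key the article uses; sonar.token (SonarQube 10+)
# and sonar.password are checked as well.
properties_free_of_secrets() {
    if grep -Eq '^[[:space:]]*sonar\.(login|token|password)[[:space:]]*=' "$1"; then
        return 1
    fi
    return 0
}

# Validate inputs before anything is sent to the server.
# $1: token, $2: properties file. Returns 0 when ready, 1 otherwise.
scan_precheck() {
    token="$1"
    props="$2"
    if [ -z "$token" ]; then
        echo "SONAR_TOKEN is not set; generate a token in the SonarQube UI and export it" >&2
        return 1
    fi
    if [ ! -f "$props" ]; then
        echo "$props not found; create it as described in Step 4" >&2
        return 1
    fi
    if ! properties_free_of_secrets "$props"; then
        echo "$props contains a credential key; remove it and pass the token via SONAR_TOKEN" >&2
        return 1
    fi
    return 0
}

run_scan() {
    scan_precheck "${SONAR_TOKEN:-}" "$PROPERTIES_FILE" || return 1
    # Produce coverage.xml, the file named by sonar.python.coverage.reportPath.
    coverage run manage.py test || return 1
    coverage xml -o coverage.xml || return 1
    # The token is passed only for this invocation; every other setting
    # (project key, sources, host url, exclusions) comes from the properties file.
    sonar-scanner -Dsonar.login="$SONAR_TOKEN"
}

# Usage: SONAR_TOKEN=<token from the SonarQube UI> sh scan.sh scan
if [ "${1:-}" = "scan" ]; then
    run_scan
fi
```

With this layout the properties file contains only sonar.projectKey, sonar.sources, sonar.host.url, sonar.exclusions and sonar.python.coverage.reportPath, all of which are safe to commit.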

Conclusion

In this article, we have explored how to add SonarQube from Docker Hub to your Django project. SonarQube is a powerful tool for continuous code quality and security inspection, and integrating it into your Django project can help you identify and fix issues before they become major problems. By following the steps outlined in this article, you can easily add SonarQube to your project.

This time we went through a local scan; the next step would be to scan the code on every push or pull request.

Thanks for reading!
