Why SonarQube for Java?
SonarQube is the industry-standard platform for continuous code quality inspection. For Java projects, it provides over 600 built-in rules covering bugs, vulnerabilities, code smells, and maintainability issues. It computes many of the same metrics the CK suite covers — coupling, complexity, coverage — and presents them in a rich dashboard that teams can track over time.
Installation: Local Setup with Docker
The fastest way to get SonarQube running locally is with Docker:
```bash
docker run -d --name sonarqube \
  -p 9000:9000 \
  sonarqube:community
```
Once running, open http://localhost:9000 and log in with admin / admin. You'll be prompted to change the password on first login. The Community Edition is free and open source — ideal for individual developers and small teams.
Analyzing a Maven Project
Add the SonarQube Maven plugin to your pom.xml:
```xml
<!-- place this inside <build><plugins> ... </plugins></build> in pom.xml -->
<plugin>
  <groupId>org.sonarsource.scanner.maven</groupId>
  <artifactId>sonar-maven-plugin</artifactId>
  <version>3.10.0.2594</version>
</plugin>
```
Then run the analysis:
```bash
mvn clean verify sonar:sonar \
  -Dsonar.projectKey=my-java-project \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=YOUR_TOKEN
```
Generate a token under My Account → Security in the SonarQube UI. Treat it as a credential: on shared machines and in CI, pass it through the SONAR_TOKEN environment variable (as in the GitHub Actions step below) rather than on the command line, where it ends up in shell history and process listings.
Key Metric Categories in SonarQube
| Category | What It Measures | Key Threshold |
|---|---|---|
| Reliability | Bugs that will cause runtime failures | 0 new bugs |
| Security | Vulnerabilities and hotspots | 0 new vulnerabilities |
| Maintainability | Code smells, technical debt | Debt ratio < 5% |
| Coverage | Unit test line and branch coverage | > 80% |
| Duplications | Copy-paste code blocks | < 3% duplicated lines |
Configuring Quality Gates
A Quality Gate is a set of pass/fail conditions that SonarQube evaluates after each analysis. The default "Sonar Way" gate is a solid starting point. To customize it:
- Navigate to Quality Gates in the SonarQube UI.
- Copy the "Sonar Way" gate to create your own.
- Add conditions such as: "Coverage on New Code must be greater than 75%".
- Assign your gate to the project under Project Settings → Quality Gate.
When a build fails the Quality Gate, your CI pipeline should fail too — this is the core of enforcing standards automatically.
CI/CD Integration: GitHub Actions Example
```yaml
- name: SonarQube Scan
  run: mvn sonar:sonar
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
Store SONAR_TOKEN and SONAR_HOST_URL as encrypted GitHub secrets. On every pull request, SonarQube will comment with a summary and block the merge if the Quality Gate fails.
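Failing the pipeline on a red gate, as the Quality Gate and CI sections above recommend, needs a step that reads the gate result after the scan. The script below is an added example, not SonarQube's own code: it queries the Web API endpoint api/qualitygates/project_status, lists every violated condition and exits non-zero when the gate is not green. It assumes the SONAR_HOST_URL and SONAR_TOKEN variables from the workflow step plus a SONAR_PROJECT_KEY variable chosen for this example, and that the server accepts the token as a Basic-auth username.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample in the shape SonarQube returns from
# api/qualitygates/project_status; used only to exercise evaluate_gate() offline.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "75", "actualValue": "62.5"},
        ],
    }
}

def evaluate_gate(payload):
    """Return (passed, failures); failures describes each violated condition."""
    status = payload["projectStatus"]
    failures = [
        f"{c['metricKey']}: actual {c.get('actualValue', 'n/a')} "
        f"violates {c['comparator']} {c['errorThreshold']}"
        for c in status.get("conditions", [])
        if c["status"] == "ERROR"
    ]
    return status["status"] == "OK", failures

def fetch_gate_status(host, token, project_key):
    """GET the gate status; the token is sent as the Basic-auth username."""
    url = (f"{host.rstrip('/')}/api/qualitygates/project_status"
           f"?projectKey={urllib.parse.quote(project_key, safe='')}")
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # SONAR_PROJECT_KEY is a variable name chosen for this example; the other two match the workflow.
    payload = fetch_gate_status(os.environ["SONAR_HOST_URL"],
                                os.environ["SONAR_TOKEN"],
                                os.environ["SONAR_PROJECT_KEY"])
    passed, failures = evaluate_gate(payload)
    print("Quality Gate " + ("PASSED" if passed else "FAILED"), *failures, sep="\n")
    sys.exit(0 if passed else 1)
```

Run it after the scan step once the background task has processed the report; setting the analysis property sonar.qualitygate.wait=true makes mvn sonar:sonar block until then, so the status read here is current.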
Useful Java-Specific Rules to Enable
- squid:S1192 — String literals should not be duplicated.
- squid:S3776 — Cognitive complexity of methods should not be too high.
- squid:S1200 — Classes should not be coupled to too many other classes (CBO).
- squid:S2176 — Class names should not shadow interfaces or superclasses.
These keys use the legacy squid: repository prefix; recent SonarQube versions list the same rules under the java: prefix (for example java:S1192), so search by the number if the squid: key is not found.
Getting the Most from SonarQube
Start by fixing all blocker and critical issues before moving on to major ones. Use the Technical Debt view to understand how much remediation effort your codebase requires. Reviewing the debt trend over sprints is one of the clearest indicators of whether your engineering practices are improving.