Improve your code quality with static code analysis

Your source code can be improved in multiple ways, for example with more education, a coding standard, code reviews, static code analysis and unit testing. Good code quality speeds up your development and saves time and money.

Hopefully all of the checks above are already in place, but if you’re missing the static code analysis part or are interested in SonarQube as a static code analysis tool, this article is for you.

SonarQube is a great tool for analysing and visualizing your code quality. It supports 27 programming languages (C, C++, C#, Python, Java, JavaScript, etc.) and gives both a good overview and detailed information if needed – perfect for both managers and developers.

SonarQube Overview dashboard with helpful KPIs (Key Performance Indicators).

If your project has been in a hectic release phase where the focus has been on delivering features and not on design discussions, unit testing and refactoring, the KPIs on the SonarQube overview dashboard will probably visualize that. Examples of KPIs are: Security Hotspots, technical debt (measured in time), number of bugs, number of code smells and duplicated code (measured in % and lines of code).

Pricing and hosting

Is SonarQube expensive? No, it’s actually free in most cases. You can choose between hosting your own SonarQube server and database or using SonarCloud. You can host your own SonarQube instance on-premises or in the cloud (e.g. in a virtual machine in Azure/GCP/AWS). In the latter case, costs for the virtual machine and database will be added to your cloud bill. SonarCloud is free for public repositories but costs money for private/non-public ones.

SonarQube consists of a scanner (that scans the source code), a server that receives the scanning results/report, and a database. The scanner is preferably installed and run by your Continuous Integration (CI) and Pull/Merge Request pipelines. If you choose to host your own server, remember that you are responsible for keeping the operating system, the SonarQube server and the database updated and secured.

It is also possible to integrate SonarQube into your IDE, such as Visual Studio Code or Visual Studio, in order to get real-time feedback.

Example deployment diagram of a self-hosted (on-premises or in the cloud) SonarQube instance.

If choosing SonarCloud, you only need to install the scanner in the CI/Pull/Merge Request pipeline. The server part is managed by SonarSource (the company behind SonarQube/SonarCloud).

Below is an example of SonarCloud being used to scan the code in a Pull Request (on GitHub). SonarCloud inserts its result as a comment into the Pull Request. The result can also be viewed with more details on

A SonarCloud comment in a GitHub Pull Request (SonarCloud is free for public repositories).

Where to start the refactoring?

When it’s time to start refactoring the code, but you don’t know where to start, SonarQube has a good visualization for that. Under the Measures tab, there is a very nice graph of the different files with a reliability and security rating. I usually start with the worst file.

Visualization of the Worse of Reliability Rating and Security Rating.

Pimp your repo documentation with a badge

Brag about your top-notch code quality with a badge.

My SonarQube experience

I have used and installed SonarQube privately and at different companies for many years. It has in all cases led to better code quality. Both managers and developers have been very satisfied with the tool and I have only received positive feedback. The only thing that one customer missed in SonarQube was a way to see the code cohesion and coupling, and I agree that it would be good to have.

If you don’t have a static code analysis tool today, I really recommend that you start right away with SonarQube. If you know a better tool, please drop me a message on LinkedIn.

Good luck with your improved development!

Best regards,

Mikael Johansson, CEO at Wolfberry