Hi all! We could use some advice on how to implement a fast, lean and mean pipeline using SonarCloud to act as quality gates for an Azure DevOps pipeline.
- ALM used: Azure DevOps
- CI system used: Azure DevOps
- Scanner command used: See excerpt below (but basically all of SonarCloudPrepare, SonarCloudAnalyze, SonarCloudPublish)
- Languages of the repository: ASP.NET Core / C#, and of course YAML for Azure DevOps
- Other template items are not applicable
We’ve been using SonarCloud for some time now, and we’ve enforced some standard quality gates into the pipeline at Pull Request level. I.e. it’s not possible to merge to master without having at least a certain test coverage threshold, not having any smells etc. etc. and this all works great really.
The thing is that we want to reduce lead times of the pipeline, and relatively a lot of time is spent on compiling and running tests (entire pipeline only takes 4 minutes or so to complete, of which compiling/testing takes up about a minute, but does so twice). Also see the following representation of the pipeline, which hopefully doesn’t come as a surprise:
In our attempts to reduce lead time we came to the conclusion that compiling and testing twice, both on PR-level and then again on the master branch, is effectively waste, and eliminating this can reduce our lead time by a whopping 25%. However, we do not see how to make this work fluently with SonarCloud, as the PR compile+test produces reports compared to the master compile+test. Obviously we want the master to keep producing ‘baselines’ for PRs to measure against.
Is it possible for SonarCloud not to do the whole analysis twice, but to store the results and have a separate command or some such to finalize the analysis? Given the provided pipeline-flow, is it possible to have the PR-CI generate and analyze the results as usual, but have the Master CI reuse the analysis that’s already been done and simply mark it as SonarCloud’s new baseline to measure against, thereby removing the need to compile and test the code twice?
Or otherwise in some better defined criteria:
- We need to run Sonar at PR-level at the latest, because we want to fail fast on static code analysis and not introduce unchecked items onto master.
- We need to have individual PRs compared to the master branch, and the master branch only.
- We need to be able to build and test once within the entire pipeline, and not redo this time-consuming step.
Also below is a simple YAML excerpt that we use in our pipeline, with some irrelevant PowerShell steps removed.
Any help/insight would be greatly appreciated!
```yaml
- job: BuildandAnalyseSonarCloud
  displayName: Build and Analyse in SonarCloud
  steps:
  # Prepare the SonarCloud analysis and point it at the coverage report
  - task: SonarCloudPrepare@1
    displayName: 'Prepare Analysis Configuration'
    inputs:
      projectVersion: '$(Build.BuildNumber)'
      extraProperties: |
        sonar.coverageReportPaths=$(System.DefaultWorkingDirectory)/TestResults/SonarQube.xml
  # Build and run the tests that produce the coverage data
  - task: DotNetCoreCLI@2
    displayName: 'Dotnet test'
  # Run the analysis and publish the quality gate result
  - task: SonarCloudAnalyze@1
  - task: SonarCloudPublish@1
  - task: SonarCloudPrepare@1
```