Optimal Ruleset & Quality Gate RE: HIGH/CRIT/BLOCKER

Hi SonarQube Community:
Running ver
Codebase = Java & JavaScript

I am looking to strike a balance between knowing where issues exist and not slamming DEV (and yes apologies, I know this is asking quite a bit). My position is to turn on the most stringent rulesets available and know what all issues are at the HIGH/CRIT/BLOCKER levels AND have a Quality Gate that is also stringent. What would be the parameters to grade the codebase for Java/JavaScript to ensure any issues in bug/code smells/vulns are captured?

Note: I am new to SQ… any suggestions are welcome… thanks.


Welcome to the community!

What we actually recommend in this situation (in general, actually 🙂) is the Clean as You Code methodology.

I’ve written a whole blog post about it, and there’s also a pretty overview. I won’t go into detail here (you can probably find plenty of pre-blog-post threads where I have if you want) but I will say to turn on all the rules. Go ahead and clean up what you feel you absolutely must. And then ignore the issues on old code unless you’re actively working in that code. Instead, be rigorously strict only on “New Code” (code that’s added or changed).

I know ignoring the old issues sounds like madness. Read the blog and you’ll see that “If this is madness, yet there is method in’t”.
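One way to make "strict on New Code only" concrete is a quality gate whose conditions are all `new_*` metrics, so legacy code can never fail the gate while any added or changed code is held to the full bar. The script below is an added example, not code from this thread or from SonarSource; it drives SonarQube's own Web API (`api/qualitygates/create`, `create_condition`, `set_as_default`), assumes `SONAR_HOST_URL` and `SONAR_TOKEN` are set, and the gate name and thresholds are constructed values that mirror the built-in "Sonar way" gate.

```shell
#!/bin/sh
# Added example: create a New-Code-only quality gate through the SonarQube Web API.
# Assumes SONAR_HOST_URL (e.g. https://sonar.example.test) and SONAR_TOKEN are set.
GATE_NAME="${GATE_NAME:-Clean as You Code (strict)}"   # constructed name

# Every condition is a new_* metric, so issues in untouched old code never fail
# the gate. Columns: metric  operator  error threshold (ratings: 1 = A ... 5 = E).
gate_conditions() {
  cat <<'EOF'
new_reliability_rating GT 1
new_security_rating GT 1
new_maintainability_rating GT 1
new_security_hotspots_reviewed LT 100
new_coverage LT 80
new_duplicated_lines_density GT 3
EOF
}

# POST to an API endpoint; remaining args are key=value pairs, each URL-encoded.
# The token is sent as the basic-auth user with an empty password.
sq_post() {
  endpoint="$1"; shift
  for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; shift; done
  curl -fsS -u "${SONAR_TOKEN}:" -X POST "$@" "${SONAR_HOST_URL}/api/${endpoint}"
  echo
}

# Create the gate, attach each condition, then make it the server default.
apply_gate() {
  sq_post qualitygates/create "name=${GATE_NAME}"
  gate_conditions | while read -r metric op err; do
    sq_post qualitygates/create_condition "gateName=${GATE_NAME}" \
      "metric=${metric}" "op=${op}" "error=${err}"
  done
  sq_post qualitygates/set_as_default "name=${GATE_NAME}"
}

# Only talk to a server when credentials are present; otherwise just define functions.
if [ -n "${SONAR_TOKEN:-}" ] && [ -n "${SONAR_HOST_URL:-}" ]; then
  apply_gate
fi
```

Pair this with the "Previous version" or a reference-branch New Code definition in the project settings, since those define what counts as new and therefore what the gate actually grades.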