Utility / Practicality of Enabling Mono-Repo Support for This Use-Case

I have been doing a bunch of work on SonarQube Enterprise Edition Version 9.9. My current project contains around 100k lines of code to be analyzed. It contains a variety of languages (Java, Python, Terraform, etc.). There are a number of Java micro-services that each require a separate build (20+ individually built micro-services).

The Python code, on the other hand, can all be built at the same time.

In GitHub Actions, I have a workflow that runs on every PR open, modification, and merge. It successfully analyzes changed Python scripts, changed Java micro-services, and changed Terraform and passes it to one singular PR scan step. Right now, we only build these micro-services / scripts when they are changed. We keep everything neat and tidy under one project in SonarQube with one PR decoration representing all the changed code analysis.

My question today is:

How would enabling mono-repo support improve our setup if we were to enable it?

How would the maintainability / simplicity of the setup be affected if now we have 20+ separate projects (and their respective keys / secrets / GitHub PR decoration bots) in SonarQube to maintain – I am assuming (please correct me if I am wrong) this is what would happen if we went the mono-repo route?

I am almost leaning toward not enabling the mono-repo setting and sticking with our current setup (of keeping everything under one roof) for right now because of this.

As I understand it, the mono-repo function in Sonar allows several analysis projects to decorate the same repository. So you can see more precisely which “component” has a failed quality gate.

Dividing your SonarQube project into several analyses will enable you to apply different gates, such as requiring more unit test coverage on a particular microservice. You’ll be able to configure each project in a more specific way.

Of course, this requires some effort in terms of project naming, keys and authorization management. For authorizations, you can use the same token as long as the account is authorized on the projects.

Finally, you may have an impact on the detection of code duplication.

Thank you for the response! That all makes sense and is very helpful!

** Bumping post requesting an official SonarQube response if possible. **

Hey @sonar_qube_analyst

Please don’t bump posts like this or ask specifically for a response from a SonarSourcer. If you have follow-up questions or something is still unclear, just ask your questions. @Bachri_Abdel might know the answer, or somebody else.

Need a direct line to SonarSource? Look at commercial support.
