
Testing - Static Code Analysis

Ensono Stacks projects use SonarQube for static analysis.

So that the results can be integrated with GitHub and used from Azure DevOps CI, they are hosted and viewable on SonarCloud.

SonarCloud offers quality gates that ensure that your standards are adhered to before deploying.

SonarCloud supports most languages.

Getting started

Sign up to SonarCloud with GitHub for the organisation under test. Review the SonarCloud documentation and setup guide for how to plug it into GitHub.

Using Jest with SonarCloud

SonarCloud collects the coverage reports that Jest generates in lcov format. The jest.config.json file will include the following for code coverage collection.


To ensure that the reports use relative paths, "roots": ["<rootDir>/."] needs to be set. Otherwise the lcov report will embed the root directory in each path, and the sonar scanner won't be able to map the coverage to the analysed files.

{
  "roots": ["<rootDir>/."],
  "coverageReporters": ["cobertura", "lcov"],
  "collectCoverage": true,
  "collectCoverageFrom": ["<glob patterns for the source files to measure>"],
  "coverageDirectory": "<rootDir>/coverage/",
  "coverageThreshold": {
    "global": {
      "statements": 1,
      "branches": 1,
      "functions": 1,
      "lines": 1
    }
  }
}

The coverage directory will be where the lcov reports are generated.

Configuring SonarCloud

At the root of the package, a configuration file can be created to pull in the required SonarCloud environment variables, including the SonarCloud token, the project name, where to collect the code coverage report from, and which files should be excluded from analysis.

For all configuration options see SonarCloud Analysis Parameters.

To pull in the Jest-generated code coverage reports, output in a format SonarCloud supports, the report path can be set in the file:


To ensure that SonarCloud doesn't analyse files that are not needed for analysis, exclude them:

sonar.exclusions=node_modules/**/*, dist/**/*, coverage/**/*, **/*.test.*, *.config.{js,json}, __tests__/**/*, __mocks__/**/*, ./.*, *.xml, **/*.d.*, **/*.js


This can be run with the Ensono Stacks custom container, which supports running Sonar Scanner for .NET and NPM projects.

See amidostacks/ci-sonarscanner for the open source image.

Static quality gates

To ensure that all code meets the quality standards (i.e. code coverage, bugs, security), quality gate checks can be implemented on the results of the SonarScanner analysis.

Azure pipelines


The amidostacks/ci-sonarscanner does not fail the pipeline if the quality gate is not passed on SonarCloud. We recommend following one of these implementations:

Another option is to have a task running using the container, making static code analysis a breeze in the pipelines and easy to run locally. For an example of how to use the container to run your static code analysis, see amido/stacks-pipeline-templates.

- bash: |
    sonar-scanner -v
  displayName: "Static Analysis: SonarScanner Run"
  container: sonar_scanner
  env:
    BUILD_NUMBER: $(Build.BuildNumber)
  workingDirectory: ${{ parameters.workingDirectory }}

Running locally

In order to run, export the following environment variables for the SonarCloud project (SONAR_TOKEN, SONAR_PROJECT_KEY and SONAR_ORGANIZATION, as used in the docker command below):


First generate the code coverage results by running the unit tests, then run the SonarCloud scanner and push up the results for analysis.

npm run test
docker run -e SONAR_HOST_URL=<SonarCloud host URL> -e SONAR_TOKEN=$SONAR_TOKEN -e SONAR_PROJECT_KEY=$SONAR_PROJECT_KEY -e SONAR_ORGANIZATION=$SONAR_ORGANIZATION -e BUILD_NUMBER=1.2.3 -v $(pwd):/usr/src --rm -it amidostacks/ci-sonarscanner /bin/bash -c 'cd /usr/src && sonar-scanner'