One main feature of high-quality code is functional correctness. For many companies, it is even part of their compliance rules and policies: only if software is fully functional can it meet your organization’s quality and security standards.
Both code quality and security should be checked continuously to detect issues as early as possible. This spares you tedious and time-consuming bug hunting when unexpected behavior shows up only after development has finished. Continuous Integration (CI) describes a development process that puts this principle into practice: team members integrate their contributions frequently into a single branch, the main line. Before each integration, the changes are verified through builds and automated testing, and thereby their quality and security are assured.
SAP Continuous Integration and Delivery is a service on SAP Business Technology Platform that helps you implement continuous integration in your own development. It offers predefined pipelines for SAP-specific scenarios that, with each commit, build, test, and deploy your code changes. With its new Compliance stage, you can add an optional SonarQube scan to your development pipeline.
SonarQube is a tool for Static Application Security Testing (SAST), which inspects an application’s source code to detect code quality issues. It evaluates your code against a set of rules, the so-called quality profiles, and suggests fixes for the issues found. You can either use the global default quality profiles or configure your own according to your corporate needs. You can also configure quality gates by selecting metrics for your own code quality and security conditions and setting the pass/fail threshold. SonarQube comes in a cloud-hosted version called SonarCloud as well as a self-hosted on-premise version, which are both supported by SAP Continuous Integration and Delivery. Depending on your use case, you can choose between different SonarQube editions – get the one that fits you best and integrate it into your SAP Continuous Integration and Delivery pipeline.
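To make the pass/fail idea of a quality gate concrete, here is an added example (not code from SAP or SonarSource) that evaluates a quality gate result the way a CI step would: it reads the JSON that SonarQube’s Web API returns from GET /api/qualitygates/project_status?projectKey=… (a real endpoint; the sample response below is constructed, and the metric values and thresholds in it are invented) and turns it into an exit code and a list of failed conditions.

```python
import json

# Constructed sample of the response body of
# GET /api/qualitygates/project_status?projectKey=<key>.
# The endpoint and field names are SonarQube's; the values are made up.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "65.2"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})


def evaluate_quality_gate(raw_json: str) -> tuple[bool, list[str]]:
    """Return (passed, reasons). The gate passes only if SonarQube reports
    status OK and no individual condition is in error."""
    status = json.loads(raw_json)["projectStatus"]
    failed = []
    for cond in status.get("conditions", []):
        if cond["status"] == "OK":
            continue
        # The comparator says how the condition fails: "LT" means the actual
        # value fell below the threshold, "GT" means it rose above it.
        direction = "below" if cond["comparator"] == "LT" else "above"
        failed.append(
            f"{cond['metricKey']}: {cond['actualValue']} is {direction} "
            f"threshold {cond['errorThreshold']}"
        )
    return status["status"] == "OK" and not failed, failed


def pipeline_exit_code(raw_json: str) -> int:
    """A non-zero exit code is what makes the CI step, and thus the
    integration, fail when the quality gate is not met."""
    passed, reasons = evaluate_quality_gate(raw_json)
    for reason in reasons:
        print("quality gate condition failed:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(pipeline_exit_code(SAMPLE_RESPONSE))
```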
With the continuous integration and delivery service and its new Compliance stage, you can continuously evaluate your code’s quality and ensure your applications’ software compliance. Discover code issues earlier in the development process than ever before – as we all know, the earlier a problem is discovered, the less expensive it is to fix.
Are you interested? In my next blog post, I will explain how exactly to integrate SonarQube scans into your development pipeline.