Static Code Analysis w/JetBrains
Last updated
Was this helpful?
Last updated
Was this helpful?
In a recent I've made I showed how to Integrate Github Actions with SonarQube for static code analysis and now continuing with the fascinating world of code analysis it's time to do the same with one of it's competitors. This time I am going to show you up how to spin up a Docker lab with and run some static code analysis with (JetBrains static code analysis tool) from it, to the same repository we scanned last week which is
Disclaimer:
I'm assuming if you are reading this article you know what Docker is and know a bit of how to use it, case you don't please refer to
Below we have a docker-compose.yml where you have defined both the resources needed for the teamcity-agent and teamcity-server to be able to run on a Ubuntu Server with docker daemon installed. You just need to copy the code to a local docker-compose.yml file and run from the same folder:
Now you should go to your web browser and open the host ip address with port 8111 to start configuring the scans.
If you want to teardown the resources please remember to delete folder in /opt/buildagent and run the following command:
Why on a Ubuntu Server?
That's simply because one of the containers we are spawning for this exercise, the agent, which is the place where our tasks are going to be running, needs to spawn a container from itself to perform a scan, it would try to run Qodana as a docker container itself. That's why we mounting to it the docker daemon from our host (#README).
Once we have that synced, we can skip the automatic build step detect and manually add one called Qodana:
And inside that step we should set up values, such as the following:
Please note that we are using a custom linter there, because if you do not have a Qodana cloud license, that's the only way you can scan your code, with the community image.
As simple as that now we can run a scan to the codebase and see the results as the following:
Compared to the output we got from SonarQube we can tell that the analysis Qodana did was not as depth as Sonar's but yet it showcases the point for some code smells in python as the following:
By installing that set up you would have a running TeamCity instance and agent running in your local network, which can be more than fun to explore.
Thanks for reaching this far :)
Scanning your code with tools like or is crucial for maintaining a secure, high-quality, and efficient software development process. These tools go beyond simple error-checking, offering a comprehensive analysis of your codebase. By addressing issues related to code quality, security vulnerabilities and maintainability, developers can ensure that their applications not only meet industry standards but also perform optimally. Adapting these tools into your continuous integration pipeline enables automated code analysis with every commit, catching potential bugs early and streamlining the development workflow. Ultimately, the insights provided by these scanning tools empower development teams to produce software that is not only robust and secure but also easier to understand and maintain over time.
If you want to know more please read
There are other ways to add TeamCity agents to the console and if you want to know more about it please read about it.
We can add the project we want to scan from our repository URL, for that you can follow . The only thing we need is a token to access in this case GitHub with repo access.
Same as SonarQube, Qodana gives you the possibility to run scans directly from command line with a simple CLI tool, you can check it out
And it also gives you the possibility to (VCS) or even to open your JetBrains IDE if you have JetBrains toolbox installed in your computer so you can go directly and remediate the issues found.
I strongly recommend you to see video from channel which showcases some of its functionalities more deeply.