Catch vulnerabilities before they ship: local SonarQube setup (Part 2)

Published: (December 9, 2025 at 07:05 AM EST)
4 min read
Source: Dev.to

Introduction

Static Application Security Testing (SAST) is a crucial practice within the Software Security Development Life Cycle (SSDLC) that enables developers to identify security vulnerabilities early in the code development phase. While understanding the concepts of SAST is important, implementing it effectively in real‑world projects is what ensures robust and secure software delivery.

In this second part of our SAST series, we focus on integrating SonarQube Cloud, a popular static analysis tool, into IntelliJ IDEA, and on running a SonarQube server locally with Docker. We will explore:

  • SonarQube Cloud for SAST
  • Local scanning with SonarQube Cloud via IntelliJ IDEA
  • Local scanning using Docker Compose with the SonarQube image

Tools: SonarQube Cloud, Spring Boot, IntelliJ IDEA, Docker‑Compose

Prerequisite: Create a Spring Boot project using IntelliJ IDEA or the Spring Boot Initializr at .

SonarQube Cloud

SonarQube Cloud offers a hassle‑free way to start static code analysis without managing your own infrastructure. It provides cloud‑hosted scanning capabilities that analyze code quality, security vulnerabilities, bugs, and code smells.

  1. Create an account – Visit SonarQube’s official website and sign up for a free or paid cloud account.
  2. Create a new project – Provide your repository details.
  3. Generate an authentication token – In My Account > Security, generate a token and store it securely (e.g., as a GitHub Actions secret).
  4. Configure project settings – Set Quality Gates, SLAs, and rules according to your security policy. Free accounts must use the default Quality Gate.

SonarQube Cloud then becomes the central place to view detailed security reports and code‑quality metrics.

SonarCloud

SonarCloud (the former name of SonarQube Cloud) is a fully managed SaaS platform for continuous static code analysis, designed to detect code‑quality issues, security vulnerabilities, and maintainability risks across modern software projects. It supports 30+ programming languages, including Java, Python, C#, JavaScript, TypeScript, and Go.

Capabilities

  • Cloud‑hosted and fully managed – No installation, hosting, or maintenance required. Ideal for teams without strict compliance constraints.
  • Managed by SonarSource – Handles uptime, scaling, rule updates, language analyzers, and security patches.
  • Deep static analysis – Detects bugs, CWE‑based and OWASP‑aligned security issues such as SQL injection, path traversal, input validation problems, hard‑coded secrets, and command injection.
  • Code smells & cognitive complexity – Flags maintainability issues and measures how difficult code is to understand.
  • Multi‑language support – Java, Python, JavaScript, TypeScript, Go, C#, Kotlin, PHP, Terraform, YAML, etc.
  • Seamless CI/CD integration – Native integrations with GitHub Actions, Azure Pipelines, Bitbucket Pipelines, GitLab CI, and build‑tool plugins (e.g., Gradle Sonar plugin).
  • Pull‑request and branch analysis – Inline analysis during PR reviews (not available on the free plan).

Quality Gates

A Quality Gate defines the rules code must satisfy before being merged. The default checks include:

  • No new critical or blocker issues.
  • Minimum code‑coverage threshold.
  • No new bugs or security vulnerabilities.
  • No new code duplications.

Custom Quality Gates are not supported on the free plan.

Dashboards & Notifications

  • Centralized issue tracking, historical trend charts, hotspot security review, and coverage progress.
  • Notifications via GitHub checks, GitLab merge requests, Slack, email, webhooks, and open APIs for custom extensions.

Installing and configuring the SonarQube plugin in IntelliJ IDEA

  1. Install the plugin

    • Open IntelliJ IDEA → File > Settings > Plugins.
    • Search for SonarQube and install it. Restart the IDE.
  2. Generate an authentication token

    • Go to the SonarCloud website → My Account > Security or directly visit .
    • Enter a token name and click Generate Token.
  3. Configure the plugin

    • Click the SonarQube plugin icon → gear icon.
    • Add your SonarQube Cloud server URL and paste the generated token.
  4. Add a connection

    • In the Connection section click + → enter a connection name → Next.
    • Paste the token (or create it from this window) → Next.
    • The IDE will verify the connection; a successful authentication message will appear.
  5. Run a scan

    • Right‑click the project → SonarQube → Analyze All Project Files.
    • Results appear inline; the plugin highlights issues and provides links to detailed reports.

Benefits of local scanning

  • Immediate feedback on security and quality issues.
  • Reduces the likelihood of pushing vulnerable code.
  • Saves time by fixing problems early in the development workflow.

Local scanning using Docker Compose with SonarQube image

If you prefer running SonarQube locally, Docker provides an easy setup that eliminates the need for complex installation.

Setting up SonarQube locally via Docker Compose

Create a docker-compose.yml file with the following content:

# The top-level "version" key is ignored by Docker Compose v2 and may be omitted.
version: "3.9"

services:
  sonarqube:
    # Single-node server with the embedded H2 database: fine for local scans,
    # not for a shared or production instance.
    image: sonarqube:latest
    ports:
      - "9000:9000"
    environment:
      # Skips the Elasticsearch bootstrap checks (e.g. vm.max_map_count) so the
      # container starts on a developer machine; only use this for local setups.
      SONAR_ES_BOOTSTRAP_CHECKS_DISABLE: "true"
    volumes:
      # Persist analysis data and installed plugins across container restarts.
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions

volumes:
  sonarqube_data:
  sonarqube_extensions:

Place the following gradle-local.properties file in the root of your project (add it to .gitignore):

# Make the scan wait for the Quality Gate result and fail the build if it is not green.
systemProp.sonar.qualitygate.wait=true
# Must match the project key of the project created on the SonarQube server.
sonar.projectKey=sonarqube_action

Run the stack:

docker compose up -d

The SonarQube UI will be available at . You can now point your local scans (via the IntelliJ plugin or SonarScanner) to this instance.
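To tie the steps above together, here is an added helper script (not part of the original article) that starts the Compose stack, waits until the local server reports UP on its system-status endpoint, and then runs the Gradle sonar task against it. It assumes Docker Compose v2, curl, a Gradle project with the Sonar plugin applied, the article's project-key and quality-gate settings already in your Gradle properties, and a user token from the local instance exported as SONAR_TOKEN.

```shell
#!/bin/sh
# Added helper script, not from the article: start the local SonarQube stack,
# wait for it to be ready, then scan the current Gradle project against it.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"   # assumed local instance

# Extract the "status" field from the JSON returned by /api/system/status,
# e.g. {"id":"...","version":"10.x","status":"UP"}, without requiring jq.
status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Poll until the server is UP; give up after $1 attempts (one every 5 s).
# STARTING (or an empty body while the port is not yet open) means "keep waiting".
wait_for_sonar() {
  attempts="${1:-60}"
  while [ "$attempts" -gt 0 ]; do
    body="$(curl -sf "$SONAR_URL/api/system/status" 2>/dev/null || true)"
    case "$(status_from_json "$body")" in
      UP)   return 0 ;;
      DOWN) echo "SonarQube reports DOWN, check 'docker compose logs sonarqube'" >&2; return 1 ;;
    esac
    attempts=$((attempts - 1))
    sleep 5
  done
  echo "Timed out waiting for $SONAR_URL" >&2
  return 1
}

main() {
  : "${SONAR_TOKEN:?export SONAR_TOKEN (My Account > Security on the local instance)}"
  docker compose up -d
  wait_for_sonar 60
  # Host URL and token are passed on the command line so they never end up in
  # the repository; projectKey and qualitygate.wait come from your Gradle properties.
  ./gradlew sonar \
    -Dsonar.host.url="$SONAR_URL" \
    -Dsonar.token="$SONAR_TOKEN"
}

# Only run the pipeline when explicitly requested, so the file can also be sourced.
if [ "${RUN_SONAR_LOCAL:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_SONAR_LOCAL=1 SONAR_TOKEN=<your token> sh sonar-local.sh` from the project root; with `sonar.qualitygate.wait=true` the Gradle task exits non-zero when the Quality Gate fails.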
