Deploy SonarQube Community Edition on Ubuntu to scan code for bugs, vulnerabilities, and technical debt across 30+ languages with CI/CD integration.
The vm.max_map_count kernel parameter must be set to 262144; the install script configures this automatically.

Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/dev/sonarqube/sonarqube-ubuntu.sh
chmod +x sonarqube-ubuntu.sh
sudo bash sonarqube-ubuntu.sh
```
The script installs Docker if needed, then sets up the service automatically.
Open your browser and navigate to `http://<your-server-ip>:9000`.
Log in with the default credentials, change your password, generate a project token, then run sonar-scanner against your codebase.
```bash
# Default credentials: admin / admin
# Change immediately after first login
# Generate a project token at: My Account → Security → Generate Token
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://<your-server-ip>:9000 \
  -Dsonar.token=YOUR_TOKEN
```
| Port | Purpose |
|---|---|
| 9000 | SonarQube Web UI & API |
| 5432 | PostgreSQL (internal) |
SonarQube is the leading open-source platform for continuous code quality and security inspection. It statically analyses your source code to detect bugs before they reach production, highlight code smells that slow your team down, and surface security vulnerabilities (OWASP Top 10, CWE) before they become incidents. The Community Edition supports 30+ programming languages and integrates natively with CI/CD pipelines via Jenkins, GitHub Actions, GitLab CI, and Woodpecker. Teams that adopt SonarQube early reduce post-release defect rates by shifting quality left — catching issues in the development loop, not in QA.
SonarQube gives you a permanent, searchable record of your codebase's health across every commit. Unlike a linter that shows per-file warnings, SonarQube trends quality over time, sets quality gates (pass/fail criteria), and blocks broken code from being merged. For security-conscious teams, its SAST engine detects injection flaws, broken authentication, and sensitive data exposure patterns across all supported languages — without running the code.
SonarQube uses port 9000 for its web interface and API. This port should never be exposed directly to the internet — proxy it through Nginx Proxy Manager with a valid TLS certificate. The embedded Elasticsearch engine requires the kernel parameter vm.max_map_count=262144 — the install script sets this automatically via /etc/sysctl.conf. PostgreSQL runs on the default port 5432 internally and should only be accessible within the Docker network.
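Two post-install checks for the points above (the vm.max_map_count requirement and the rule that 9000 and 5432 must not listen on every interface). This is an added example, not part of the page's install script; the `ss -Hltn` sample is constructed, and `audit_host` is a hypothetical driver that runs the same checks against the live host.

```shell
# Elasticsearch needs vm.max_map_count >= 262144. Pass the value from:
#   sysctl -n vm.max_map_count
check_max_map_count() {
  [ "${1:-0}" -ge 262144 ]
}

# Given the output of `ss -Hltn` and a port number, print every local address
# that listens on that port on all interfaces (0.0.0.0, [::] or *).
# Empty output means the port is only reachable locally / inside Docker.
exposed_listeners() {
  printf '%s\n' "$1" | awk -v port="$2" '
    {
      addr = $4                         # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != port) next        # last ":"-separated field is the port
      if (index(addr, "0.0.0.0:") == 1 || index(addr, "[::]:") == 1 || index(addr, "*:") == 1)
        print addr
    }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# SonarQube bound to loopback (good), PostgreSQL published on all interfaces (bad).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Hypothetical driver: run both checks against the live host, exit 1 on any finding.
audit_host() {
  rc=0
  check_max_map_count "$(sysctl -n vm.max_map_count)" \
    || { echo "vm.max_map_count below 262144: Elasticsearch will not start" >&2; rc=1; }
  for port in 9000 5432; do
    ex=$(exposed_listeners "$(ss -Hltn)" "$port")
    [ -z "$ex" ] || { echo "port $port is bound to all interfaces: $ex" >&2; rc=1; }
  done
  return $rc
}

# Only touch the live host when explicitly asked, so the functions can be sourced.
[ "${1:-}" = "--audit" ] && audit_host
```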
Semgrep (free, faster, no server needed — excellent for SAST in CI without a dashboard), CodeClimate (cloud SaaS, simpler setup), Snyk (security-focused, integrates with GitHub), Checkmarx (enterprise SAST). SonarQube is the best self-hosted option when you need persistent trend data, quality gates, and multi-language support in one dashboard.
Skip SonarQube if your server has less than 2 GB RAM — it will crash and frustrate your team. Also avoid it for tiny single-developer projects where a linter (ESLint, Pylint, Rubocop) is sufficient. If you only need dependency vulnerability scanning (not code quality), Trivy or Snyk are lighter alternatives that need no server.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Yes. SonarQube Community Edition is completely free and open-source under the LGPL licence. The Developer, Enterprise, and Data Center editions add branch analysis, pull request decoration, and scaling features for larger teams, but Community Edition covers all core quality and security scanning for most use cases.
A code smell is a maintainability issue — code that works today but is confusing, overly complex, or fragile. Examples include functions with too many parameters, deeply nested conditions, duplicated code blocks, and unused variables. SonarQube estimates the time (in minutes) required to fix each code smell, letting you track and pay down technical debt systematically.
Community Edition supports Java, JavaScript, TypeScript, Python, PHP, C#, C/C++, Go, Ruby, Kotlin, Scala, Swift, HTML, CSS, XML, and more — over 30 languages in total. Branch analysis (scanning feature branches separately) requires the paid Developer Edition.
Generate a project token in SonarQube, add it as a CI secret, then add a step that runs sonar-scanner with -Dsonar.host.url and -Dsonar.token parameters. For GitHub Actions, use the official SonarSource/sonarqube-scan-action. For Woodpecker CI, add a sonar-scanner step in your .woodpecker.yml pipeline definition.
SonarLint is a free IDE plugin (VS Code, IntelliJ, Eclipse) that shows SonarQube findings in real time as you type — before you even commit. It can connect to your SonarQube server (Connected Mode) to apply the same rules your team uses. It dramatically reduces the number of issues that reach CI by catching them at the keyboard.
In the SonarQube UI, open the issue, click 'Won't Fix' or 'False Positive', and add a justification comment. This persists across future scans so the issue is not re-reported. For code-level suppression, use the @SuppressWarnings annotation in Java or a // NOSONAR comment in any language — but use these sparingly to avoid hiding real issues.
A Quality Gate is a set of pass/fail conditions applied to each analysis — for example 'no new critical issues', 'new code coverage ≥ 80%', or 'new duplications < 3%'. Create one at Administration → Quality Gates, set your conditions, then assign it to your project. Failed Quality Gates can block CI pipelines from proceeding, enforcing team standards automatically.
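A CI wrapper that ties the two answers above together (the sonar-scanner step with a token stored as a CI secret, and a failed Quality Gate breaking the pipeline). This is an added example and not the page's or SonarSource's code; it assumes the CI job exposes the secret as the SONAR_TOKEN environment variable and the server address as SONAR_HOST_URL, and relies on the scanner's sonar.qualitygate.wait parameter to make the scanner exit non-zero when the gate fails.

```shell
# Build the sonar-scanner argument list, one argument per line.
# Returns 1 if a required input is missing and 2 if the token would be sent
# over plain http to a remote host (see the reverse-proxy note above).
build_scan_args() {
  project_key="${1:-}"; host_url="${2:-}"; token="${3:-}"
  [ -n "$project_key" ] && [ -n "$host_url" ] && [ -n "$token" ] || return 1
  case "$host_url" in
    https://*|http://localhost*|http://127.0.0.1*) ;;
    *) return 2 ;;
  esac
  printf '%s\n' \
    "-Dsonar.projectKey=$project_key" \
    "-Dsonar.sources=." \
    "-Dsonar.host.url=$host_url" \
    "-Dsonar.token=$token" \
    "-Dsonar.qualitygate.wait=true" \
    "-Dsonar.qualitygate.timeout=300"
}

# Run the scan; a failed Quality Gate makes sonar-scanner (and so this step) exit non-zero.
run_scan() {
  args=$(build_scan_args "$1" "${SONAR_HOST_URL:-}" "${SONAR_TOKEN:-}") || {
    echo "refusing to scan: missing input or insecure server URL (rc=$?)" >&2
    return 1
  }
  # shellcheck disable=SC2086  # intentional word splitting, values contain no spaces
  sonar-scanner $args
}

# Entry point for the CI step, e.g.:  sh sonar-ci.sh --scan my-project
[ "${1:-}" = "--scan" ] && run_scan "${2:-}"
```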
SonarQube Community Edition does not natively scan Dockerfiles or Terraform/Ansible files for infrastructure security — use Trivy (containers) or Checkov (IaC) for those. However, SonarQube will scan the application code inside your repo, including any embedded shell scripts. The Developer Edition adds CloudFormation and Kubernetes manifest scanning.