SonarQube & Static Analysis Vocabulary
5 exercises — master the language of SonarQube and static code analysis: quality gates, issue types, severity levels, debt ratio, and remediation communication.
1 / 5
A developer pushes code and receives a CI notification: "Quality gate failed. New code coverage is 61%, below the required 80%. 3 new code smells, 1 new bug, 0 new vulnerabilities." What does each term mean, and what must the developer do before merging?
SonarQube classifies every finding into one of three issue types, and the quality gate is an automated policy that blocks delivery whenever one of its configured conditions is not met.
The three SonarQube issue types:
| Issue type | Quality dimension | Example |
|---|---|---|
| Bug | Reliability — code that will misbehave | Null pointer dereference, resource leak |
| Vulnerability | Security — code that can be exploited | SQL injection, hardcoded credential |
| Code smell | Maintainability — code that works but is hard to change | Overly complex function, duplicated code |
Quality gate — how it works:
A quality gate is a set of conditions configured by the team (e.g. "new coverage ≥ 80%, zero new bugs, zero new vulnerabilities"). If any condition is not met, the gate fails and the PR is blocked until resolved.
Responding to a quality gate failure:
① Check the SonarQube report — prioritise fixing bugs and vulnerabilities first (reliability and security)
② Write tests to reach the coverage threshold on new code
③ For code smells: either fix them or raise a technical debt item (some teams allow justified exceptions)
④ Re-push to trigger a new scan — the gate will pass when all conditions are met
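As an added illustration (not part of the exercise and not SonarQube's own code), here is a small Python model of how a gate with the conditions above is evaluated against the measures in the CI notification. The condition format, dimension names and function names are this example's own assumptions; a metric the scan did not report fails the gate rather than silently passing it.

```python
from dataclasses import dataclass

# Comparison operators a gate condition may use (example's own shorthand).
OPERATORS = {
    ">=": lambda actual, threshold: actual >= threshold,
    "<=": lambda actual, threshold: actual <= threshold,
    "==": lambda actual, threshold: actual == threshold,
}

@dataclass(frozen=True)
class Condition:
    metric: str      # e.g. "new_coverage", "new_bugs"
    operator: str    # a key of OPERATORS
    threshold: float
    dimension: str   # "security", "reliability", "coverage" or "maintainability"

# Remediation order from the exercise: vulnerabilities and bugs before the rest.
PRIORITY = {"security": 0, "reliability": 1, "coverage": 2, "maintainability": 3}

# Gate mirroring the exercise's conditions (constructed, not a real SonarQube export).
GATE = [
    Condition("new_coverage", ">=", 80.0, "coverage"),
    Condition("new_bugs", "==", 0, "reliability"),
    Condition("new_vulnerabilities", "==", 0, "security"),
]

def evaluate_gate(gate, measures):
    """Return (passed, failed_conditions), failures sorted by remediation priority.

    A metric missing from `measures` counts as a failure: an unmeasured
    condition must never let the gate pass.
    """
    failed = []
    for cond in gate:
        actual = measures.get(cond.metric)
        if actual is None or not OPERATORS[cond.operator](actual, cond.threshold):
            failed.append(cond)
    failed.sort(key=lambda c: PRIORITY[c.dimension])
    return (not failed, failed)

def describe_failure(cond, measures):
    """One human-readable line per failed condition, as a CI bot might post it."""
    actual = measures.get(cond.metric, "not measured")
    return f"{cond.metric}: {actual} (required {cond.operator} {cond.threshold:g})"

if __name__ == "__main__":
    # Measures taken from the CI notification in the exercise (constructed sample input).
    scan = {"new_coverage": 61.0, "new_bugs": 1, "new_vulnerabilities": 0, "new_code_smells": 3}
    passed, failed = evaluate_gate(GATE, scan)
    print("Quality gate", "passed" if passed else "failed")
    for cond in failed:
        print(" -", describe_failure(cond, scan))
```

Note that the three new code smells appear in the measures but not in the gate, so they do not block the merge here; the reliability failure is listed before the coverage failure, matching the fix order in step ①.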
Key vocabulary:
• Quality gate — an automated pass/fail policy that blocks merging when SonarQube thresholds are violated
• Quality gate failed — one or more conditions are not met; merge is blocked
• Bug — a reliability issue: code that will behave incorrectly at runtime
• Vulnerability — a security issue: code that could be exploited
• Code smell — a maintainability issue: code that works but makes future changes harder