What metrics does SonarQube track (coverage, duplication, code smells, bugs, vulnerabilities)? [Basic]
Answer
SonarQube tracks metrics such as coverage, duplicated lines, bugs, vulnerabilities, security hotspots, code smells, maintainability rating, reliability rating, security rating, complexity, and technical debt. These metrics drive dashboards and quality gates.
Technical explanation
Coverage is imported from test coverage tools; SonarQube analyzes and displays it but does not usually execute tests itself.
Bugs and vulnerabilities represent higher-confidence correctness or security issues, while code smells represent maintainability risks.
Duplication and complexity help identify areas that are harder to maintain and test.
Hands-on example
Example gate: new coverage >= 80 percent, duplicated lines on new code < 3 percent, zero new blocker bugs, zero new vulnerabilities, and all new security hotspots reviewed. A PR failing any condition must be fixed or explicitly reviewed before merge.
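As an added example (not code from the original page or from SonarSource), here is a small Python script that expresses the gate above with SonarQube's metric keys for new-code conditions, evaluates it against constructed pull-request measures, and also extracts failed conditions from a payload shaped like the `api/qualitygates/project_status` response. The measures, the `gate_status`/`evaluate` helpers and the sample payload are assumptions built for illustration, not real scanner output.

```python
"""Evaluate a SonarQube-style quality gate against new-code measures.

Added example: the gate mirrors the hands-on gate in the text using real
SonarQube metric keys; all measures and payloads are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One quality gate condition: it fails when `value <op> error` holds."""
    metric: str
    op: str      # "LT" (fail when below threshold) or "GT" (fail when above)
    error: float


# The example gate from the text, on new code only. SonarQube's built-in
# bug metric (new_bugs) counts bugs of every severity, so this condition is
# stricter than "zero new blocker bugs".
EXAMPLE_GATE = (
    Condition("new_coverage", "LT", 80.0),                 # fails below 80 %
    Condition("new_duplicated_lines_density", "GT", 3.0),  # fails above 3 %
    Condition("new_bugs", "GT", 0),                        # any new bug fails
    Condition("new_vulnerabilities", "GT", 0),             # any new vuln fails
    Condition("new_security_hotspots_reviewed", "LT", 100.0),  # all reviewed
)


def evaluate(gate, measures):
    """Return a list of (metric, reason) for every condition that fails.

    A missing measure is treated as a failure (fail closed), so a PR whose
    coverage report never reached the scanner cannot pass by accident.
    """
    failures = []
    for cond in gate:
        if cond.metric not in measures:
            failures.append((cond.metric, "no measure available"))
            continue
        value = float(measures[cond.metric])
        breached = (cond.op == "LT" and value < cond.error) or \
                   (cond.op == "GT" and value > cond.error)
        if breached:
            failures.append((cond.metric, f"{value:g} {cond.op} {cond.error:g}"))
    return failures


def gate_status(gate, measures):
    """SonarQube-style overall status: "OK" when nothing fails, else "ERROR"."""
    return "ERROR" if evaluate(gate, measures) else "OK"


# Constructed sample measures for three pull requests (not real scanner output).
FAILING_PR = {
    "new_coverage": "72.5",
    "new_duplicated_lines_density": "1.2",
    "new_bugs": "0",
    "new_vulnerabilities": "1",
    "new_security_hotspots_reviewed": "100.0",
}
PASSING_PR = {
    "new_coverage": "91.0",
    "new_duplicated_lines_density": "0.0",
    "new_bugs": "0",
    "new_vulnerabilities": "0",
    "new_security_hotspots_reviewed": "100.0",
}
# Same as the passing PR but the coverage report was never imported.
NO_COVERAGE_PR = {k: v for k, v in PASSING_PR.items() if k != "new_coverage"}


def failed_conditions_from_api(payload):
    """Extract failed conditions from a project_status-shaped response.

    `payload` is assumed to follow the shape of GET api/qualitygates/project_status
    (projectStatus.conditions[], each with status/metricKey/actualValue).
    """
    conditions = payload.get("projectStatus", {}).get("conditions", [])
    return [(c["metricKey"], c["actualValue"])
            for c in conditions if c.get("status") == "ERROR"]


# Constructed payload in the shape of the API response (not real output).
SAMPLE_PROJECT_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "72.5"},
            {"status": "OK", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
        ],
    }
}

if __name__ == "__main__":
    for name, pr in (("failing", FAILING_PR), ("passing", PASSING_PR),
                     ("no-coverage", NO_COVERAGE_PR)):
        print(name, gate_status(EXAMPLE_GATE, pr), evaluate(EXAMPLE_GATE, pr))
    print("api:", failed_conditions_from_api(SAMPLE_PROJECT_STATUS))
```

The fail-closed handling of a missing measure is the design choice worth noticing: a gate that silently skips conditions whose measure is absent will let a PR through when the coverage report was never generated, which is the most common way an 80 percent coverage rule quietly stops applying. In a real pipeline the scanner can be told to wait for the server-side gate result and fail the build on `ERROR` (the `sonar.qualitygate.wait=true` scanner property), so the local evaluation here is a model of that check rather than a replacement for it.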