How does SonarQube measure code coverage, and does it run your tests? [Basic]
Answer
SonarQube measures code coverage by importing coverage reports generated by test tools. It does not normally run the tests itself; the CI pipeline runs tests and passes reports such as JaCoCo, LCOV, coverage.py, or Cobertura into SonarQube.
Technical explanation
Coverage reflects which lines or branches were exercised by tests, depending on the language and report format.
A missing or misconfigured report can show zero coverage even if tests ran successfully.
Coverage should be used with judgment because high coverage does not prove strong assertions or complete security testing.
Hands-on example
Java example: run mvn test jacoco:report, then run sonar-scanner or mvn sonar:sonar with sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml. The pull request quality gate evaluates new-code coverage from that imported report, so the report has to exist before the scan step runs.
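A pre-flight check for the pipeline step above, added here as an example and not code from this page or from SonarSource. It assumes the Maven paths and property name already quoted in the answer; the JaCoCo report it writes is a constructed sample in the shape JaCoCo emits, and the check exists to catch the "tests ran but SonarQube shows 0%" case before the scan imports an empty report.

```bash
#!/usr/bin/env bash
# Pre-flight check before the SonarQube scan: fail the CI job when the JaCoCo
# report is missing or empty instead of silently importing 0% coverage.
set -eu

# Print the report-level LINE coverage as an integer percent.
# JaCoCo writes one <counter type="LINE" missed=".." covered=".."/> per method,
# class and package; the last one in the file is the whole-report total.
jacoco_line_coverage() {
  local report="$1" counters
  [ -s "$report" ] || { echo "coverage report missing or empty: $report" >&2; return 1; }
  counters=$(grep -o '<counter type="LINE" missed="[0-9]*" covered="[0-9]*"/>' "$report" || true)
  [ -n "$counters" ] || { echo "no LINE counter found in $report" >&2; return 1; }
  printf '%s\n' "$counters" | tail -n 1 \
    | sed -E 's/.*missed="([0-9]+)" covered="([0-9]+)".*/\1 \2/' \
    | awk '{ total = $1 + $2; printf "%d\n", (total == 0) ? 0 : ($2 * 100) / total }'
}

# Fail when the report is absent or shows no covered lines: the exact
# "tests passed but SonarQube reports 0%" misconfiguration described above.
check_coverage_report() {
  local report="$1" pct
  pct=$(jacoco_line_coverage "$report") || return 1
  if [ "$pct" -eq 0 ]; then
    echo "$report shows no covered lines; verify jacoco:report ran before the scan" >&2
    return 1
  fi
  echo "$pct"
}

# Constructed sample in the shape JaCoCo emits (not a real project's report).
write_sample_report() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?><report name="demo"><package name="demo"><class name="demo/App" sourcefilename="App.java"><method name="run" desc="()V" line="3"><counter type="LINE" missed="1" covered="4"/></method><counter type="LINE" missed="1" covered="4"/></class><counter type="LINE" missed="5" covered="10"/></package><counter type="LINE" missed="5" covered="10"/></report>
EOF
}

# Self-check on the constructed sample when run directly (prints 66).
tmp=$(mktemp -d); write_sample_report "$tmp/jacoco.xml"
check_coverage_report "$tmp/jacoco.xml"; rm -rf "$tmp"

# Pipeline usage (paths and property name as in the answer above):
#   mvn test jacoco:report
#   check_coverage_report target/site/jacoco/jacoco.xml
#   mvn sonar:sonar -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
```

Run the check between the test step and the scan step so the job fails on a missing report rather than passing with a misleading 0% in the dashboard.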