What is SonarQube, and what does it analyse? [Basic]
Answer
SonarQube is a static analysis and code quality platform. It analyzes code for bugs, vulnerabilities, security hotspots, code smells, duplication, coverage data, and maintainability/security ratings across many languages.
Technical explanation
SonarQube does not normally run the application; it analyzes source code and imports external reports such as coverage from test tools.
It supports quality gates so teams can enforce standards before merge or release.
It is often used as a developer feedback system, not just a security scanner, because it also tracks maintainability and technical debt.
Hands-on example
Configure sonar-project.properties with sonar.projectKey, sonar.sources, sonar.tests, and the coverage report paths. Run sonar-scanner in CI, publish the analysis to SonarQube, and block the merge if the quality gate fails on new-code bugs, vulnerabilities, coverage, or duplication.
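The CI step described above, as an added example that is not from the page or from SonarSource: a POSIX shell script that writes the sonar-project.properties file, checks that the keys the pipeline depends on are present, and runs sonar-scanner with sonar.qualitygate.wait=true so the scanner itself exits non-zero (and the CI job fails) when the quality gate is not OK. The project key "demo-service", the src/, tests/ and reports/ paths, and the SONAR_HOST_URL and SONAR_TOKEN variable names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the page): write sonar-project.properties and run
# sonar-scanner in CI so the job fails when the quality gate is not OK.
# Assumptions (hypothetical): project key "demo-service", sources under src/,
# tests under tests/, coverage reports under reports/. SONAR_HOST_URL and
# SONAR_TOKEN are expected to be provided as CI secrets.
set -eu

# Write the scanner configuration and print the path that was written.
write_sonar_properties() {
  out="${1:-sonar-project.properties}"
  cat > "$out" <<'EOF'
sonar.projectKey=demo-service
sonar.projectName=Demo Service
sonar.sources=src
sonar.tests=tests
sonar.exclusions=**/node_modules/**,**/dist/**
# Coverage is imported from the test tools' reports; SonarQube does not run the tests
sonar.python.coverage.reportPaths=reports/coverage.xml
sonar.javascript.lcov.reportPaths=reports/lcov.info
# Wait for the server to compute the quality gate and exit non-zero if it fails
sonar.qualitygate.wait=true
sonar.qualitygate.timeout=300
EOF
  printf '%s\n' "$out"
}

# Return 0 when every key the pipeline relies on is present in the file,
# otherwise print the missing key on stderr and return 1.
check_required_keys() {
  file="$1"
  for key in sonar.projectKey sonar.sources sonar.tests sonar.qualitygate.wait; do
    if ! grep -q "^${key}=" "$file"; then
      echo "missing ${key} in ${file}" >&2
      return 1
    fi
  done
  return 0
}

# Run the scan. Because sonar.qualitygate.wait=true is set, the scanner exits
# non-zero on a failed gate, so this function's exit status is what blocks
# the merge in CI.
run_sonar_scan() {
  : "${SONAR_HOST_URL:?set SONAR_HOST_URL in CI}"
  : "${SONAR_TOKEN:?set SONAR_TOKEN in CI}"
  props=$(write_sonar_properties)
  check_required_keys "$props"
  # Older SonarQube servers take -Dsonar.login instead of -Dsonar.token
  sonar-scanner \
    -Dproject.settings="$props" \
    -Dsonar.host.url="$SONAR_HOST_URL" \
    -Dsonar.token="$SONAR_TOKEN"
}

# Only start a real scan when invoked as: sh sonar-gate.sh scan
if [ "${1:-}" = "scan" ]; then
  run_sonar_scan
fi
```

In a pipeline, run this script as the step that follows the test job (so the coverage reports already exist) and let the job's non-zero exit status be the merge blocker; the quality gate conditions themselves (new-code bugs, vulnerabilities, coverage, duplication) are defined on the SonarQube server, not in this file.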