Configure SonarAnalyzer.CSharp with .editorconfig, no need for SonarCloud or SonarQube
Our goal was to use SonarSource/SonarQube static code analysis with the most "minimal" install/configuration footprint.
We wanted the static code analysis to break/fail the build on the local developer machines as well as our CI/CD Azure DevOps environment if a rule was violated.
SonarSource products usually rely on an external service, SonarCloud or SonarQube, to determine which rules to apply on the local dev machine and to store the results. We wanted to eliminate these dependencies.
SonarSource also provides a Visual Studio extension called SonarLint to help check the static code analysis rules within the Visual Studio IDE without needing an external source for the rules.
The static code analysis rules SonarLint enforces are also defined in the SonarAnalyzer.CSharp NuGet package. This NuGet package is a set of Roslyn Code Analyzers.
In .NET Core, Roslyn Code Analyzers are triggered during a build if the NuGet package is referenced by the project. Also in .NET Core, these analyzers can be configured in .editorconfig instead of ruleset files.
Given all that, to get SonarQube static code analysis to execute on local machines and in Azure DevOps builds with the most minimal setup, just reference the SonarAnalyzer.CSharp NuGet package in each of your projects and add an .editorconfig file to the root of your project. You can configure rule severity in the .editorconfig file by adding lines like this:
dotnet_diagnostic.S1075.severity = error
Hope this helps,
Aaron
Thanks to this GitHub issue for getting me to the finish line with the .editorconfig file.
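A repository check for the setup described above, added here as an example and not part of the original post: it lists projects that lack a direct SonarAnalyzer.CSharp reference (those build without the rules running) and confirms the root .editorconfig sets at least one Sonar rule to error under a section header. The function names and the sample repository are constructed for illustration, and references supplied through shared MSBuild files are not detected.

```python
import re, tempfile
from pathlib import Path

PACKAGE = "SonarAnalyzer.CSharp"
PKG_RE = re.compile(r'<PackageReference\s+[^>]*Include\s*=\s*"%s"' % re.escape(PACKAGE), re.I)
RULE_RE = re.compile(r"^dotnet_diagnostic\.(S\d+)\.severity\s*=\s*(\w+)$", re.I)

def projects_missing_analyzer(root):
    """Project files (relative to root) with no direct PackageReference to the analyzer."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.csproj")
                  if not PKG_RE.search(p.read_text(encoding="utf-8")))

def sonar_severities(text):
    """Map Sonar rule id -> severity. EditorConfig only applies keys that sit under a
    [section], so an entry placed before the first section is reported as 'ignored'."""
    in_section, found = False, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = True
        elif (m := RULE_RE.match(line)):
            found[m.group(1).upper()] = m.group(2).lower() if in_section else "ignored"
    return found

def check_repo(root):
    """Return a list of problems; an empty list means no gap was found."""
    root = Path(root)
    problems = [f"{p}: no {PACKAGE} reference" for p in projects_missing_analyzer(root)]
    cfg = root / ".editorconfig"
    if not cfg.is_file():
        return problems + [".editorconfig: missing at repository root"]
    sev = sonar_severities(cfg.read_text(encoding="utf-8"))
    problems += [f"{rule}: set outside any [section]" for rule, s in sev.items() if s == "ignored"]
    if "error" not in sev.values():
        problems.append(".editorconfig: no Sonar rule has severity error")
    return problems

def build_sample_repo(tmp):
    """Constructed sample: App references the analyzer, Lib does not."""
    ref = f'<ItemGroup><PackageReference Include="{PACKAGE}" Version="*" /></ItemGroup>'
    for name, body in (("App", ref), ("Lib", "")):
        (Path(tmp) / name).mkdir()
        (Path(tmp) / name / f"{name}.csproj").write_text(
            f'<Project Sdk="Microsoft.NET.Sdk">{body}</Project>', encoding="utf-8")
    (Path(tmp) / ".editorconfig").write_text(
        "root = true\n\n[*.cs]\ndotnet_diagnostic.S1075.severity = error\n", encoding="utf-8")
    return Path(tmp)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(check_repo(build_sample_repo(d)))
```

Run as a pre-build step, a non-empty result from `check_repo` can fail the pipeline before a project slips through unanalyzed.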