Integrate SonarQube to Android Studio Project
1️⃣ Go to SonarQube Dashboard
Example:
http://localhost:9000
Login with:
username: admin
password: admin
------------------------------------------------------------------------
2️⃣ Click Create Project
You’ll see multiple options.
Choose “Manually”.
You choose Manual because:
You want full control
You’ll connect it later via Gradle + CI/CD
Best for Android projects
--------------------------------------------------------------------------------
🔸 Fill Project Details
✅ Project Key → FinTrack
What it is
A unique ID for your project
Used internally by SonarQube
Used in Gradle command
Example: -Dsonar.projectKey=FinTrack
⚠️ Rules
Must be unique
No spaces
Cannot be changed easily later
📌 Think of it like applicationId in Android
✅ Display Name → FinTrack
What it is
Human-readable name
Shown in SonarQube UI
You can change this later safely.
🔐 PART 2: Generate Token (Very Important)
📌 What is a SonarQube Token?
A token is:
A secure authentication key
Replaces username + password
Used by:
Gradle
CI/CD pipelines
GitHub Actions
Jenkins
🔴 SonarQube does NOT allow password auth for scanners
-------------------------------------------------------------------------------------
🔜 Next Step (STEP 3)
👉 Configure SonarQube in Android (Gradle + Kotlin DSL)
I’ll show:
build.gradle.kts
Multi-module support
Compose + coverage
Quality Gate fail build
✅ What to do NOW (Step-by-step)
🔹 Click: Create a local project
This tells SonarQube:
“I will manually send analysis results using Gradle or CI.”
What happens AFTER clicking “Create a local project”
You will see another screen asking for:
1️⃣ Project details
Fill exactly like this:
Field → Value
Project key → FinTrack
Display name → FinTrack
📌 Why this matters
Project key is used by Gradle & CI
Must match exactly later (sonar.projectKey)
Then click Next
2️⃣ Choose “Use the global setting”
When asked about:
How do you want to configure analysis?
Select:
Use the global setting
📌 Why?
Android projects don’t need custom server-side config
Gradle will control everything
Click Create project
3️⃣ Generate Token (MOST IMPORTANT)
You’ll now see Generate a token screen.
Do this:
Field → Example
Token name → fintrack-local
Click Generate
⚠️ CRITICAL
Copy the token immediately
You will NOT see it again
--------------------------------------------------------------------
🔜 STEP 3: Connect Android (Gradle + Kotlin DSL)
We will:
- Add SonarQube plugin
- Configure build.gradle.kts
- Run first scan
- See issues in UI
Before we continue, tell me 👇
Answer one word:
Local → only run from Android Studio
CI → GitHub Actions / Jenkins from start
I’ll tailor the next step exactly to that choice.
Yes ✅ this setup is 100% correct 👍
You can safely proceed.
Let me quickly validate each field so you’re confident, and then tell you exactly what to do next.
✅ Field-by-field confirmation
🔹 Project display name → FinTrack
✔ Correct
This is just the UI name
You can rename it anytime later
No technical impact
🔹 Project key → FinTrack
✔ Correct and important
This is the unique identifier
You will use this in Gradle:
sonar.projectKey=FinTrack
Must stay consistent forever
📌 Tip: Using the same value as display name is totally fine.
----------------------------------------------------------------------------------------
🚀 STEP 3: Android SonarQube Integration (Correct Way)
You are using:
- Android
- Kotlin
- Jetpack Compose
- Gradle Kotlin DSL (.kts)
So follow this exactly.
1️⃣ Add SonarQube plugin (Root build.gradle.kts)
📁 Root-level build.gradle.kts (NOT app module)
plugins {
    id("org.sonarqube") version "5.0.0.4638"
}
If you already have a plugins block → just add this one line inside it
2️⃣ Configure SonarQube (Root build.gradle.kts)
Add below plugins:
sonar {
    properties {
        property("sonar.projectKey", "FinTrack")
        property("sonar.projectName", "FinTrack")
        property("sonar.host.url", "http://localhost:9000")
        // Read the token from a Gradle property (~/.gradle/gradle.properties, see step 3)
        // or, on CI, from the SONAR_TOKEN environment variable. System.getenv() alone
        // never sees gradle.properties, so the scan would run with an empty token.
        property(
            "sonar.token", // SonarQube 10+; on 9.9 and older use "sonar.login"
            providers.gradleProperty("SONAR_TOKEN")
                .orElse(providers.environmentVariable("SONAR_TOKEN"))
                .getOrElse("")
        )
        // Android specifics (paths are relative to each module)
        property("sonar.sources", "src/main/java,src/main/kotlin")
        property("sonar.tests", "src/test/java,src/androidTest/java")
        property("sonar.java.binaries", "build/intermediates/javac")
    }
}
⚠️ DO NOT hardcode token here
We’ll pass it securely.
3️⃣ Add token safely (BEST PRACTICE)
Option A (Recommended): gradle.properties
📁 ~/.gradle/gradle.properties (global)
SONAR_TOKEN=sqp_2a36a10d0038b3a4e3473e90df9a7512c6556b
✔ Safe
✔ Not committed
✔ Works with CI later
❌ Do NOT do this
property("sonar.login", "sqp_...")
(never commit tokens)
4️⃣ Run SonarQube analysis (First scan)
From project root:
./gradlew sonar
⏳ First scan takes time (downloads analyzer)
✅ What SUCCESS looks like
Terminal ends with:
ANALYSIS SUCCESSFUL
Then:
Open SonarQube UI
Go to FinTrack
You’ll see:
Bugs
Vulnerabilities
Code Smells
Quality Gate status
🎉 Your Android app is now analyzed!
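Putting the remaining promised pieces together (token never in the script, build failing on a red Quality Gate, multi-module skip), as an added example that is not from the original post. It assumes Gradle 7.4+, SonarQube 10+ (for sonar.token) and the plugin version above; SONAR_HOST_URL and the ":benchmark" module are hypothetical names.

```kotlin
// Root build.gradle.kts
plugins {
    id("org.sonarqube") version "5.0.0.4638"
}

// Resolve the token lazily; it is never written into the script.
//   1. Gradle property   -> ~/.gradle/gradle.properties or -PSONAR_TOKEN=...
//   2. Environment var   -> SONAR_TOKEN, which CI runners export from their secret store
val sonarToken: Provider<String> = providers.gradleProperty("SONAR_TOKEN")
    .orElse(providers.environmentVariable("SONAR_TOKEN"))

sonar {
    properties {
        property("sonar.projectKey", "FinTrack")
        property("sonar.projectName", "FinTrack")
        // Hypothetical SONAR_HOST_URL property lets CI point at a server other than localhost
        property("sonar.host.url",
            providers.gradleProperty("SONAR_HOST_URL").getOrElse("http://localhost:9000"))
        property("sonar.token", sonarToken.getOrElse(""))
        // Wait for the server to compute the Quality Gate and fail the build when it is red.
        // Without this, "ANALYSIS SUCCESSFUL" is printed even if the gate fails.
        property("sonar.qualitygate.wait", "true")
        property("sonar.qualitygate.timeout", "300") // seconds
    }
}

// Fail before anything is sent to the server if no token was supplied, so a
// misconfigured CI job stops with a clear message rather than an authentication error.
tasks.named("sonar") {
    doFirst {
        check(sonarToken.isPresent) {
            "SONAR_TOKEN is not set: add it to ~/.gradle/gradle.properties or export it in CI"
        }
    }
}

// Multi-module: all modules report under the FinTrack key. Modules with no production
// code (hypothetical ":benchmark") are skipped so they do not skew the metrics.
subprojects {
    if (name == "benchmark") {
        configure<org.sonarqube.gradle.SonarExtension> {
            isSkipProject = true
        }
    }
}
```

Run it the same way (./gradlew sonar); on CI set SONAR_TOKEN from the pipeline's secret store so the value never appears in the repository.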