Introduce SonarQube

Create a new SonarQube project

In my case you would need to order this internally via devops self-service.

Create ADO pipeline to run SonarQube

SonarQube advices to run the prepare step before you build the application. In this case for a java application, this was not necessary, though for some .net application this might be mandatory.

      - job: SonarQubeAnalysis
        workspace:
          clean: resources
        displayName: "SonarQube Analysis"
        dependsOn: BuildTest
        steps:
          - task: DownloadPipelineArtifact@2
            displayName: 'Download Pipeline Artifact'
            inputs:
              artifact: artifactForSQ
              targetPath: '$(Pipeline.Workspace)/s'
          - task: SonarQubePrepare@5
            displayName: 'Prepare SonarQube'
            inputs:
              SonarQube: 'service-connection'
              scannerMode: 'CLI'
              configMode: 'manual'
              cliProjectKey: sonarQubeprojectkey
              extraProperties: |
                sonar.coverage.exclusions=**/test/**
                sonar.java.binaries=target/
                sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
                sonar.exclusions=src/main/resources/sql/**
          - task: SonarQubeAnalyze@5
            displayName: 'Analyze SonarQube'
          - task: SonarQubePublish@5
            displayName: 'Publish SonarQube'
            inputs:
              pollingTimeoutSec: '300'

Setup sonarQube to decorate PR with comments

Define the this pipeline as Build Validation step

After the first run (SonarQube needs to report back to ADO first) you should be able to set a Status Check on SonarQube quality gate: This will make sure that the PRs need to pass the qualitygate defined on sonarQube. You can also define this BuildValidation is optional.