# SonarQube & Snyk Integration Guide

## 🎯 What’s Been Added

The Airo super app now has integrated code quality and security scanning:

### SonarQube

- ✅ Code quality analysis
- ✅ Bug detection
- ✅ Code smell identification
- ✅ Technical debt tracking
- ✅ Coverage reporting
- ✅ Quality gate checks

### Snyk

- ✅ Dependency vulnerability scanning
- ✅ Security issue detection
- ✅ License compliance checking
- ✅ Automated fix suggestions
- ✅ Severity-based filtering
## 🚀 Quick Start

### 1. Create SonarCloud Account (5 minutes)

```bash
# Go to https://sonarcloud.io
# Sign up with GitHub
# Create organization
# Create project for 'airo' repository
# Generate token at https://sonarcloud.io/account/security
```

### 2. Create Snyk Account (5 minutes)

```bash
# Go to https://app.snyk.io
# Sign up with GitHub
# Add 'airo' repository
# Generate API token at https://app.snyk.io/account/api-token
```

### 3. Add GitHub Secrets (5 minutes)

```bash
# Go to https://github.com/DevelopersCoffee/airo/settings/secrets/actions
# Add SONAR_TOKEN
#   Name:  SONAR_TOKEN
#   Value: [token from SonarCloud]
# Add SNYK_TOKEN
#   Name:  SNYK_TOKEN
#   Value: [token from Snyk]
```

### 4. Test Integration (5 minutes)

```bash
# Push a commit to main
git push origin main
# Go to Actions tab
# Wait for CI workflow to complete
# Check SonarQube and Snyk results
```
## 📊 Viewing Results

### SonarQube Dashboard

URL: https://sonarcloud.io/projects

View:

- Code quality metrics
- Bug count and details
- Code smells
- Test coverage
- Technical debt
- Quality gate status

### Snyk Dashboard

URL: https://app.snyk.io/org/ucguy4u/

View:

- Vulnerability count
- Severity breakdown
- Dependency issues
- License compliance
- Remediation suggestions
## 🔧 Configuration Files

### sonar-project.properties

Located at the repository root. Configures:

- Project identification
- Source code location
- Dart/Flutter settings
- Exclusions
- Coverage paths

### .snyk

Located at the repository root. Configures:

- Severity threshold (high)
- Scan settings
- Exclusions
- License checking
## 📋 CI/CD Integration

### SonarQube Job

Runs on every push to main/develop:

- Checks out code with full history
- Sets up Flutter
- Gets dependencies
- Runs Flutter analyze
- Scans with SonarQube
- Checks quality gate

### Snyk Job

Runs on every push to main/develop:

- Checks out code
- Sets up Flutter
- Gets dependencies
- Scans with Snyk
- Reports vulnerabilities
- Uploads SARIF results
## 🎯 Workflow

```text
Developer Push
      ↓
GitHub Actions Triggered
      ↓
├─ SonarQube Analysis
│  ├─ Code quality check
│  ├─ Bug detection
│  └─ Quality gate
│
└─ Snyk Security Scan
   ├─ Dependency scan
   ├─ Vulnerability check
   └─ License compliance
      ↓
Results Available
      ↓
├─ SonarCloud Dashboard
└─ Snyk Dashboard
```
## 📈 Metrics Tracked

### SonarQube Metrics

| Metric | Description |
|---|---|
| Bugs | Code defects likely to cause incorrect behaviour at runtime |
| Code Smells | Maintainability issues that make code harder to change safely |
| Coverage | Percentage of code exercised by tests |
| Duplications | Duplicated code blocks |
| Technical Debt | Estimated effort to fix all open issues |
| Security Hotspots | Security-sensitive code that needs manual review |

### Snyk Metrics

| Metric | Description |
|---|---|
| Vulnerabilities | Known security issues in dependencies |
| Severity | Critical/High/Medium/Low |
| Dependencies | Total dependencies scanned |
| Outdated | Packages with a newer version available |
| Licenses | License compliance status |
## 🔐 Security Best Practices

### Code Quality

- Fix Bugs First
  - Address critical bugs
  - Then major bugs
  - Then minor bugs
- Reduce Code Smells
  - Improve readability
  - Reduce complexity
  - Remove duplication
- Increase Coverage
  - Target 80%+ coverage
  - Test critical paths
  - Add unit tests

### Security

- Fix Vulnerabilities
  - Critical: Immediately
  - High: Within 1 week
  - Medium: Within 2 weeks
  - Low: Within 1 month
- Update Dependencies
  - Regular updates
  - Monitor advisories
  - Use Snyk auto-fix
- License Compliance
  - Check licenses
  - Avoid incompatible licenses
  - Document exceptions
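To make the `.snyk` severity threshold and the remediation windows above concrete, here is an added triage script (not part of the Airo project or the Snyk tooling) that reads a `snyk test --json` report, decides whether the job should fail at the configured threshold, and assigns each finding a fix-by date from the SLA table. The report embedded below is constructed, and the assumed JSON shape (`vulnerabilities[].severity`, `isUpgradable`, `fixedIn`) is an assumption about the Snyk output, not taken from this guide.

```python
import json
from datetime import date, timedelta

# Severity order used by Snyk's --severity-threshold flag.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Remediation windows from this guide ("within 1 month" taken as 30 days).
SLA_DAYS = {"critical": 0, "high": 7, "medium": 14, "low": 30}

# Constructed sample in the assumed top-level shape of `snyk test --json`
# output; ids and package names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"ok": False, "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "severity": "critical", "packageName": "pkg_a",
     "version": "1.0.0", "isUpgradable": True, "fixedIn": ["1.0.1"]},
    {"id": "SNYK-EXAMPLE-2", "severity": "high", "packageName": "pkg_b",
     "version": "2.3.0", "isUpgradable": False, "fixedIn": []},
    {"id": "SNYK-EXAMPLE-3", "severity": "medium", "packageName": "pkg_c",
     "version": "0.9.0", "isUpgradable": True, "fixedIn": ["0.9.2"]},
    {"id": "SNYK-EXAMPLE-4", "severity": "low", "packageName": "pkg_d",
     "version": "4.1.0", "isUpgradable": True, "fixedIn": ["4.2.0"]},
]})

def parse_report(report_json):
    """Return findings with a recognised severity; tolerate an empty report."""
    vulns = json.loads(report_json).get("vulnerabilities", [])
    return [v for v in vulns if v.get("severity") in SEVERITY_RANK]

def blocking(vulns, threshold="high"):
    """Findings at or above the .snyk severity threshold; these fail the job."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in vulns if SEVERITY_RANK[v["severity"]] >= floor]

def remediation_plan(vulns, found_on):
    """Fix-by date per finding, plus whether Snyk's auto-fix (upgrade) applies."""
    plan = {}
    for v in sorted(vulns, key=lambda v: -SEVERITY_RANK[v["severity"]]):
        due = found_on + timedelta(days=SLA_DAYS[v["severity"]])
        plan[v["id"]] = {"severity": v["severity"], "due": due.isoformat(),
                         "auto_fix": bool(v.get("isUpgradable") and v.get("fixedIn"))}
    return plan

def gate(report_json, threshold="high", found_on=None):
    """CI decision: ok is False when any finding meets the threshold."""
    found = date.fromisoformat(found_on) if found_on else date.today()
    vulns = parse_report(report_json)
    block = blocking(vulns, threshold)
    return {"ok": not block, "blocking": [v["id"] for v in block],
            "plan": remediation_plan(vulns, found)}

if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_REPORT, found_on="2025-11-02"), indent=2))
```

Findings below the threshold still get a due date, so medium and low issues are tracked against their SLA even though they do not fail the build.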
## 🛠️ Troubleshooting

### SonarQube

Issue: “SONAR_TOKEN not found”

- Solution: Add the SONAR_TOKEN secret to GitHub

Issue: “Quality gate failed”

- Solution: Fix the reported issues in the SonarCloud dashboard

Issue: “No coverage data”

- Solution: Ensure tests run with the coverage flag

### Snyk

Issue: “SNYK_TOKEN not found”

- Solution: Add the SNYK_TOKEN secret to GitHub

Issue: “Vulnerabilities detected”

- Solution: Review in the Snyk dashboard and update dependencies

Issue: “License issues”

- Solution: Review licenses in the Snyk dashboard
## 📞 Support

### Documentation

- SonarCloud: https://docs.sonarcloud.io
- Snyk: https://docs.snyk.io

### Dashboards

- SonarCloud: https://sonarcloud.io/projects
- Snyk: https://app.snyk.io/org/ucguy4u/

### Help

- SonarCloud Community: https://community.sonarsource.com
- Snyk Support: https://support.snyk.io
## ✅ Verification Checklist

- SonarCloud account created
- Snyk account created
- SONAR_TOKEN secret added
- SNYK_TOKEN secret added
- First CI run completed
- SonarQube results visible
- Snyk results visible
- Quality gate passing
- Team notified

Status: ✅ Integration Complete

Date: November 2, 2025

Next Step: Add secrets and test