Qodana is a code quality monitoring tool that identifies and suggests fixes for bugs, security vulnerabilities, duplications, and imperfections.
Table of Contents
- Qodana Scan
Qodana Scan is an Azure Pipelines task packaged inside the Qodana Azure Pipelines extension that scans your code with Qodana.
After you've installed the Qodana Azure Pipelines extension in your organization, configure the Qodana Scan task by editing your `azure-pipelines.yml` file:
```yaml
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: Cache@2 # Not required, but Qodana will open projects with cache faster.
  inputs:
    key: '"$(Build.Repository.Name)" | "$(Build.SourceBranchName)" | "$(Build.SourceVersion)"'
    path: '$(Agent.TempDirectory)/qodana/cache'
    restoreKeys: |
      "$(Build.Repository.Name)" | "$(Build.SourceBranchName)"
      "$(Build.Repository.Name)"
- task: QodanaScan@2024
```
How this job is triggered depends on the type of repository you are using in Azure Pipelines.
The task can run on any OS and on x86_64/arm64 CPUs, but it requires Docker to be installed on the agent. Since most Qodana Docker images are Linux-based, the Docker daemon must be able to run Linux containers.
To make Qodana automatically fix found issues and push the changes to your repository, you need to:

- Choose what kind of fixes to apply:
  - Specify `fixesStrategy` in the `qodana.yaml` file in your repository root, or
  - set the task `args` property with the quick-fix strategy to use: `--apply-fixes` or `--cleanup`
- Set the `pushFixes` property to:
  - `pull-request`: create a new branch with fixes and create a pull request to the original branch, or
  - `branch`: push fixes to the original branch
- Set the correct permissions for the job. Go to Repositories → Manage repositories → Security. Choose the `Qodana for Azure Pipelines Build Service` user. Allow:
  - `Contribute`
  - `Bypass policies when pushing`. Without this, the analysis will be performed twice
  - `Create branch`, if you use the `pull-request` value
- Also, set the `persistCredentials` property to `true`. This is needed for pushing changes to the repository.
Example configuration:

```yaml
steps:
- checkout: self
  fetchDepth: 0
  persistCredentials: true
- task: QodanaScan@2024
  env:
    QODANA_TOKEN: $(QODANA_TOKEN)
  inputs:
    pushFixes: "branch"
    args: "--apply-fixes"
```
Note: Qodana could automatically modify not only the code but also the configuration in `.idea`. If you do not wish to push these changes, add `.idea` to your `.gitignore` file.
To send the results to Qodana Cloud, all you need to do is specify the `QODANA_TOKEN` environment variable in the build configuration.

- In the Azure Pipelines UI, create the `QODANA_TOKEN` secret variable and save the project token as its value.
- In the Azure pipeline file, add the `QODANA_TOKEN` variable to the `env` section of the `QodanaScan` task:

```yaml
- task: QodanaScan@2024
  env:
    QODANA_TOKEN: $(QODANA_TOKEN)
```
After the token is set for analysis, all Qodana Scan job results will be uploaded to your Qodana Cloud project.
To display the Qodana report summary in the 'Scans' tab of the Azure DevOps UI, install Microsoft DevLabs' SARIF SAST Scans Tab extension.
You probably won't need options other than `args`; the other options are helpful if you are configuring multiple Qodana Scan jobs in one workflow.
| Name | Description | Default Value |
|---|---|---|
| `args` | Additional Qodana CLI scan command arguments, split the arguments with commas (`,`), for example `-i,frontend`. Optional. | |
| `resultsDir` | Directory to store the analysis results. Optional. | `$(Agent.TempDirectory)/qodana/results` |
| `uploadResult` | Upload Qodana results as an artifact to the job. Optional. | `false` |
| `uploadSarif` | For the SARIF SAST Scans Tab extension. Upload `qodana.sarif.json` as a `qodana.sarif` artifact to the job. Optional. | `true` |
| `artifactName` | Specify the Qodana results artifact name, used for results uploading. Optional. | `qodana-report` |
| `cacheDir` | Directory to store Qodana caches. Optional. | `$(Agent.TempDirectory)/qodana/cache` |
| `prMode` | Analyze ONLY changed files in a pull request. Optional. | `true` |
| `postPrComment` | Post a comment with the Qodana results summary to the pull request. Needs the Contribute to pull requests permission and `SYSTEM_ACCESSTOKEN` or `persistCredentials` set to `true` during the checkout step. Optional. | `false` |
| `pushFixes` | Push Qodana fixes to the repository, can be `none`, `branch` to the current branch, or `pull-request`. Optional. | `none` |
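The `pull-request` fix flow assembled from the options above, as an added example (not configuration from the extension's own documentation): the `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` mapping is the standard Azure Pipelines way to expose the job's access token that `postPrComment` needs, and it is assumed here that the fixes should go through a reviewable pull request rather than straight to the original branch.

```yaml
# Added example: Qodana in PR mode, fixes pushed as a pull request, summary
# posted as a PR comment and shown in the SARIF SAST Scans tab.
steps:
- checkout: self
  fetchDepth: 0            # full history, so the fixes branch can be created
  persistCredentials: true # keeps the job's Git credential for the push

- task: QodanaScan@2024
  env:
    QODANA_TOKEN: $(QODANA_TOKEN)             # secret variable; results go to Qodana Cloud
    SYSTEM_ACCESSTOKEN: $(System.AccessToken) # job token required by postPrComment
  inputs:
    args: "--apply-fixes"        # quick-fix strategy passed to the Qodana CLI
    prMode: true                 # analyze only the files changed in the pull request
    pushFixes: "pull-request"    # needs Contribute, Bypass policies when pushing, Create branch
    postPrComment: true          # needs the Contribute to pull requests permission
    uploadSarif: true            # feeds the SARIF SAST Scans Tab extension
```

Grant the `Qodana for Azure Pipelines Build Service` user only the three repository permissions listed above; the job token carries whatever else that identity is allowed to do.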
All the issues, feature requests, and support related to the Qodana Azure Pipelines extension are handled on YouTrack.
If you'd like to file a new issue, please use the link YouTrack | New Issue.