How long will it take to implement a code quality tool such as SonarQube for a medium to large project in a highly secure environment, including integration into CI/CD processes?
Not an easy answer, given the complexity of the CI/CD pipeline; the size of the code base and the number of projects to onboard are critical factors. My guess is no less than 8 weeks. Besides the technical complexity, there is a change management aspect to train and enable the dev teams to use the insights from the tool, adopt it, and obtain the expected results. This aspect could be tricky given it's the human factor of any tool implementation.
I threw the prompt to Gemini; it says 2-8 weeks, ChatGPT says 6-12 weeks.
I've been working with SDLC for 2+ decades; I'd say "It depends...!"
- What are you hoping to achieve?
If you are trying to get an understanding of a code base you've never seen before, you can set up all kinds of static code analysis tools in just a few hours that will help you get insights about code smells, cyclomatic complexity, code coverage etc. You'll get a report to look at.
If you are trying to take the code base of an old legacy system, swamped in technical debt, and forward it to a declarative Continuous Delivery pipeline with all the whistles-and-bells tools you can think of to help you build-quality-in, to a degree that allows you to deploy automatically into production - a one-piece-flow as if you were optimizing a factory floor at Toyota - it will take you years. So getting started is the most important step.
The problem usually is that when you start using these static analysis tools on an existing code base where they haven't been introduced from the start, you'll have so many findings to begin with that you can't possibly react to all of them at once, so you'll have to turn them on gradually.
You should see it as a lot of small steps in the right direction, eventually steering you towards your end goal.
The tools could be SonarQube or CodeScene, but there are also a host of specialized, language-specific Open Source tools. Each community often has their own preferred stack - look into what is the de facto standard for your stack. You can get a lot of help from both the community and AI prompts by starting with the obvious.
...or reach out to me, I'd be happy to elaborate.
For a medium-to-large project in a highly secure environment, it typically takes 6–10 weeks to fully implement SonarQube, including CI/CD integration, provided there are no significant delays in approvals or unforeseen issues.
I kind of agree with the others, especially with the 'it depends' response. It also depends on whether you want SonarQube as part of a quality gate in your pipeline and whether you want it to halt the flow or just give a warning and proceed, a decision you really should make up front.
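The two points the thread keeps returning to, turning rules on gradually against a legacy backlog and deciding up front whether the gate halts or only warns, can be combined in a small "ratchet" gate. The following is an added example, not code from the thread or from SonarQube; it reads a constructed, generic finding export (a list of severity-tagged records, not SonarQube's own report format) and fails only when enforced severities grow beyond the baseline recorded at onboarding.

```python
"""Ratchet-style quality gate for gradually onboarding a static analysis tool.

Constructed example: findings are plain dicts with a "severity" key, as a
generic scanner export might give. This is not SonarQube's API or report format.
"""
from collections import Counter

# Most severe first; enforcement is applied from the top down to a chosen level.
SEVERITY_ORDER = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")


def count_by_severity(findings):
    """Count findings per severity, ignoring records with an unknown level."""
    return Counter(f["severity"] for f in findings if f.get("severity") in SEVERITY_ORDER)


def evaluate_gate(findings, baseline, enforce_from="CRITICAL", mode="block"):
    """Decide the gate outcome for one pipeline run.

    baseline:     severity -> count recorded when the tool was first onboarded,
                  so the existing backlog does not fail every build.
    enforce_from: the least severe level that is enforced; everything more
                  severe is enforced too, lower levels are reported only.
    mode:         "block" fails the pipeline on a regression, "warn" reports it
                  and lets the flow proceed (the up-front decision above).
    Returns (status, regressions) with status in {"pass", "warn", "block"}.
    """
    current = count_by_severity(findings)
    enforced = SEVERITY_ORDER[: SEVERITY_ORDER.index(enforce_from) + 1]
    regressions = {s: current[s] - baseline.get(s, 0)
                   for s in enforced if current[s] > baseline.get(s, 0)}
    if not regressions:
        return "pass", regressions
    return ("block" if mode == "block" else "warn"), regressions


# Constructed sample export: a legacy code base with a large existing backlog
# plus one new BLOCKER and one new MAJOR finding introduced since onboarding.
SAMPLE_FINDINGS = (
    [{"rule": "constructed-rule-A", "severity": "BLOCKER"}]
    + [{"rule": "constructed-rule-B", "severity": "CRITICAL"}] * 3
    + [{"rule": "constructed-rule-C", "severity": "MAJOR"}] * 121
)
BASELINE = {"BLOCKER": 0, "CRITICAL": 3, "MAJOR": 120}

if __name__ == "__main__":
    for level in ("CRITICAL", "MAJOR"):
        for mode in ("block", "warn"):
            print(level, mode, evaluate_gate(SAMPLE_FINDINGS, BASELINE, level, mode))
```

Widening `enforce_from` one level at a time, and lowering the baseline as the backlog is paid down, is the gradual turn-on the answers describe.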