The tool our company had, however, was poorly supported with an unclear process for adoption and usage. The UI was hard to navigate and it didn’t support all of the languages that we used – as a result, almost no one used it and the people who did<\/em> struggle to work with it got little value from it.<\/p>\n The worst thing you can do in governance<\/a> is say you’ll enforce something (especially bad if this is an enforcement promised to an\u00a0external <\/em>authority, like an auditor) and then implement that decision with an onerous tool that everyone hates that doesn’t solve the real issue – and then, for funsies, support that tool poorly and don’t really explain how to use<\/em> it in day to day processes.<\/p>\n Note: We got zero dollars or…anything, actually, for this post. We just saw how much the nerds we love, loved SonarQube – and some of the reasons why were interesting from a culture nerd perspective. If the SonarQube people wanted<\/em> to give us some money for this post, we’d probably be just fine with that. We also accept swag as payment!<\/span><\/p>\n The best parts of SonarQube, from a developer’s perspective:<\/p>\n It’s clear to users that value is delivered quickly and clearly.<\/p>\n It also has a nifty dashboard for each artifact scanned that tells people bugs, vulnerabilities, code smells (hey, you coded this silly, please fix?), and unit testing coverage. It makes a\u00a0game\u00a0<\/em>out of code quality – it makes it\u00a0an interesting, measurable\u00a0challenge<\/strong>.<\/p>\n Gamification helps to clarify purpose.<\/p><\/blockquote>\n Gamification reinforces the actions that move a person or team toward fulfilling their purpose.<\/p>\n Translation: gamification helps teams focus on what their purpose is<\/em>, and it also shows with clear feedback and metrics (scores!) if they’re successful<\/em> at fulfilling that purpose or not.\u00a0 In that way, gamification helps to\u00a0clarify<\/strong>\u00a0purpose – it helps teams focus on what their purpose is<\/em>, and it shows with clear metrics (scores!) if they’re successful at fulfilling that purpose or not.\u00a0Gamification gives people clear\u00a0goals to attain, and\u00a0fast feedback on if they’re attaining them. <\/strong><\/p>\n In order for this to be successful, leadership has to make it clear that people shouldn’t be afraid<\/em> of missing those goals, of “losing” the game – but if they do that, people will try to hit those goals because…it’s\u00a0fun<\/em>. People will also try to hit the goals because they love what they do, and because hitting those goals, the\u00a0game<\/em> of it,\u00a0confirms that their actions fulfill their purpose – they know that\u00a0they’re doing something important<\/strong>.<\/p>\n There’s a whole world of tools out there that enterprises can purchase and use, and it requires a combination of\u00a0good tool<\/em> and also\u00a0good implementation<\/em> for them to be successful. Most of the time, the implementation is more important than the tool, but sometimes tools are\u00a0exceptionally bad\u00a0<\/em>(and no implementation can save them) or\u00a0exceptionally good\u00a0<\/em>(and the implementation is easy). SonarQube falls into that last category, and it was a blast to watch people get excited about a process that they previously hated.<\/p>\n","protected":false},"excerpt":{"rendered":" We’ve seen a lot of tool transitions across a large enterprise, and one of the coolest examples was changing the opinion of the company we worked for regarding source code analysis. We had a tool that was under-licensed, slow, ineffective, and largely ignored. At best, it was\u00a0a check box labeled “we’re definitely secure, you guys!” … <\/p>\nBad Tools, Bad Process, Bad Governance<\/h2>\n
Why SonarQube<\/h2>\n
\n
![\"\"](\"https:\/\/soul-repairs.com\/blog\/wp-content\/uploads\/2019\/01\/clean-code-300x194.png\")
<\/a>The Game of it All<\/h3>\n
Thanks SonarQube!<\/h2>\n