Dynamics Community Forum Thread Details

Integrate sonarQube within dynamics 365 OnPremise

Hello everyone,

I am working on integrating SonarQube with our Dynamics 365 Customer Engagement (on-premise) development pipeline. The goal is to automatically enforce critical best practices for our customizations, specifically targeting:

Plugin best practices (e.g., avoiding infinite loops, using ITracingService correctly, implementing efficient data retrieval with ColumnSet).
Custom API and Custom Workflow Activity development patterns.
General .NET code quality that interacts with the Dataverse SDK.

While I have the basic SonarQube analysis working for C#, the out-of-the-box rules do not cover these platform-specific, mission-critical patterns.

Has anyone successfully implemented custom SonarQube rules specifically for Dynamics 365 CE development? I am seeking guidance on:

Targeted Rules: What were the most valuable D365-specific rules you created? (e.g., detecting plugins that don't retrieve the Target entity image, or that perform synchronous web service calls).
Technical Approach: Did you use the SonarQube Custom Rules Tutorial for .NET (using the Roslyn-based SDK) to write these checks? How complex was the process of analyzing the SDK-specific code (like IPluginExecutionContext)?
Plugin Registration: Beyond code analysis, did you find a way to integrate checks for plugin registration best practices (e.g., required images, run-in-user-context) into your CI/CD pipeline, or did you focus solely on the code itself?
Sharing Solutions: Is there a community project or repository where such custom rules are being shared? If not, would there be interest in starting one?

I believe this would be incredibly valuable for the entire D365 development community to improve the stability and performance of our customizations.

Any insights, code snippets, or experiences you can share would be greatly appreciated.

Thank you for your time and expertise.

Categories:

Microsoft Dynamics CRM

Technical Approach (SonarQube Custom Rules)

Yes, the path is via Roslyn analyzers → plug them into SonarQube.
You create a .NET Analyzer Project (VS template).
Use SyntaxWalker / SemanticModel to look for patterns in code.
Example: scanning for new ColumnSet(true) is straightforward because it’s just object creation with a bool literal.
More complex rules (like “plugin without checking context.Depth”) need semantic analysis of classes implementing IPlugin.
The complexity depends:
Simple rules (bad ColumnSet, missing try/catch, no tracing) → easy, hours of work.
Complex rules (ensuring correct PreImage usage, validating async vs sync calls) → harder, need deeper AST analysis.
Once packaged, you drop the analyzer into SonarQube as a custom plugin

Sugessted:

Start with 1–2 simple Roslyn analyzers (ColumnSet(true), context.Depth).
Wrap them into a NuGet package → integrate into your SonarQube instance.
For registration checks, write a PowerShell script to analyze exported solution/registration and fail the pipeline if rules are broken.
Consider publishing your analyzer project to GitHub and inviting contributions (I’d be happy to point you to Roslyn sample repos

Quick Links