PHPUnit Code Coverage and SonarQube

Sunday, February 23, 2020 • 3 minutes to read

SonarQube is a wonderful tool for static code analysis and code review. Of course, it is not an all in one tool which replaces all other tools used in code review toolchain. SonarQube has a whole section dedicated to code coverage, but it analyzes code coverage, not run any tests.

How to generate code coverage using PHPUnit & Xdebug?

For PHP applications, an industry-standard to run unit tests and generate code coverage reports is the PHPUnit suite. With a rather short configuration or almost nothing, you could run unit tests against your code. To generate code coverage, you would need an engine capable of doing it.

Here we would use yet another industry-standard solution. Xdebug is a debugger and profiler but also would provide code coverage for PHPUnit. It is an external module, and it is very likely that it is not distributed along with your PHP installation.

For Linux powered machines, you would need to install a proper package. For distributions based on Red Hat, the following command would be enough. Depending on available package manager use sudo dnf install php-pecl-xdebug or sudo yum install php-pecl-xdebug.

For Windows machines, you would need to download a package and save a DLL in some patch from where PHP would have access to. Additionally, you would need to add a line with a proper path to the php.ini file to load the module.


Now we are ready to run tests and generate code coverage for them. You could add a switch to the command line to generate coverage in text, HTML, or any other supported format. What we need we would cover in the next section.

How to make SonarQube PHP plugin to work with PHPUnit?

SonarQube requires two reports. Clover XML-format coverage report for code coverage analysis and JUnit XML-format tests log for tests’ execution analysis.

As mentioned in the previous section, we could use command switches to enable those reports. However, we should always consider keeping any such changes as much as possible user error-free. That is why we would add it phpunit.xml file. In case you already have a logging section extend it. Otherwise, a full section is needed.

    <log type="coverage-clover" target="coverage-report.xml"/>
    <log type="junit" target="tests-report.xml"/>

File names, which I use, are just an example. You could save it in a subfolder, or using other names. Remember to ignore them in your version control system configuration.

The last thing we need to do is to add references to those two files to SonarQube configuration for our project. We need following new entries in file. The coverage.reportPaths is responsible for code coverage, and tests.reportPaths for tests’ execution report.


As usual, SonarQube accepts multiple coverage files or tests’ execution logs separated using a comma.

Now we are ready to run PHPUnit to generate reports and SonarQube scanner to scan and analyze them. Everything to improve our code quality and security.

devopsdevelopmentcode reviewcode coveragephpunitsonarqubephpcontinuous integrationhow to
See Also
This site uses cookies to analyze traffic and for ads measurement purposes according to your browser settings. Access to those cookies is shared with Google to generate usage statistics and detect and address abuse. Learn more about how we use cookies.