SonarQube GitLab CI
Here are examples of how to include SonarQube analysis in your GitLab CI pipeline.
You can find more detailed information and examples in the SonarQube documentation: https://docs.sonarsource.com/sonarqube-server/latest
After you have created a project in SonarQube, the next step is setting up the analysis method. From the front page of your project, you can choose either GitLab CI or another CI; the basic process is the same. Generate a new token and save it for future use. Prefer a project analysis token scoped to this one project over a user token: the CI job only needs permission to submit analyses, and a leaked project token cannot be used for anything else.
Define GitLab variables
Open the project in GitLab and go to Settings -> CI/CD -> Variables.
Add the following variables:
- SONAR_TOKEN
  - Value: the token you generated in the SonarQube project.
  - Check the "Mask variable" checkbox so the token is redacted from job logs.
  - Do not check "Protect variable" if you run the analysis in merge request pipelines: protected variables are only exposed to pipelines on protected branches and tags, so the merge request job would run without a token.
- SONAR_HOST_URL
  - Value: the base URL of your SonarQube server (for example https://sonarqube.example.com), without a trailing path.
Generic .gitlab-ci.yml settings
- If you don't want a failed SonarQube Quality Gate to fail your CI pipeline, set allow_failure: true on the analysis job. Note that the scanner only exits non-zero on a failed gate when sonar.qualitygate.wait=true is set; without it the job succeeds whatever the gate result.
- The Community edition of SonarQube does not support branch analysis: every analysis, whichever branch or merge request it came from, is stored as the project's single main branch and overwrites the previous result. You may wish to restrict the branches that run the analysis with the only setting (or with rules, which GitLab recommends over only/except in current versions).
JavaScript
1. Create a sonar-project.properties file in the project root (this exact name, without a leading dot, is what the scanner reads by default), containing the following lines:
sonar.projectKey=project_key you got when creating a project
sonar.qualitygate.wait=true
Check other possible parameters at: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
2. Add the job to .gitlab-ci.yml (the scanner reads SONAR_HOST_URL and SONAR_TOKEN from the CI variables defined above)
sonarqube-check:
  stage: test
  image:
    name: sonarsource/sonar-scanner-cli:latest   # consider pinning a version tag instead of latest so the scanner does not change under you
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"                               # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  allow_failure: false
  only:
    - merge_requests
    - master
    - main
    - develop
Java
1. Add the following settings to pom.xml
<properties>
  <sonar.projectKey>project_key you got when creating a project</sonar.projectKey>
  <sonar.projectName>Project name</sonar.projectName>
  <sonar.qualitygate.wait>true</sonar.qualitygate.wait>
</properties>
2. Add the job to .gitlab-ci.yml. The job uses a custom stage name, so that stage must also be listed under stages: (the default stages are only build, test and deploy); the Maven scanner reads SONAR_HOST_URL and SONAR_TOKEN from the CI variables defined above.
sonarqube-check:
  stage: sonarqube-check   # must appear in the top-level stages: list
  image: maven:3-eclipse-temurin-17
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"                               # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - mvn verify sonar:sonar
  allow_failure: false
  only:
    - merge_requests
    - master
    - main
    - develop
Python
1. Create a sonar-project.properties file in the project root (this exact name, without a leading dot, is what the scanner reads by default), containing the following lines:
sonar.projectKey=project_key you got when creating a project
sonar.qualitygate.wait=true
sonar.python.version=3.12   # or whichever version you are using
Check other possible parameters at: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
2. Add the job to .gitlab-ci.yml. This example passes the server URL and token as -D flags; the scanner also reads SONAR_HOST_URL and SONAR_TOKEN from the environment, so a bare sonar-scanner call works as well and keeps the token off the command line.
sonarqube-check:
  stage: test
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"                               # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - >
      sonar-scanner
      -Dsonar.host.url=${SONAR_HOST_URL}
      -Dsonar.token=${SONAR_TOKEN}
  allow_failure: false
Coverage with Python
If you wish to include coverage in your Sonar reports, create the coverage report before running sonarqube-check.
1. Add the coverage report path to sonar-project.properties
sonar.python.coverage.reportPaths=coverage.xml
2. Run the tests under coverage in a job that runs before sonarqube-check in .gitlab-ci.yml. The example is for Django's tests; install the project requirements (including coverage) first. The sonarqube-check job must run in a later stage than this test job, or declare needs: ["test"], so that the coverage.xml artifact has been produced and downloaded when the scanner runs; two jobs in the same stage run in parallel and the report would not exist yet.
test:
  script:
    - coverage run ./manage.py test
    - coverage combine   # only needed when coverage writes parallel data files (e.g. parallel test runs); otherwise it can be dropped
    - coverage xml       # writes coverage.xml, the file named in sonar.python.coverage.reportPaths
  artifacts:
    expire_in: 1 day
    paths:
      - coverage.xml
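The following is an added example, not part of the original page or of SonarSource's own samples: a complete .gitlab-ci.yml that ties the Python coverage procedure above to the generic settings section (stage ordering, allow_failure, rules instead of only, token handling). It assumes the job names test and sonarqube-check, a requirements.txt in the project root, that SONAR_TOKEN (masked) and SONAR_HOST_URL are defined as CI/CD variables, and that sonarsource/sonar-scanner-cli:11 is a currently published major-version tag (check Docker Hub and pin whatever version you actually test against).

```yaml
# Added example (not from the original page). Assumptions: job names test and
# sonarqube-check, requirements.txt at the project root, CI/CD variables
# SONAR_TOKEN (masked) and SONAR_HOST_URL, and that the image tag 11 exists.

# Avoid duplicate pipelines: run a merge request pipeline when an MR is open,
# a branch pipeline otherwise.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH

# Two stages so the scanner always runs after the coverage report exists.
stages:
  - test
  - analysis

test:
  stage: test
  image: python:3.12
  script:
    - pip install -r requirements.txt coverage
    - coverage run ./manage.py test
    # add "coverage combine" here only if coverage is configured for parallel data files
    - coverage xml          # produces coverage.xml, matched by sonar.python.coverage.reportPaths
  artifacts:
    expire_in: 1 day
    paths:
      - coverage.xml

sonarqube-check:
  stage: analysis
  needs: ["test"]           # waits for test and downloads its coverage.xml artifact
  image:
    name: sonarsource/sonar-scanner-cli:11   # pinned major version rather than :latest (assumed tag)
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # analysis task cache location
    GIT_DEPTH: "0"                                # full history, required by the analysis
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # SONAR_HOST_URL and SONAR_TOKEN are read from the environment, so the
    # token never appears on the command line.
    - sonar-scanner
  # With sonar.qualitygate.wait=true in sonar-project.properties a failed
  # Quality Gate fails this job and therefore the pipeline. Set
  # allow_failure: true instead if the gate should only be advisory.
  allow_failure: false
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

On SonarQube Community edition, where merge request analyses overwrite the project's single main branch result, drop the merge_request_event rule on sonarqube-check and keep only the default-branch rule; the test job still runs for merge requests so coverage and tests are checked there.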