GitLab CI template for SonarQube
This project implements a generic GitLab CI template for running SonarQube analysis.
SonarQube is a Code Quality and Security tool that helps you analyse your source code and detect quality issues or security vulnerabilities as early as possible.
In order to include this template in your project, add the following to your

```yaml
include:
  - project: 'to-be-continuous/sonar'
    ref: '2.0.1'
    file: '/templates/gitlab-ci-sonar.yml'
```
SonarQube analysis job
This job performs a SonarQube analysis of your code.
It is bound to the test stage, and uses the following variables:
| Name | Description | Default value |
| ---- | ----------- | ------------- |
| | The Docker image used to run sonar-scanner | |
| | SonarQube server url | none (disabled) |
| SONAR_AUTH_TOKEN | SonarQube authentication token (depends on your authentication method) | none |
| | SonarQube login (depends on your authentication method) | none |
| | SonarQube password (depends on your authentication method) | none |
| | SonarQube analysis arguments | |
| SONAR_GITLAB_TOKEN | GitLab access token with | |
| SONAR_GITLAB_ARGS | Extra arguments to use with Sonar GitLab plugin | |
| | When set to | |
Automatic Branch Analysis & Pull Request Analysis
These are great SonarQube features, but they assume one of the following conditions:
- you are using a Developer Edition version,
- or you are using Community Edition with an opensource plugin emulating those features, such as sonarqube-community-branch-plugin.
If you're not in one of those cases, you should disable this feature by setting
If you leave the feature enabled and SONAR_AUTH_TOKEN is provided, the template will try to autodetect (using GitLab APIs) an open merge request matching the current branch:
- If one is found, a SonarQube Pull Request Analysis will be made.
- Otherwise, a simple Branch Analysis is performed on the current branch.
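The autodetection just described, as an added Python sketch that is not the template's own code (the template itself does this in shell inside the CI job). The function names and the sample merge request list are this example's own assumptions; the GitLab endpoint, the PRIVATE-TOKEN header and the sonar.pullrequest.* / sonar.branch.name scanner properties are the standard ones.

```python
"""Pick Pull Request Analysis or Branch Analysis from GitLab merge request data."""
import json
import urllib.parse
import urllib.request


def fetch_open_merge_requests(api_url, project_id, branch, token):
    """Query GET /projects/:id/merge_requests for open MRs from `branch`.

    The token travels in the PRIVATE-TOKEN header, never in the URL, so it
    does not end up in job logs or proxy access logs.
    """
    query = urllib.parse.urlencode({"state": "opened", "source_branch": branch})
    project = urllib.parse.quote(str(project_id), safe="")
    url = f"{api_url}/projects/{project}/merge_requests?{query}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_open_merge_request(branch, merge_requests):
    """Return the first open MR whose source branch is `branch`, else None.

    Filtering again client-side protects against a server that ignores the
    query parameters and returns every MR of the project.
    """
    for mr in merge_requests:
        if mr.get("state") == "opened" and mr.get("source_branch") == branch:
            return mr
    return None


def sonar_analysis_args(branch, merge_request):
    """Build the sonar-scanner -D arguments for the detected analysis mode."""
    if merge_request is None:
        # No open MR for this branch: plain Branch Analysis.
        return [f"-Dsonar.branch.name={branch}"]
    # Open MR found: Pull Request Analysis, so SonarQube reports on the diff
    # against the target branch and the Sonar GitLab plugin can comment on it.
    return [
        f"-Dsonar.pullrequest.key={merge_request['iid']}",
        f"-Dsonar.pullrequest.branch={merge_request['source_branch']}",
        f"-Dsonar.pullrequest.base={merge_request['target_branch']}",
    ]


# Constructed sample of an API response (no real project behind it).
SAMPLE_MERGE_REQUESTS = [
    {"iid": 42, "state": "opened", "source_branch": "feature/login", "target_branch": "main"},
    {"iid": 7, "state": "merged", "source_branch": "feature/old", "target_branch": "main"},
]

if __name__ == "__main__":
    for branch in ("feature/login", "feature/old"):
        mr = select_open_merge_request(branch, SAMPLE_MERGE_REQUESTS)
        print(branch, "->", " ".join(sonar_analysis_args(branch, mr)))
```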
About Sonar GitLab plugin
The Sonar GitLab plugin uses the GitLab APIs to inline comments into your commits directly in GitLab for each new anomaly.
As explained above, this template automatically enables the Sonar GitLab plugin if SONAR_GITLAB_TOKEN is set.
It will then simply append SONAR_GITLAB_ARGS (overridable) to the SonarQube analysis arguments.
Comments added to GitLab will appear as owned by the user associated with the GitLab access token.
How should I configure other SonarQube arguments?
This template is currently tested and validated on a GitLab Community Edition instance, version 13.12.11.