SONARQUBE TOOL INTEGRATION WITH THE GITLAB CI/CD PIPELINE

Sarvjeet Jain
5 min read · Mar 10, 2022

WELCOME

Security is always excessive until it’s not enough.

If you are looking for how to integrate the SonarQube security tool with your GitLab CI/CD pipeline, then yes, you are in the right place.

Before diving into the practical part, let’s first understand what SonarQube actually is.

SONARQUBE:

SonarQube is a code quality assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time. Everything from minor styling choices to design errors is inspected and evaluated by SonarQube. This gives users a rich, searchable history of the code, showing where the code is going wrong and whether the cause is styling issues, code defects, code duplication, lack of test coverage, or excessively complex code. The software analyzes source code from different aspects and drills down layer by layer, from the module level down to the class level, with each level producing metric values and statistics that reveal problematic areas in the source code that need improvement.

SonarQube also ensures code reliability and application security, and reduces technical debt by keeping your code base clean and maintainable. SonarQube provides support for 27 different languages, including C, C++, Java, JavaScript, PHP, Go, Python, and many more. SonarQube also provides CI/CD integration and gives feedback during code review with branch analysis and pull request decoration.

WHY SONARQUBE?:

So why not just take existing, proven tools and configure them in the CI server ourselves? Well, SonarQube offers a lot of benefits over that approach:

  • CI tools do not have a plugin that makes all of these tools work together easily,
  • CI tools do not have plugins that provide the drill-down features SonarQube has,
  • CI plugins do not report an overall compliance value,
  • CI plugins do not provide a managerial perspective,
  • There is no CI plugin for design or architectural issues,
  • CI plugins do not provide a dashboard for overall project quality.

These are the benefits that SonarQube provides us.

FEATURES OF SONARQUBE:-

  • It doesn’t just show you what’s wrong, but also offers quality and management tools that actively help you correct issues,
  • It focuses on more than just bugs and complexity and offers more features to help programmers write code, such as coding rules, test coverage, duplication detection, API documentation, and code complexity, all within a dashboard,
  • It gives a moment-in-time snapshot of your code quality today, as well as trends of past and potentially future quality indicators. It also provides metrics to help you make the right decisions.

Now it’s time to move to the practical part.

INTEGRATION WITH THE CI/CD GITLAB PIPELINE:-

As we know, GitLab pipelines work in stages made up of jobs, so we have to add one more stage to our “.gitlab-ci.yml” file. Add the job below to your pipeline to integrate SonarQube.

Add it after the Deploy stage

# The "sonarqube" stage must also be listed under the top-level stages: key, after deploy
sonarqube:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    # Defines the location of the analysis task cache
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    # Tells git to fetch all the branches of the project, required by the analysis task
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # Each -D option needs a space before it and none after it. Prefer keeping the
    # token in a masked CI/CD variable instead of pasting it into this file.
    - sonar-scanner -Dsonar.projectKey=XXXXXXXXXXXXXX -Dsonar.sources=. -Dsonar.host.url=http://XX.XX.XX.XX:PORT -Dsonar.login=e2XXXX8361fXXXXf37326XXXX32998b1bbad
  allow_failure: true
  only:
    - dev # or the name of your main branch

Here we are using the image “sonarsource/sonar-scanner-cli:latest”, which gives us the sonar-scanner.

The variables CI_PROJECT_DIR and CI_JOB_NAME are predefined variables that GitLab sets automatically.

Here you just need to change the script command. You have to fill in the values of the fields Dsonar.projectKey, Dsonar.host.url, and Dsonar.login as per your project details. Now the question is: where do we find these values?

Don’t panic, buddy, here is the answer:-

Follow these steps:-

1- Dsonar.host.url:- Add the URL where your SonarQube is running, including the port number.

2- When you log in to your SonarQube as the admin user, generate a token for your project. When you generate it, you will get all of these details, including the full command above to run in the script for the integration.

3- If you have already added another project to SonarQube before, simply add the new project and get its details.

4- Dsonar.projectKey:- It’s just the name of your project as you added it in SonarQube.

5- Dsonar.login:- It is generated by SonarQube when you generate the token for your project.

Finally, the setup is done. You just need to run your pipeline now, and if there are no other issues, you can see your project details in the SonarQube dashboard after the job succeeds.
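As an added example that is not from the article, here is a POSIX sh pre-flight helper for the job above: it builds the scanner arguments from the values the steps describe, rejects a malformed host URL (such as the port fused onto the next -D option), and flags a token pasted directly into .gitlab-ci.yml. The names SONAR_HOST_URL, SONAR_PROJECT_KEY, SONAR_TOKEN, run_scan and the -Dsonar.qualitygate.wait flag are my additions; sonar-scanner reads the token from the SONAR_TOKEN environment variable, so it never has to appear on the command line.

```shell
#!/bin/sh
# Added pre-flight helper for the SonarQube GitLab job (not part of the article).
# Intended to run inside the sonarsource/sonar-scanner-cli image before sonar-scanner.

# Build the sonar-scanner -D arguments from CI/CD variables instead of pasting
# values into .gitlab-ci.yml. Prints nothing and returns 1 when a value is
# missing or the host URL is not http(s)://host[:port], so a pasted typo such as
# "host:PORT-Dsonar.login=..." fails the job early instead of producing a
# confusing scanner error.
sonar_scanner_args() {
  host="$1" key="$2" token="$3"
  [ -n "$host" ] && [ -n "$key" ] && [ -n "$token" ] || return 1
  case "$host" in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  # The token is deliberately absent from the output: export SONAR_TOKEN (a
  # masked, protected GitLab CI/CD variable) and the scanner picks it up without
  # it ever appearing in the job log. qualitygate.wait fails the job on a red gate.
  printf '%s\n' "-Dsonar.projectKey=$key -Dsonar.sources=. -Dsonar.host.url=$host -Dsonar.qualitygate.wait=true"
}

# Detect a literal token in pipeline YAML read from stdin: "sonar.login=" or
# "sonar.token=" followed by a value rather than a $VARIABLE reference.
# Returns 0 (found) so callers can fail the pipeline or open a finding.
hardcoded_sonar_token() {
  grep -Eq 'sonar\.(login|token)=[^$" ]'
}

# Example wiring for the job's script: section (SONAR_* are assumed CI/CD variables).
run_scan() {
  if hardcoded_sonar_token < .gitlab-ci.yml; then
    echo "refusing to scan: token hardcoded in .gitlab-ci.yml" >&2
    return 1
  fi
  args=$(sonar_scanner_args "$SONAR_HOST_URL" "$SONAR_PROJECT_KEY" "$SONAR_TOKEN") || return 1
  # shellcheck disable=SC2086  # word splitting of $args is intended
  sonar-scanner $args
}
```

In a pipeline, replace the article's script line with `- sh preflight.sh && run_scan`-style wiring, or simply call `hardcoded_sonar_token < .gitlab-ci.yml` in a lint job to catch a committed token before it reaches the job log.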

THANK YOU SO MUCH FOR READING THIS ARTICLE. FOR MORE ARTICLES LIKE THIS, STAY CONNECTED :):):)
