How to Integrate Sonarqube Quality Gate with Gitlab CI/CD

Based on the feedback from development teams, we would like to integrate sonarqube and gitlab to present quality gate results of sonar analysis at gitlab pipeline to avoid missing any failed quality gates. At current integration scenario with sonarqube, our pipeline just publishes/previewes the source code and then designer needs to jump to sonarqube gui to see the results. Since this additional steps generally missed and as we observed several failed quality gate that no action taken to recover, this requirement raised.

Per initial investigation, I have figured out several options for this goal like implementing groovy scripts at gradle.properties, integrating third party open source plugins are some of these options…

Sonarqube offers many api options to cover many kind of request types. If you would like to take a look in details, here is the official api list : https://docs.sonarqube.org/display/SONARQUBE43/Web+Service+API

To get the quality gate results of sonar analysis we use quality gate api of the sonarqube. Basically your sonar host url plus sonar project token should be enough to get the status of the gate results.

When you try to reach above url from a browser, sonarqube will list all details including project quality gate like I highlighted above. The most important thing here is that you have api access authorization or not. In case if there is any entitlement service which being used for sonarqube access authorization, you have to contact with your administration team and request api call privileges for your account .

You can directly use this option for your pipeline as well and parse the results of the output of api call and then break your pipeline accordingly, this is an option for sure. Here is the sample powershell script to parse the results and move forward with pipeline accordingly.

$uri2 = "https://sonarqube.net/ApiByPass/api/qualitygates/project_status?projectKey=c21075d2-a2ae-49c7-91f8-c05bcd1f6f69"
$response2 = Invoke-RestMethod -Method Get -UseDefaultCredentials -ContentType application/json -Uri $uri2 -UserAgent "ExampleScript/1.0.0.0"
Write-Debug $response2
if($response2.projectStatus){
$projectStatus = $response2.projectStatus
Write-Host "Great, your status is $($projectStatus.status)"
}
else{
Write-Host "Unfortionaly, quality gate failed"
}

Even though above option is doable as well, to integrate quality gate with pipeline I have decided to use open source sonarqube plugin.This plugin have all required functionalities related with sonar api calls, also it has been used allready for our regular sonarqube analysis operation at our pipeline.

In our projects , we have been using gradle as a build tool that’s why to integrate this open source plugin with your pipeline, you have to add below plugin block to your gradle.properties file. As gradle will pull all plugin during build process, you should give the name of the plugin how you store it at artifactory. Since the name is org.sonarqube at our local jfrog artifactory,I have configured my gradle.properties like below. Please note that I do not go through end to end gradle set up since assuming your project is already ready to build via gradle.

plugins {
      id 'org.sonarqube' version '2.6.2'
}

Once the above gradle action completed, we can jump to gitlab-ci.yml file to configure sonarqube job.

https://docs.sonarqube.org/latest/instance-administration/security/
The most important thing here is authorization of your sonar user and you need to ensure that your user has BROWSE and EXECUTE privileges. Please take a look at details at below link.

As a next step, we need to define gitlab environment variables , here is the list of variables and details I have used.

Final sonarqube publish job code block from gitlab-ci.yml.

publish-sonar:
  stage: sonar
  only:
    - dev
  script:
    - sh gradlew sonarqube  
-Dsonar.host.url=$SONAR_HOST 
-Dsonar.login=$SONAR_TOKEN 
-Dsonar.projectName=${SONAR_AWS_PROJECT_NAME} 
-Dsonar.projectKey=${SONAR_AWS_PROJECT_KEY} 
-Dsonar.gitlab.user_token="$GITLAB_ACCESS_TOKEN" 
-Dsonar.gitlab.project_id=$CI_PROJECT_PATH 
-Dsonar.gitlab.commit_sha=$CI_COMMIT_SHA 
-Dsonar.gitlab.ref_name=$CI_COMMIT_REF_NAME 
-Dsonar.analysis.mode=publish
  cache:
    key: "${CI_PROJECT_NAME}_with_sonar"
    paths:
      - ${GRADLE_USER_HOME}
      - ${SONAR_USER_HOME}
  <<: *common_runner

We have completed all required steps to get quality gate. When we have run above job, after sonar publish operation completed, this job will trigger sonarqube and it will create and external Gitlab job that present the quality gate results and based on the results it will update the pipeline status as failed/success.

Please see the below screen shots to see the results of pipelines

In addition , you will see the all sonar analysis details when you create a merge request from your branch as seen below.

To wrap up, we have integrated sonar gitlab plugin with gitlab ci/cd and from now on the sonarquality gate results will automatically presented to developer to take action accordingly prior merging their codes to main branches.