10.0 | DevOps platform integration | GitLab integration

GitLab integration

SonarQube's integration with GitLab self-managed and GitLab.com allows you to maintain code quality and security in your GitLab projects.

With this integration, you'll be able to:

  • Authenticate with GitLab: Sign in to SonarQube with your GitLab credentials.
  • Import your GitLab projects: Import your GitLab Projects into SonarQube to easily set up SonarQube projects.
  • Analyze projects with GitLab CI/CD: Integrate analysis into your build pipeline. Starting in Developer Edition, SonarScanners running in GitLab CI/CD jobs can automatically detect branches or merge requests being built so you don't need to specifically pass them as parameters to the scanner.
  • Report your quality gate status to your merge requests: (starting in Developer Edition) See your quality gate and code metric results right in GitLab so you know if it's safe to merge your changes.

Prerequisites

To integrate SonarQube with GitLab self-managed subscriptions, we recommend using GitLab version 15.6+.

Branch analysis

Community Edition doesn't support the analysis of multiple branches, so you can only analyze your main branch. Starting in Developer Edition, you can analyze multiple branches and merge requests.

Authenticating with GitLab

See Authenticating with GitLab for more details on your authentication settings in GitLab. 

Importing your GitLab projects into SonarQube

Setting up the import of GitLab projects into SonarQube allows you to easily create SonarQube projects from your GitLab projects. If you're using Developer Edition or above, this is also the first step in adding merge request decoration.

To set up the import of GitLab projects:

  1. Set your global settings
  2. Add a personal access token for importing repositories

Setting your global settings

To import your GitLab projects into SonarQube, you need to first set your global SonarQube settings. Navigate to Administration > Configuration > General Settings > DevOps Platform Integrations, select the GitLab tab, and specify the following settings:

  • Configuration Name (Enterprise and Data Center Edition only): The name used to identify your GitLab configuration at the project level. Use something succinct and easily recognizable.
  • GitLab URL: The GitLab API URL.
  • Personal Access Token: A GitLab user account is used to decorate Merge Requests. We recommend using a dedicated GitLab account with at least Reporter permissions (the account needs permission to leave comments). Use a personal access token from this account with the api scope authorized for the repositories you're analyzing. Administrators can encrypt this token at Administration > Configuration > Encryption. See the Settings Encryption section of the Security page for more information. This personal access token is used to report your quality gate status to your pull requests. You'll be asked for another personal access token for importing projects in the following section.

Adding a personal access token for importing projects

After setting these global settings, you can add a project from GitLab by clicking the Add project button in the upper-right corner of the Projects homepage and selecting GitLab.

Then, you'll be asked to provide a personal access token with read_api scope so SonarQube can access and list your GitLab projects. This token will be stored in SonarQube and can be revoked at any time in GitLab.

After saving your personal access token, you'll see a list of your GitLab projects that you can set up to add to SonarQube. Setting up your projects this way also sets your project settings for merge request decoration.

For information on analyzing your projects with GitLab CI/CD, see the following section.

Analyzing projects with GitLab CI/CD

SonarScanners running in GitLab CI/CD jobs can automatically detect branches or merge requests being built so you don't need to specifically pass them as parameters to the scanner.

To analyze your projects with GitLab CI/CD, you need to:

  • Set your environment variables.
  • Configure your .gitlab-ci.yml file.

The following sections detail these steps.

Setting environment variables

You can set environment variables securely for all pipelines in GitLab's settings. See GitLab's documentation on CI/CD variables for more information.

You need to set the following environment variables in GitLab for analysis:

  • Sonar Token: Generate a SonarQube token for GitLab and create a custom environment variable in GitLab with SONAR_TOKEN as the Key and the token you generated as the Value.
  • Sonar Host URL: Create a custom environment variable with SONAR_HOST_URL as the Key and your SonarQube server URL as the Value.

Configuring your .gitlab-ci.yml file

This section shows you how to configure your GitLab CI/CD .gitlab-ci.yml file. The allow_failure parameter in the examples allows a job to fail without impacting the rest of the CI suite.

You'll set up your build according to your SonarQube edition:

  • Community Edition: Community Edition doesn't support multiple branches, so you should only analyze your main branch. You can restrict the analysis to your main branch by using rules to add the branch name in your .yml file.
  • Developer Edition and above: By default, GitLab will build all branches but not merge requests. To build merge requests, you need to use rules in your .gitlab-ci.yml. See the example configurations below for more information.

Example configurations for each scanner follow:

SonarScanner for Gradle

sonarqube-check:
  image: gradle:jre11-slim
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: gradle sonarqube -Dsonar.qualitygate.wait=true
  allow_failure: true
  rules:
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'

SonarScanner for Maven

sonarqube-check:
  image: maven:3.6.3-jdk-11
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - mvn verify sonar:sonar -Dsonar.qualitygate.wait=true
  allow_failure: true
  rules:
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'

SonarScanner CLI

sonarqube-check:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true
  allow_failure: true
  rules:
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'

Project key
A project key has to be provided through sonar-project.properties or through the command line parameter. For more information, see the SonarScanner documentation.

Self-signed certificates
If you secure your SonarQube instance with a self-signed certificate, you may need to build a custom image based on sonarsource/sonar-scanner-cli. See the section Advanced docker configuration within the SonarScanner documentation.

Failing the pipeline job when the quality gate fails

In order for the quality gate to fail on the GitLab side when it fails on the SonarQube side, the scanner needs to wait for the SonarQube quality gate status. To enable this, set the sonar.qualitygate.wait=true parameter in the .gitlab-ci.yml file.

You can set the sonar.qualitygate.timeout property to an amount of time (in seconds) that the scanner should wait for a report to be processed. The default is 300 seconds.

For more information

For more information on configuring your build with GitLab CI/CD, see the GitLab CI/CD pipeline configuration reference.

Reporting your quality gate status in GitLab

After you've set up SonarQube to import your GitLab projects as shown in the previous section, SonarQube can report your quality gate status and analysis metrics directly to GitLab.

To do this, add a project from GitLab by clicking the Add project button in the upper-right corner of the Projects homepage and select GitLab from the drop-down menu.

Then, follow the steps in SonarQube to analyze your project. SonarQube automatically sets the project settings required to show your quality gate in your merge requests.

If you're creating your projects manually or adding quality gate reporting to an existing project, see the following section.

SonarQube can also report your quality gate status to GitLab merge requests for existing and manually-created projects. After you've updated your global settings as shown in the Importing your GitLab projects into SonarQube section above, set the following project settings at Project Settings > General Settings > DevOps Platform Integration:

  • Configuration name: The configuration name that corresponds to your GitLab instance.
  • Project ID: Your GitLab project ID, found in GitLab.

Advanced configuration

Reporting your quality gate status on pull requests in a mono repository

Reporting quality gate statuses to merge requests in a mono repository setup is supported starting in Enterprise Edition.

In a mono repository setup, multiple SonarQube projects, each corresponding to a separate project within the mono repository, are all bound to the same GitLab repository. You'll need to set up each SonarQube project that's part of a mono repository to report your quality gate status.

You need to set up projects that are part of a mono repository manually as shown in the Reporting your quality gate status in GitLab section above. You also need to set the Enable mono repository support setting to true at Project Settings > General Settings > DevOps Platform Integration.

After setting your project settings, ensure the correct project is being analyzed by adjusting the analysis scope and pass your project names to the scanner. See the following sections for more information.

Ensuring the correct project is analyzed

You need to adjust the analysis scope to make sure SonarQube doesn't analyze code from other projects in your mono repository. To do this set up a Source File Inclusion for your project at Project Settings > Analysis Scope with a pattern that will only include files from the appropriate folder. For example, adding ./MyFolderName/**/* to your inclusions will only include code in the MyFolderName folder. See Narrowing the focus for more information on setting your analysis scope.

Passing project names to the scanner

Because of the nature of a mono repository, SonarQube scanners might read all project names of your mono repository as identical. To avoid having multiple projects with the same name, you need to pass the sonar.projectName parameter to the scanner. For example, if you're using the Maven scanner, you would pass mvn sonar:sonar -Dsonar.projectName=YourProjectName.

Failing the pipeline job when the quality gate fails

To configure pipeline jobs for each project in your mono repository, you must:

  • Define a token for all sub-projects in GitLab CI variables. When configuring a mono repository with hundreds of modules, it often makes sense to use one token in GitLab CI.
    • See the documentation about how to generate tokens in SonarQube and how to configure your GitLab CI for more information.
  • Define a job for each project in .gitlab-ci.yml.

In each job, pass the corresponding SonarQube project key with the -Dsonar.projectKey option in the script section of the job (for example, for the key monorepo-simple-module2, use -Dsonar.projectKey=monorepo-simple-module2).
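The following .gitlab-ci.yml is an added example, not from the SonarQube documentation, that puts the mono repository steps above together with the quality gate settings from the earlier Failing the pipeline job when the quality gate fails section: one SONAR_TOKEN and SONAR_HOST_URL shared by all jobs, one job per module with its own sonar.projectKey and sonar.projectName, and a quality gate wait with an explicit timeout. The project keys, the module folder names, and the rules: changes: filter are assumptions made for the example.

```yaml
# Shared template (GitLab CI `extends`). SONAR_TOKEN and SONAR_HOST_URL are
# CI/CD variables defined once in the GitLab project settings, not in this file.
.sonar-scan:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # analysis task cache
    GIT_DEPTH: "0"  # full clone, required for branch and merge request detection
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  # Keep allow_failure at its default (false): a failed quality gate must fail the
  # job, otherwise the "Pipelines must succeed" merge check cannot block the merge.
  allow_failure: false

# One job per module, each with its own sonar.projectKey and sonar.projectName so
# the modules are not all reported under one identical name. Keys and folder names
# are constructed for this example. The scanner waits for the quality gate with the
# timeout raised from the 300 s default to 600 s.
sonarqube-module1:
  extends: .sonar-scan
  script:
    - >
      sonar-scanner
      -Dsonar.projectKey=monorepo-simple-module1
      -Dsonar.projectName=monorepo-simple-module1
      -Dsonar.qualitygate.wait=true
      -Dsonar.qualitygate.timeout=600
  rules:
    # Assumption: only re-scan this module when files under its folder change.
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - module1/**/*

sonarqube-module2:
  extends: .sonar-scan
  script:
    - >
      sonar-scanner
      -Dsonar.projectKey=monorepo-simple-module2
      -Dsonar.projectName=monorepo-simple-module2
      -Dsonar.qualitygate.wait=true
      -Dsonar.qualitygate.timeout=600
  rules:
    - if: $CI_COMMIT_REF_NAME == 'main' || $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        - module2/**/*
```

Which files each module's analysis covers is still narrowed server-side through the Source File Inclusion pattern at Project Settings > Analysis Scope, as described in the Ensuring the correct project is analyzed section.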

Preventing pull request merges when the quality gate fails

Once the previous section is done, you can block merge requests from being merged when they fail the quality gate:

  1. In your GitLab repository, go to Your project > Settings > Merge requests
  2. In the Merge Checks section, select Pipelines must succeed.

More information about GitLab’s External status checks can be found in the GitLab Documentation.

Configuring multiple DevOps platform instances

SonarQube can report your quality gate status to multiple DevOps platform instances. To do this, you need to create a configuration for each DevOps platform instance and assign that configuration to the appropriate projects.

  • As part of Developer Edition, you can create one configuration for each DevOps platform.
  • Starting in Enterprise Edition, you can create multiple configurations for each DevOps platform.

Linking issues

When adding a quality gate status to your merge requests, individual issues will be linked to their SonarQube counterparts automatically. For this to work, you need to correctly set the instance's Server base URL (Administration > Configuration > General Settings > General > General). Otherwise, the links will default to localhost.
