On this page

Importing your Bitbucket Cloud repositories into SonarQubeAnalyzing projects with Bitbucket PipelinesReporting your quality gate status in Bitbucket CloudAuthenticating with Bitbucket Cloud

Bitbucket Cloud integration

SonarQube's integration with Bitbucket Cloud allows you to maintain code quality and security in your Bitbucket Cloud repositories.

With this integration, you'll be able to:

  • Import your BitBucket Cloud repositories: Import your Bitbucket Cloud repositories into SonarQube to easily set up SonarQube projects.
  • Analyze projects with Bitbucket Pipelines: Integrate analysis into your build pipeline. SonarScanners running in Bitbucket Pipelines can automatically detect branches or pull requests being built so you don't need to specifically pass them as parameters to the scanner (branch and pull request analysis is available starting in Developer Edition).
  • Report your quality gate status to your pull requests (starting in Developer Edition): See your quality gate and code metric results right in Bitbucket Cloud so you know if it's safe to merge your changes.
  • Authenticate with Bitbucket Cloud: Sign in to SonarQube with your Bitbucket Cloud credentials.

Importing your Bitbucket Cloud repositories into SonarQube

Setting up the import of BitBucket Cloud repositories into SonarQube allows you to easily create SonarQube projects from your Bitbucket Cloud repositories. This is also the first step in adding authentication and, starting in Developer Edition, the first step in reporting your analysis and quality gate status to your pull requests.

To set up the import of BitBucket Cloud repositories:

  1. Create an OAuth consumer.
  2. Set your global DevOps Platform integration settings.
  3. Add your Bitbucket username and an app password.

Creating your OAuth consumer

SonarQube uses a dedicated OAuth consumer to import repositories and display your quality gate status on pull requests. Create the OAuth consumer in your Bitbucket Cloud workspace settings and specify the following:

  • Name: The name of your OAuth consumer
  • Callback URL: Bitbucket Cloud requires this field, but it's not used by SonarQube so you can use any URL.
  • This is a private consumer: Your OAuth consumer needs to be private. Make sure this check box is selected.
  • Permissions: Grant Read access for the Pull requests permission.

Setting your global DevOps platform integration settings

To set your global DevOps Platform Integration settings, navigate to Administration > DevOps Platform Integrations, select the Bitbucket tab, and select Bitbucket Cloud as the variant you want to configure. From here, specify the following settings:

  • Configuration Name (Enterprise and Data Center Edition only): The name used to identify your Bitbucket Cloud configuration at the project level. Use something succinct and easily recognizable.
  • Workspace ID: The workspace ID is part of your bitbucket cloud URL https://bitbucket.org/<workspace-id>/<repository-slug>
  • OAuth Key: Bitbucket automatically creates an OAuth key when you create your OAuth consumer. You can find it in your Bitbucket Cloud workspace settings under OAuth consumers.
  • OAuth Secret: Bitbucket automatically creates an OAuth secret when you create your OAuth consumer. You can find it in your Bitbucket Cloud workspace settings under OAuth consumers. Administrators can encrypt this secret at Administration > Configuration > Encryption. See the Settings Encryption section of the Security page for more information.

Adding your Bitbucket username and an app password

After setting your global settings, you can add a project from Bitbucket Cloud by clicking the Add project button in the upper-right corner of the Projects homepage and selecting Bitbucket.

Then, you'll be asked to provide your Bitbucket username and an app password. Your app password needs the repository:read permission.

After adding your Bitbucket username and app password, you'll see a list of your Bitbucket Cloud projects that you can set up by adding them to SonarQube. Setting up your projects this way also sets your project settings to display your quality gate status on pull requests.

Analyzing projects with Bitbucket Pipelines

SonarScanners running in Bitbucket Pipelines can automatically detect branches or pull requests being built so you don't need to specifically pass them as parameters to the scanner.

To analyze your projects with Bitbucket Pipelines, you need to:

  • Set your environment variables.
  • Configure your bitbucket-pipelines.yml file.

Setting environment variables

You can set environment variables securely for all pipelines in Bitbucket Cloud's settings. See User-defined variables for more information.

You need to set the following environment variables in Bitbucket Cloud for analysis:

  • SONAR_TOKEN: Generate a SonarQube token for Bitbucket Cloud and create a custom secured environment variable in Bitbucket Cloud with SONAR_TOKEN as the Name and the token you generated as the Value.
  • SONAR_HOST_URL: Create a custom environment variable with SONAR_HOST_URL as the Name and your SonarQube server URL as the Value.

Configuring your bitbucket-pipelines.yml file

This section shows you how to configure your bitbucket-pipelines.yml file.

You'll set up your build according to your SonarQube edition:

  • Community Edition: Community Edition doesn't support multiple branches, so you should only analyze your main branch. You can restrict analysis to your main branch by setting it as the only branch in your branches pipeline in your bitbucket-pipelines.yml file and not using the pull-requests pipeline.
  • Developer Edition and above: Bitbucket Pipelines can build specific branches and pull requests if you use the branches and pull-requests pipelines as shown in the example configurations below.

Click the scanner you're using below to expand the example configuration:

Note: This assumes a typical gitflow workflow. See Use glob patterns on the Pipelines YAML file provided by Atlassian for more information on customizing which branches or pull requests trigger an analysis.

Failing the pipeline job when the quality gate fails

You can use the SonarQube quality gate check Bitbucket Pipe to ensure your code meets your quality standards by failing your pipeline job when your quality gate fails.

If you do not want to use the SonarQube quality gate Check Pipe, you can instruct the scanner to wait for the SonarQube quality gate status at the end of the analysis. To enable this, pass the -Dsonar.qualitygate.wait=true parameter to the scanner in the bitbucket-pipelines.yml file.

This will make the analysis step poll SonarQube regularly until the quality gate is computed. This will increase your pipeline duration. Note that, if the quality gate is red, this will make the analysis step fail, even if the actual analysis itself is successful. We advise only using this parameter when necessary (for example, to block a deployment pipeline if the quality gate is red). It should not be used to report the quality gate status in a pull request.

You can set the sonar.qualitygate.timeout property to an amount of time (in seconds) that the scanner should wait for a report to be processed. The default is 300 seconds.

For more information

For more information on configuring your build with Bitbucket Pipelines, see the Configure bitbucket-pipelines.yml documentation provided by Atlassian.

Reporting your quality gate status in Bitbucket Cloud

After creating and installing your OAuth consumer above, SonarQube can report your quality gate status and analysis metrics directly to your Bitbucket Cloud pull requests.

To do this, add a project from Bitbucket by clicking the Add project button in the upper-right corner of the Projects homepage and select Bitbucket from the drop-down menu.

Then, follow the steps in SonarQube to analyze your project. SonarQube automatically sets the project settings required to show your quality gate in your pull requests.

If you're creating your projects manually or adding quality gate reporting to an existing project, see the following section.

Reporting your quality gate status in manually created or existing projects

SonarQube can also report your quality gate status to Bitbucket Cloud pull requests for existing and manually-created projects. After you've created and installed your OAuth consumer and updated your global settings as shown in the Importing your Bitbucket Cloud repositories into SonarQube section above, set the following project settings at Project Settings > General Settings > DevOps Platform Integration:

  • Configuration name: The configuration name that corresponds to your GitHub instance.
  • Repository SLUG: The Repository SLUG is part of your Bitbucket Cloud URL. For example, https://bitbucket.org/<workspace>/<repository>

Advanced configuration

Authenticating with Bitbucket Cloud

To allow users to log in with Bitbucket Cloud credentials, you need to use an OAuth consumer and set the authentication settings in SonarQube. You can either use the OAuth consumer that you created above in the Importing your Bitbucket Cloud repositories into SonarQube section or create a new OAuth consumer specifically for authentication. See the following sections for more on setting up authentication.

Setting your OAuth consumer settings

Create or update your OAuth consumer in your Bitbucket Cloud workspace settings and specify the following:

  • Name: The name of your OAuth consumer.
  • Callback URL: Your SonarQube instance URL.
  • Permissions:
    • AccountRead and Email access.
    • Workspace membershipRead access.

Setting your authentication settings in SonarQube

To set your global authentication settings, navigate to Administration > DevOps Platform Integrations and select the Bitbucket tab. Scroll down to the Bitbucket Authentication section and update the following settings:

  • Enabled: Set to true.
  • OAuth consumer key: Enter the Key from your OAuth consumer page in Bitbucket.
  • OAuth consumer secret: Enter the Secret from your OAuth consumer page in Bitbucket.
  • Workspaces: Only users from Bitbucket Workspaces that you add here will be able to authenticate in SonarQube. This is optional but highly recommended to ensure that only the users you want to log in with Bitbucket credentials are able to.

© 2008-2022, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.

Creative Commons License