Getting started with GitLab

Sign up

1. Go to SonarQube Cloud product page. If you want to use the US region, go to sonarqube.us instead.

1. Select GitLab from the list of DevOps platforms. You will be taken to the GitLab login page.

2. Sign in using your GitLab credentials.

   For prerequisites on your DevOps account’s email address, see Signing in via your DevOps platform service.

Your SonarQube Cloud account is created and bound to your GitLab account. For more information, see Authentication in the Trust Center.

Once you have successfully logged in, you will be prompted to connect your GitLab group with SonarQube Cloud and create your SonarQube Cloud organization.

Create your organization

We use an organization-based structure that mirrors the structure on your chosen DevOps platforms: each SonarQube Cloud organization corresponds one-to-one with a GitLab group. A subscription plan is associated one-to-one with a SonarQube Cloud organization. See Subscription plans for a comparison between the different plans.

To create your SonarQube Cloud organization, you’ll import to SonarQube Cloud either a GitLab group or your personal namespace. If you select the first option, you will need your GitLab group key and a GitLab personal access token. If you select the second option, you will just need a personal access token. For more information, see Step 1: Create a GitLab personal access token and Step 2: Retrieve the GitLab group key.

Proceed as follows. For detailed instructions, see Importing GitLab group.

1. Select Import an organization from GitLab.

2. Select your import option and provide the group key and/or your GitLab personal access token.

3. Select Continue.

4. Check the organization details.

5. You have an option to auto-import new GitHub repositories (in beta) as soon as they are created in your GitHub organization, skipping the manual new project analysis flow.

6. Select the subscription plan.

7. Create your organization. A new page opens.

8. Select Analyze a new project and go to the next step below.

Import your repositories

You can now import the existing projects (that is, individual GitLab repositories) that you want to analyze from your GitLab group into your newly created SonarQube Cloud organization. A corresponding, one-to-one SonarQube Cloud project will be created for each imported repository.

Proceed as follows (you need the Create Projects permission in your organization):

1. Select the repositories you want to import and select the Set up button.

1. Select the new code definition for your new project(s). For more information about this definition, see Quality standards and new code. Note that the new code definition you apply at this stage will apply to all of the projects you have selected for import. You can change your new code definition later on a per-project basis (see New code definition).

1. Create your project(s).

Set up your project analysis

With GitLab projects, the actual analysis is performed in your build environment (for example, on a cloud CI or your local machine). This means you have to configure your build process to perform the analysis on each build and communicate the results up to SonarQube Cloud.

We refer to this analysis method as CI-based analysis (though it may take place in a cloud CI or a manually configured build environment) to contrast it with automatic analysis which works by SonarQube Cloud directly accessing your repository and performing the analysis itself. However, automatic analysis is currently available only for GitHub projects and only for a subset of languages.

SonarQube Cloud will guide you through a tutorial on how to set up your build environment to run your analysis. The first step is to select your build environment. If you have no particular preference and are setting up a new project on GitLab, we recommend using GitLab CI/CD as your CI. See GitLab CI.

To understand the SonarQube analysis principles, see SonarQube analysis overview.

About the SonarQube Cloud analysis

The SonarScanner performs the automated source code analysis as part of your code review process. This stand-alone program runs on the CI/CD host and sends the analysis results to SonarQube Server, which computes them, calculates the quality gate, and generates reports.

To perform the analysis, the SonarScanner uses the Sonar analyzers that it downloads from SonarQube Cloud at installation.

The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, NPM, and Python. For other project types, the SonarScanner CLI which requires more manual configuration is used.

For more information about integrated CI tools and SonarScanners, see CI-based analysis

Setting up the pull request analysis

By setting up pull request analysis, you ensure pull requests are analyzed when they are opened and every time a change is pushed to the pull request branch. To do so, you must add the SonarQube Cloud analysis to your CI pipeline.

• To learn more about pull request analysis, see Pull request analysis.

• To integrate SonarQube Cloud analysis into your GitLab CI pipeline, see GitLab CI.

You can also configure pull request decoration to allow your developers to view the analysis from SonarQube Cloud directly on the pull requests they submit.

• To learn more about the GitLab integration features, see Issues reported in GitLab.

• To set up your project integration with GitLab, see Configuring GitLab project binding.

Connect with SonarQube for IDE

SonarQube for IDE is a free IDE extension that integrates with SonarQube Cloud. Like a spell checker, SonarQube for IDE highlights issues as you type.

Install SonarQube for IDE to leverage the power of SonarQube in your IDE. To do so, see SonarQube for IDE.

View your analysis results

Review your project’s quality gate

The purpose of Quality gates is to tell you whether your code is good enough to be pushed to the next step:

• For the main branch and other long-lived branches, the quality gate answers the question: "Can I release my code today?"

• For pull requests (and short-lived branches), the quality gate answers the question: "Can I merge this pull request?"

By keeping an eye on the quality gates, the decision makers can quickly judge the status of code and decide what to do next.

For more information, see Quality gates.

Review your issues

An analysis detects an issue as a problem in your code. When a coding rule is broken, an issue is raised. Each issue affects one or more software qualities with a varying impact level, called severity, as inherited from the rule. For more information about rules, see Viewing and managing rules.

To review your issues, see Managing code issues.

Adjust your project setup

The analysis performed by the SonarScanner is configured through analysis parameters. The following applies:

• A few analysis parameters are mandatory.

• Many analysis parameters, such as those defining the analysis scope, have a default value and can be adjusted.

• Analysis parameters allow you to include the code and test coverage in your analysis, or to import issues generated by a third-party analyzer, etc.

SonarQube Server manages the analysis parameters through sonar properties (The sonar property key has the following syntax: sonar.<property>.).

You can configure the analysis parameters in different places. For more information, see Configuration overview.

You can:

• Adjust your analysis scope, see Analysis scope.

• Implement test coverage, see Test coverage.

• Import external analyzer reports, see External analyzer reports.

• Define a Long-lived branch pattern, see Long-lived branch pattern.

• Change the new code definition applied to your project, see New code definition.

• Change the quality gate assigned to your project, see Quality gate.

• Change the quality profiles assigned to your project, see Quality profile

Check out security reports and portfolios

Managers and tech leads can check out the security reports and portfolios features to begin monitoring the security and releasability of projects. For more information, see Viewing the enterprise reports.