Analyzing GitLab projects

If your code is on GitLab, go to SonarQube Cloud and choose "Try now" or "Login," then select GitLab from the list of DevOps platforms to get started.

If your code is on GitLab, go to the SonarQube Cloud product page and choose Set up or Login, then select GitLab from the list of DevOps cloud platforms.

You will be taken to the GitLab login page. Sign in using your GitLab credentials.

Welcome to SonarQube Cloud

Once you have successfully logged in, you will see the SonarQube Cloud welcome screen. Select Analyze your first projects > Import an organization from GitLab.

Set up your organization

About SonarQube Cloud organizations

SonarQube Cloud is set up to mirror the way that code is organized in GitLab (and other repository providers):

Each SonarQube Cloud project corresponds one-to-one with a GitLab project, which resides in its own Git repository.
GitLab projects are grouped into *GitLab groups *or under a personal namespace.
Each SonarQube Cloud organization corresponds one-to-one with a *GitLab group *or personal namespace.

SonarQube Cloud supports one DevOps platform at a time.

SonarQube Cloud does not support linking an organization to more than one DevOps platform. If you want to link to more than one, you will need to create a separate organization to link to each DevOps service.

Connect your GitLab group with SonarQube Cloud

First, select either

Import any GitLab group, if you want to import a GitLab group other than your personal one, or
Import my personal namespace, if you want to import only the repositories that are under your personal namespace.

If you select the first option, you will need your GitLab group key and a personal access token.

If you select the second option, you will just need a personal access token.

Group key

For the group key, you can provide either the ID of the group or the key of the group. The group ID can be found under the group name on the group page. The group key is the last element in the path of the group and is found in the URL. For example, gitlab.com/my-group.

Note that the user that is logged into SonarQube Cloud must be an owner of the GitLab group.

We currently only support the importing of GitLab parent groups. Subgroups are not supported.

Personal access token

To create the token, go to User settings > Personal Access Tokens in GitLab, or while logged in to GitLab, click the Personal Access Token hyperlink in the SonarQube Cloud Create an organization tutorial.

When creating your access token on the GitLab User settings > Personal Access Tokens page, make sure to select api scope. Then click Create personal access token.

When the personal access token is displayed at the top of the page, copy the token and paste it into the field on the SonarQube Cloud setup page.

An api scope is required

SonarQube Cloud requires that the access token have api scope. This gives SonarQube Cloud more access rights than strictly necessary, but due to the lack of more fine-grained access control in GitLab, it is the only viable option.

To mitigate this potential security concern, we strongly encourage you to add a technical user to your organization, log in to SonarQube Cloud using that technical user, and use the access token of that technical user to connect your GitLab group to SonarQube Cloud.

SonarQube Cloud will always limit its actions to those required for effective integration with GitLab and will never use the full access right provided by the api scope.

Import organization details

In this step, you will create a SonarQube Cloud organization that corresponds to your GitLab group.

SonarQube Cloud will suggest a key for your SonarQube Cloud organization. This is a name unique across all organizations within SonarQube Cloud. You can accept the suggestion or change it manually. The interface will prevent you from changing it to an already existing key.

Choose a plan

Next, you will be asked to choose a SonarQube Cloud Subscription plans. If all the repositories to be analyzed are public on your DevOps platform, you can select the Free plan. When using the Free plan, your code and analysis results will be publicly accessible at sonarcloud.io/explore/projects.

If you want to analyze more than 50k lines of private code, then you need to select the Team or Enterprise plan. Monthly plans offer a 14-day free trial period. Once the 14 days have elapsed, the cost is based on the number of lines of code analyzed. For more information, see Managing your subscription Introduction page for more information.

A plan is always associated one-to-one with a SonarQube Cloud organization and therefore, with a single GitLab group. If you want to onboard multiple GitLab groups, you must sign up for a separate SonarQube Cloud plan for each group.

Once you have chosen a plan and selected Create Organization, your SonarQube Cloud organization will be created!

Set up your analysis

Import repositories

The next step is to import the projects (that is, individual Git repositories) that you want to analyze from your GitLab group into your newly created SonarQube Cloud organization, creating a corresponding SonarQube Cloud project for each.

SonarQube Cloud will present a list of the repositories in your GitLab group. Select those that you want to import and analyze and click Set Up.

Import repositories from GitLab into SonarQube Cloud.

The selected projects will be imported.

Choose your new code definition

The next step is to set the New Code Definition (NCD) for your project(s). The NCD is a mandatory step and it defines which part of your code is considered new code. This helps you to focus your attention on the most recent changes to your code.

Set up your project by selecting a New Code Defintition.

Note that the new code definition you apply at this stage will apply to all of the projects you have selected for analysis. You can change your new code definition later on a per-project basis.

To do this, go to Your Project > Administration > New Code.

For more information, see the Quality standards and new code page.

Configure analysis

With GitLab projects, the actual analysis is performed in your build environment (for example, on a cloud CI or your local machine). This means you have to configure your build process to perform the analysis on each build and communicate the results up to SonarQube Cloud.

We refer to this analysis method as CI-based analysis (though it may take place in a cloud CI or a manually configured build environment) to contrast it with automatic analysis which works by SonarQube Cloud directly accessing your repository and performing the analysis itself. However, Automatic analysis is currently available only for GitHub projects and only for a subset of languages.

SonarQube Cloud will guide you through a tutorial on how to set up your build environment to run your analysis.

The first step is to select your build environment. SonarQube Cloud will present this page:

If you have no particular preference and are setting up a new project on GitLab, we recommend using GitLab CI/CD as your CI.

Follow the tutorial to set up your analysis.

See your analysis results

Once it is complete, you can view the results of your first analysis.

In addition, please see the page on GitLab CI to integrate SonarQube Cloud into your GitLab pipelines.

Email notifications

If you log into SonarQube Cloud using an email address that you previously used to log into another DevOps platform, you need to be aware that SonarQube Cloud will automatically associate your email address with the new DevOps platform.

For example, if you log in through GitLab and previously used GitHub, GitHub issues will no longer be assigned to your email address and you will stop receiving GitHub email notifications. If you then decide to switch back to GitHub, the GitLab email notifications will be discontinued.

PreviousAnalyzing Bitbucket Cloud projects NextAnalyzing Azure DevOps projects

Last updated 1 month ago

Was this helpful?