Adding analysis to Bitbucket pipeline

How to add SonarQube Community Build analysis to Bitbucket Pipelines.

Once you have created your project in SonarQube, you can add the SonarQube analysis to your Bitbucket pipeline. To do so, you need to:

  • Configure your project analysis parameters.

  • Configure your bitbucket-pipelines.yml file.

Prerequisites

Clone with full depth (clone: depth: full in your bitbucket-pipelines.yml) so that the scanner has access to all of your history when running analysis. For more information, see the documentation about Git clone behavior in Bitbucket.

Configuring your project analysis parameters

For general information about the configuration of project analysis parameters, see Configuration overview.

You can set environment variables securely for all pipelines in Bitbucket Cloud’s settings. See User-defined variables for more information.

You may need to commit your bitbucket-pipelines.yml before being able to set environment variables for pipelines.

You need to set the following environment variables in Bitbucket Cloud for analysis:

  • SONAR_TOKEN: Generate a SonarQube token for Bitbucket Cloud and create a custom, secure environment variable in Bitbucket Cloud with SONAR_TOKEN as the Name and the token you generated as the Value.

  • SONAR_HOST_URL: Create a custom environment variable with SONAR_HOST_URL as the Name and your SonarQube URL as the Value.

See Managing your tokens for more information.

Configuring your bitbucket-pipelines.yml file

This section shows you how to configure your bitbucket-pipelines.yml file. Bitbucket Pipelines can build specific branches and pull requests if you use the branches and pull-requests pipelines as shown in the example configurations below.

SonarScanner for Gradle

In SonarQube, after you select a project imported from Bitbucket, you’ll need to select an analysis method. Select With Bitbucket Pipelines and follow the in-product tutorial to create environment variables and configure your bitbucket-pipelines.yml for analysis.

A project key might have to be provided through a build.gradle file, or through the command line parameter. For more information, see SonarScanner for Gradle.

SonarScanner for Maven

In SonarQube, after you select a project imported from Bitbucket, you’ll need to select an analysis method. Select With Bitbucket Pipelines and follow the in-product tutorial to create environment variables and configure your bitbucket-pipelines.yml for analysis.

A project key might have to be provided through the command line parameter. For more information, see SonarScanner for Maven.

SonarScanner for .NET

In SonarQube, after you select a project imported from Bitbucket, you’ll need to select an analysis method. Select With Bitbucket Pipelines and follow the in-product tutorial to create environment variables and configure your bitbucket-pipelines.yml for analysis.

SonarScanner CLI

The Advanced Configuration below is an alternative to the SonarQube Scan Bitbucket Pipe. If you do not need a setup that allows for scanner caching, we recommend using the Bitbucket Pipe configuration.

You can set up the SonarScanner CLI configuration the following ways:

  • SonarQube Scan Bitbucket Pipe: Using the SonarQube Scan Bitbucket Pipe is an easy way to set up a basic configuration. You’ll find the Bitbucket Pipe and configuration instructions on the SonarQube Scan Bitbucket Pipe page.

  • Advanced Configuration: If you need an advanced setup that allows for scanner caching, you can add the following to your bitbucket-pipelines.yml file:

image: <image for build>

definitions:
  steps:
    # Anchor the step itself (not the steps list) so it can be reused below
    - step: &build-step
        name: SonarQube analysis
        image: sonarsource/sonar-scanner-cli:latest
        caches:
          - sonar
        script:
          # SONAR_TOKEN and SONAR_HOST_URL are read from the pipeline variables
          - sonar-scanner
  caches:
    sonar: /opt/sonar-scanner/.sonar

clone:
  depth: full

pipelines:
  branches:
    '{master,main,develop}':
      - step: *build-step

  pull-requests:
    '**':
      - step: *build-step

A project key has to be provided through a sonar-project.properties file, or through the command line parameter. For more information, see SonarScanner CLI.

Failing the pipeline job when the quality gate fails

You can use the SonarQube quality gate check Bitbucket Pipe to ensure your code meets your quality standards by failing your pipeline job when your quality gate fails.

If you do not want to use the SonarQube quality gate check Bitbucket Pipe, you can instruct the scanner to wait for the SonarQube quality gate status at the end of the analysis. To enable this, pass the -Dsonar.qualitygate.wait=true parameter to the scanner in the bitbucket-pipelines.yml file.

This makes the analysis step poll SonarQube until the quality gate has been computed, which increases your pipeline duration. If the quality gate is red, the analysis step fails even though the analysis itself succeeded. We advise using this parameter only when necessary (for example, to block a deployment pipeline when the quality gate is red); it should not be used to report the quality gate status in a pull request.

You can set the sonar.qualitygate.timeout property to the number of seconds the scanner should wait for the analysis report to be processed. The default is 300 seconds.
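As an added example that is not part of this page's own configuration, the Advanced Configuration from the SonarScanner CLI section is extended here to pass the project key on the command line and to apply the quality gate wait only to the branch pipeline that deploys, while pull-request analysis runs without waiting; my-build-image, my_project_key and deploy.sh are placeholders.

```yaml
# Added example (not from the SonarQube documentation): the Advanced
# Configuration above, with the project key passed on the command line and
# the quality gate wait enabled only on the main-branch pipeline that deploys.
# Placeholders: my-build-image, my_project_key and deploy.sh.
image: my-build-image

definitions:
  caches:
    sonar: /opt/sonar-scanner/.sonar
  steps:
    - step: &sonar-analysis
        name: SonarQube analysis
        image: sonarsource/sonar-scanner-cli:latest
        caches:
          - sonar
        script:
          # SONAR_TOKEN and SONAR_HOST_URL are read from the secured pipeline
          # variables configured above; only the project key is passed here.
          - sonar-scanner -Dsonar.projectKey=my_project_key
    - step: &sonar-analysis-gated
        <<: *sonar-analysis
        name: SonarQube analysis (wait for quality gate)
        script:
          # Poll SonarQube until the gate is computed and fail the step if it
          # is red; the wait timeout is raised from the 300 s default to 600 s.
          - >-
            sonar-scanner -Dsonar.projectKey=my_project_key
            -Dsonar.qualitygate.wait=true
            -Dsonar.qualitygate.timeout=600

clone:
  depth: full

pipelines:
  branches:
    main:
      - step: *sonar-analysis-gated   # a red quality gate fails this step ...
      - step:
          name: Deploy
          script:
            - ./deploy.sh             # ... so the deployment never runs
  pull-requests:
    '**':
      - step: *sonar-analysis         # no wait: keeps PR pipelines fast
```

The gated step reuses the analysis step through a YAML merge key and overrides only its name and script, so the cache and scanner image stay identical in both pipelines.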
