Setting up integration at project level
This section explains how to set up various GitLab integration features for a given project.
This section explains how to set up various GitLab integration features for a given project.
Reporting your quality gate status in GitLab for unbound projects
On SonarQube projects Importing GitLab repositories, SonarQube automatically sets up the report of your quality gate status and analysis metrics directly to your GitLab pull requests. For unbound projects, you must set up the quality gate status report manually as explained below (The integration of SonarQube with GitLab must be properly Setting up integration at global level).
To report your quality gate status in GitLab for unbound projects:
In the SonarQube UI page of your project, select Project Settings > General Settings > DevOps Platform Integration.
Set:
Configuration name: The name of your GitLab instance’s Configuration record set in Setting up integration at global level (Ask your system admin.).
Project ID: Your GitLab project ID (found in GitLab).
Preventing pull request merges when the quality gate fails
In GitLab, you can block pull requests from being merged if it is failing the quality gate. To do this:
In your GitLab repository, go to Your project > Settings > Merge requests.
In the Merge Checks section, select Pipelines must succeed.
More information about GitLab’s External status checks can be found in the GitLab Documentation.
Reporting vulnerabilities in GitLab
This feature is available starting in Developer Edition and requires GitLab Ultimate and GitLab CI/CD.
Report overview
SonarQube can provide feedback about security vulnerabilities inside the GitLab interface itself. The security issues found by SonarQube will appear on the Gitlab > Vulnerability report page.
Initially, all issues of type Vulnerability marked Open on SonarQube are marked as Needs triage on GitLab. When you update the status of an issue in SonarQube, it is also updated in GitLab. Updating the status of an issue in Gitlab does not update it in SonarQube.
Setting up the report
The report is set up through your GitLab CI/CD pipeline. The user starting the analysis in the pipeline must have the Browse permission on your project (see Security). This user corresponds to the SonarQube account used to generate the analysis token in Adding analysis to GitLab CI/CD pipeline.
Proceed as follows:
Add a vulnerability report stage to your
.gitlab-ci.yml
file, as follows:
Last updated
Was this helpful?