Setting up GitLab integration at project level

This section explains how to set up various GitLab integration features for a given project.

Reporting your quality gate status in GitLab for unbound projects

On SonarQube projects Importing your GitLab repositories, SonarQube automatically sets up the report of your quality gate status and analysis metrics directly to your GitLab merge requests. For unbound projects, you must set up the quality gate status report manually as explained below (The integration of SonarQube with GitLab must be properly Setting up integration at global level).

To report your quality gate status in GitLab for unbound projects:

In the SonarQube UI page of your project, select Project Settings > General Settings > DevOps Platform Integration.
Set:
- Configuration name: The name of your GitLab instance’s Configuration record set in Setting up integration at global level (Ask your system admin.).
- Project ID: Your GitLab project ID (found in GitLab).

Preventing a merge when the quality gate fails

In GitLab, you can block merge requests if it is failing the quality gate. To do this:

In your GitLab repository, go to Your project > Settings > Merge requests.
In the Merge Checks section, select Pipelines must succeed.

More information about GitLab’s External status checks can be found in the GitLab Documentation.

Reporting vulnerabilities in GitLab

This feature is available starting in Developer Edition and requires GitLab Ultimate and GitLab CI/CD.

Report overview

SonarQube can provide feedback about security vulnerabilities inside the GitLab interface itself. The security issues found by SonarQube will appear on the Gitlab > Vulnerability report page.

Initially, all issues of type Vulnerability marked Open on SonarQube are marked as Needs triage on GitLab. When you update the status of an issue in SonarQube, it is also updated in GitLab. Updating the status of an issue in Gitlab does not update it in SonarQube.

If issues in GitLab appear duplicated after a modification, users should use the Activity > Still detected filter.

Correspondence of statuses

Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions:

In SonarQube, a transition to

Results in this in GitLab

Open

Needs triage

Confirmed (deprecated)

Confirm

Accepted

Dismiss

Fixed

Resolved

Severity mapping

The following table presents the mapping of the severity levels between SonarQube and GitLab.

Severity level in SonarQube

Is mapped to, in GitLab

High

Medium

Low

Setting up the report

The report is set up through your GitLab CI/CD pipeline. The user starting the analysis in the pipeline must have the Browse permission on your project (see Security features). This user corresponds to the SonarQube account used to generate the analysis token in Adding analysis to GitLab CI/CD pipeline.

Proceed as follows:

Add a vulnerability report stage to your .gitlab-ci.yml file, as follows:

SonarScanner for Gradle

stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: gradle:8.2.0-jdk17-jammy
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: gradle sonar
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key

  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check

SonarScanner for Maven

stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: maven:3.9.3-eclipse-temurin-17
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
    - mvn verify sonar:sonar
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check

SonarScanner CLI

stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: 
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
    - sonar-scanner
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check

SonarScanner for .NET

stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
      - "apt-get update"
      - "apt-get install --yes openjdk-17-jre"
      - "dotnet tool install --global dotnet-sonarscanner"
      - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
      - "dotnet sonarscanner begin /k:\"projectKey" /d:sonar.token=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" "  # Replace "projectKey" with your project key
      - "dotnet build"
      - "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\""
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check

PreviousImporting your GitLab repositories NextAdding analysis to GitLab CI/CD pipeline

Last updated 3 months ago

Was this helpful?