# Setting up GitLab integration for your project

## Reporting your quality gate status in GitLab for unbound projects <a href="#reporting-quality-gate-status" id="reporting-quality-gate-status"></a>

On SonarQube Server projects bound to their GitLab repository, SonarQube Server automatically sets up the report of your quality gate status and analysis metrics directly to your GitLab merge requests.

You can bind an existing and manually created project to its GitLab repository provided the global integration of SonarQube Server with GitLab has been properly set up. To do so, see [changing-project-binding](https://docs.sonarsource.com/sonarqube-server/project-administration/maintaining-project/changing-project-binding "mention").

## Preventing a merge when the quality gate fails <a href="#preventing-merge-request-merge" id="preventing-merge-request-merge"></a>

In GitLab, you can block merge requests if it is failing the quality gate. To do this:

1. In your GitLab repository, go to *Your project* > **Settings** > **Merge requests.**
2. In the **Merge Checks** section, select **Pipelines must succeed**. More information about GitLab’s External status checks can be found in the [GitLab Documentation](https://docs.gitlab.com/ee/user/project/merge_requests/status_checks.html#block-merges-of-merge-requests-unless-all-status-checks-have-passed).
3. Set up the pipeline to fail. If you use GitLab CI/CD, you must configure the SonarScanner to wait for the quality gate result. For more information, see [#quality-gate-fails](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/ci-integration/overview#quality-gate-fails "mention") for more information.

## Reporting vulnerabilities in GitLab <a href="#reporting-vulnerabilities" id="reporting-vulnerabilities"></a>

This feature is available starting in [Developer Edition](https://www.sonarsource.com/plans-and-pricing/developer/) and requires GitLab Ultimate and GitLab CI/CD.

### Report overview <a href="#report-overview" id="report-overview"></a>

SonarQube Server can provide feedback about security vulnerabilities inside the GitLab interface itself. The security issues found by SonarQube Server will appear on the **Gitlab** > **Vulnerability** report page.

Initially, all issues of type Vulnerability marked **Open** on SonarQube Server are marked as **Needs triage** on GitLab. When you update the status of an issue in SonarQube Server, it is also updated in GitLab. Updating the status of an issue in Gitlab does not update it in SonarQube Server.

{% hint style="info" %}
If issues in GitLab appear duplicated after a modification, users should use the **Activity > Still detected** filter.
{% endhint %}

<details>

<summary>Correspondence of statuses</summary>

Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions:

| In SonarQube, a transition to | Results in this in GitLab |
| ----------------------------- | ------------------------- |
| Open                          | Needs triage              |
| Confirmed (deprecated)        | Confirm                   |
| Accepted                      | Dismiss                   |
| Fixed                         | Resolved                  |

</details>

<details>

<summary>Severity mapping</summary>

The following table presents the mapping of the severity levels between SonarQube Server and GitLab.

| Severity level in Standard Experience | Severity level in MQR Mode | Maps to in GitLab |
| ------------------------------------- | -------------------------- | ----------------- |
| Blocker                               | Blocker                    | Critical          |
| Critical                              | High                       | High              |
| Major                                 | Medium                     | Medium            |
| Minor                                 | Low                        | Low               |
| Info                                  | Info                       | Info              |

</details>

### Setting up the report <a href="#setting-up-the-report" id="setting-up-the-report"></a>

The report is set up through your GitLab CI/CD pipeline. The user starting the analysis in the pipeline must have the Browse permission on your project, see [setting-project-permissions](https://docs.sonarsource.com/sonarqube-server/project-administration/setting-project-permissions "mention") for more details. This user corresponds to the SonarQube Server account used to generate the analysis token in [adding-analysis-to-gitlab-ci-cd](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/adding-analysis-to-gitlab-ci-cd "mention").

Proceed as follows:

* Add a vulnerability report stage to your `.gitlab-ci.yml` file, as follows:

<details>

<summary>SonarScanner for Gradle</summary>

```yaml
stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: gradle:8.10.0-jdk17-jammy
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: gradle sonar
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key

  allow_failure: true
  only:
    - merge_requests
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check
```

</details>

<details>

<summary>SonarScanner for Maven</summary>

```yaml
stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: maven:3.9.3-eclipse-temurin-17
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
    - mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check
```

</details>

<details>

<summary>SonarScanner CLI</summary>

```yaml
stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: 
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
    - sonar-scanner
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check
```

</details>

<details>

<summary>SonarScanner for .NET</summary>

```yaml
stages:
    - sonarqube-check
    - vulnerability-report

sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: 
      - "apt-get update"
      - "apt-get install --yes openjdk-17-jre"
      - "dotnet tool install --global dotnet-sonarscanner"
      - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
      - "dotnet sonarscanner begin /k:\"projectKey" /d:sonar.token=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" "  # Replace "projectKey" with your project key
      - "dotnet build"
      - "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\""
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop

vulnerability-report:
  stage: vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'  # Replace <projectKey> with your project key
  allow_failure: true
  only:
    - merge_requests
    - main
    - develop
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
  dependencies:
    - sonarqube-check
```

</details>

## Related pages

[global-setup](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/global-setup "mention")