This section explains how to set up various GitLab integration features for a given project.
On SonarQube Server projects bound to their GitLab repository , SonarQube Server automatically sets up the report of your quality gate status and analysis metrics directly to your GitLab merge requests. For unbound projects, you must set up the quality gate status report manually as explained below (The integration of SonarQube Server with GitLab must be properly set up ).
To report your quality gate status in GitLab for unbound projects:
In the SonarQube Server UI page of your project, select Project Settings > General Settings > DevOps Platform Integration .
Set:
In GitLab, you can block merge requests if it is failing the quality gate. To do this:
In your GitLab repository, go to Your project > Settings > Merge requests.
In the Merge Checks section, select Pipelines must succeed .
More information about GitLab’s External status checks can be found in the GitLab Documentation .
This feature is available starting in Developer Edition and requires GitLab Ultimate and GitLab CI/CD.
SonarQube Server can provide feedback about security vulnerabilities inside the GitLab interface itself. The security issues found by SonarQube Server will appear on the Gitlab > Vulnerability report page.
Initially, all issues of type Vulnerability marked Open on SonarQube Server are marked as Needs triage on GitLab. When you update the status of an issue in SonarQube Server, it is also updated in GitLab. Updating the status of an issue in Gitlab does not update it in SonarQube Server.
If issues in GitLab appear duplicated after a modification, users should use the Activity > Still detected filter.
Correspondence of statusesBecause the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions:
In SonarQube, a transition to Results in this in GitLab Open Needs triage Confirmed (deprecated) Confirm Accepted Dismiss Fixed Resolved
Severity mappingThe following table presents the mapping of the severity levels between SonarQube Server and GitLab.
Severity level in Standard Experience Severity level in MQR Mode Maps to in GitLab Blocker Blocker Critical Critical High High Major Medium Medium Minor Low Low Info Info Info
The report is set up through your GitLab CI/CD pipeline. The user starting the analysis in the pipeline must have the Browse permission on your project (see Security > Authentication > Project permissions ). This user corresponds to the SonarQube Server account used to generate the analysis token in Adding the SonarQube Server analysis to your GitLab CI/CD pipeline .
Proceed as follows:
Add a vulnerability report stage to your .gitlab-ci.yml
file, as follows:
SonarScanner for Gradlestages:
- sonarqube-check
- vulnerability-report
sonarqube-check:
stage: sonarqube-check
image: gradle:8.2.0-jdk17-jammy
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script: gradle sonar
allow_failure: true
only:
- merge_requests
- master
- main
- develop
vulnerability-report:
stage: vulnerability-report
script:
- 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
allow_failure: true
only:
- merge_requests
- master
- main
- develop
artifacts:
expire_in: 1 day
reports:
sast: gl-sast-sonar-report.json
dependencies:
- sonarqube-check
SonarScanner for Mavenstages:
- sonarqube-check
- vulnerability-report
sonarqube-check:
stage: sonarqube-check
image: maven:3.9.3-eclipse-temurin-17
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script:
- mvn verify sonar:sonar
allow_failure: true
only:
- merge_requests
- master
- main
- develop
vulnerability-report:
stage: vulnerability-report
script:
- 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
allow_failure: true
only:
- merge_requests
- master
- main
- develop
artifacts:
expire_in: 1 day
reports:
sast: gl-sast-sonar-report.json
dependencies:
- sonarqube-check
SonarScanner CLIstages:
- sonarqube-check
- vulnerability-report
sonarqube-check:
stage: sonarqube-check
image:
name: sonarsource/sonar-scanner-cli:latest
entrypoint: [""]
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script:
- sonar-scanner
allow_failure: true
only:
- merge_requests
- master
- main
- develop
vulnerability-report:
stage: vulnerability-report
script:
- 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
allow_failure: true
only:
- merge_requests
- master
- main
- develop
artifacts:
expire_in: 1 day
reports:
sast: gl-sast-sonar-report.json
dependencies:
- sonarqube-check
SonarScanner for .NETstages:
- sonarqube-check
- vulnerability-report
sonarqube-check:
stage: sonarqube-check
image: mcr.microsoft.com/dotnet/core/sdk:latest
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script:
- "apt-get update"
- "apt-get install --yes openjdk-17-jre"
- "dotnet tool install --global dotnet-sonarscanner"
- "export PATH=\"$PATH:$HOME/.dotnet/tools\""
- "dotnet sonarscanner begin /k:\"projectKey" /d:sonar.token=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" " # Replace "projectKey" with your project key
- "dotnet build"
- "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\""
allow_failure: true
only:
- merge_requests
- master
- main
- develop
vulnerability-report:
stage: vulnerability-report
script:
- 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=<projectKey>&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json' # Replace <projectKey> with your project key
allow_failure: true
only:
- merge_requests
- master
- main
- develop
artifacts:
expire_in: 1 day
reports:
sast: gl-sast-sonar-report.json
dependencies:
- sonarqube-check