22

I am pretty new to the development community and specifically to DevOps practices. As part of a project we are trying to integrate SonarQube with GitLab. I did some R&D on SonarQube and GitLab CI (Continuous Integration) and it looks like a plugin is released for GitHub and SonarQube, whereas not for GitLab.

How realistic is it to configure GitLab with SonarQube for inspecting code quality for every pull request, and what would be the best practice to integrate these two pieces?

Thanks

Adi

5 Answers

25

You don't really need a plugin. Make something like this in your .gitlab-ci.yml:

stages:
- build

build_master:
  image: maven
  stage: build
  artifacts:
    paths:
    - target/*.jar
  script:
  # sonar:sonar runs the analysis and uploads it to the server in sonar.host.url;
  # a server that requires authentication also needs -Dsonar.login=$SONAR_TOKEN,
  # with the token defined as a masked CI/CD variable rather than in this file
  - mvn package sonar:sonar -Dsonar.host.url=https://sonar.yourdomain.tld/
  only:
  - master

And every master push will be tested! (This is for a Java project...)

Joergi
  • This answer is quite limited. How about Windows? How about C# or C++? How about UI links in both tools, if not analysis results displayed in GitLab UI? – Ivan Nov 13 '17 at 16:53
  • Hey Ivan, I'm pretty sure you can build all other things this way too. For Windows stuff, the last time I was using the PowerShell image. – Joergi Nov 13 '17 at 16:57
  • That won't be that easy, trust me. Calling a SonarQube runner is only one aspect of the question. No Windows Docker image would have a SonarQube runner installed. No GitLab version for the moment allows using the Docker executor in a Windows gitlab-runner. There's no free official SonarQube plugin for C++ - but lots of options. Much more manual work. Then another side of the question - UI integration, as I mentioned above. – Ivan Nov 13 '17 at 17:03
18

Currently there are (as far as I am aware) two community-driven plugins which aim to provide MR analysis / integrate with GitLab.

Both of them are currently going through the Feedback phase for their next release and both aim to land into the Update Center with that release.

With both you're able to run a build which will provide comments in GitLab with the newly found violations. Both are highly inspired by SonarSource's GitHub plugin.

However, I'm not in a position to advise you on which of the two to use, as I'm the developer of the first and thus biased.

Johnnei
  • Thanks for the resources @Johnnei. Just a question: is it possible to run any of these on a freestyle project? E.g. non-mvn, and non GitLab CI... Thank you. – Zoette Jun 15 '17 at 02:21
  • As far as I'm aware both plugins are 'just' SonarQube plugins, thus they will work with any Sonar Scanner as long as you provide the correct properties. I mainly used Java/Maven and GitLab CI as that's what I'm most familiar with. – Johnnei Jun 15 '17 at 17:51
  • No plugin is needed here - you just have to get the `.gitlab-ci.yml` right. Have a look at my answer @Johnnei and @Adi – Joergi Sep 13 '17 at 16:13
  • You glanced over the 'for every pull request' part; for standard analysis the sonar-scanner is indeed the only thing you need. – Johnnei Sep 14 '17 at 08:49
  • It seems that - ironically - gabriel's plugin has moved to GitHub: https://github.com/gabrie-allaigre/sonar-gitlab-plugin PS @Johnnei: your git is unreachable for me. – MCO Dec 17 '19 at 13:54
  • @MCO Almost all of my services are down for the time being. But as for mine, I've abandoned my plugin. SonarQube has deprecated the APIs it used and now provides better support with their own 'branch plugin' as part of the Developer Edition. – Johnnei Dec 29 '19 at 04:32
4

I had the same requirement and here is how I implemented it.

Create a runner of the shared type without specifying any tags. Create a .gitlab-ci.yml file with the following contents:

variables:
  # Placeholders only: define these as masked, protected CI/CD variables in the
  # GitLab project settings instead of committing real credentials to the repo.
  SONAR_URL: "http://your_sonar_url"
  SONAR_LOGIN: "sonar_user_id"
  SONAR_PASSWORD: "sonar_password"

sonarqube_master_job:
  stage: test   # "test" is one of GitLab's default stages, so no stages: block is needed
  only:
    - master
  image: maven:3.3.9-jdk-8-alpine
  script:
    # --batch-mode keeps Maven from waiting on interactive input in CI
    - mvn --batch-mode verify sonar:sonar -Dsonar.host.url=$SONAR_URL -Dsonar.login=$SONAR_LOGIN -Dsonar.password=$SONAR_PASSWORD

If you create a runner with specific tags, then you need to mention the tags in the .gitlab-ci.yml file.

You can get more information on adding tags at this link: https://forum.gitlab.com/t/activated-specific-runner-is-not-working/7002

Nithyananth
4

There could be a new alternative (to SonarQube) with GitLab 13.3 (August 2020).

It does not cover everything that SonarQube addresses, but it can focus on the security side of static code analysis, for multiple languages.

SAST security analyzers available for all

We want to help developers write better code and worry less about common security mistakes. Static Application Security Testing (SAST) helps prevent security vulnerabilities by allowing developers to easily identify common security issues as code is being committed and mitigate proactively. As part of our community stewardship commitment we have made all 15 of our open source based SAST analyzers available in every GitLab tier. This allows ALL GitLab users developing in any of our 18 supported languages and frameworks to leverage GitLab SAST in their projects.

Getting started is as easy as using our new guided SAST configuration experience, enabling Auto DevOps, or adding the SAST configuration template to your gitlab-ci.yml file. Customers not on the Ultimate tier can interact with generated SAST vulnerability report by downloading the SAST job artifact. We’ve also updated our docs with details about the tier breakdown for all our SAST features.

https://about.gitlab.com/images/13_3/sast-gitlab-languages.png -- SAST security analyzers available for all

See Documentation and Issue.

And (not free, as opposed to the previous section):

Guided SAST configuration experience

GitLab’s Static Application Security Testing (SAST) now supports a new guided configuration experience. Enabling SAST is now as simple as two clicks. We believe that security is a team effort and this configuration experience makes it easier for non-CI experts to get started with GitLab SAST. The tool helps a user create a merge request to enable SAST scanning while leveraging best configuration practices like using the GitLab-managed SAST.gitlab-ci.yml template and properly overriding template settings.

With GitLab SAST covering 18 languages across 14 analyzers, there are many SAST configuration options and it can be hard to understand and setup. This new guided SAST configuration experience helps anyone get started with SAST, and lays the foundation for us to introduce new configuration options like custom rulesets and more. We also intend to expand this guided experience to our other security scanning tools.

https://about.gitlab.com/images/13_3/SAST_Config_UI_13.3.png -- Guided SAST configuration experience

See Documentation and Issue.


See also GitLab 13.5 (October 2020)

Customizing SAST & Secret Detection rules

GitLab Static Application Security Testing (SAST) and Secret Detection now support customizing detection rules. This allows GitLab users to change the vulnerability detection defaults to tailor results to their organization’s preferences. SAST custom rulesets allow you to exclude rules and modify the behavior of existing rules. Secret Detection now supports disabling existing rules and adding new regex patterns that allow the detection of any type of custom secret.

Custom rulesets can be defined by adding a new file to the .gitlab folder named sast-ruleset.toml or secret-detection-ruleset.toml containing customizations written in the correct notation. You can learn more about this file format and see examples in our documentation for SAST custom rulesets and Secret Detection custom rulesets. We intend to provide additional support for importing custom rulesets in .gitlab-ci.yml files in the future.

https://about.gitlab.com/images/13_5/custom-rulesets-example-13.5.png -- Customizing SAST & Secret Detection rules

See Documentation and Epic.

VonC
3

Below is how I did it for an MVP.

.gitlab-ci.yml

stages:
  - sonarqube_test

sonarqube_test:
  tags:
    - your-tag-attached-to-gitlab-runner   # must match a tag on the registered runner
  stage: sonarqube_test
  script:
    - .cicd/sonarqube.sh   # committed in the repo and marked executable

sonarqube.sh file

#!/bin/bash
#
# sonarqube.sh: downloads a pinned SonarScanner CLI into $HOME and analyzes
# the checked-out project. Called from .gitlab-ci.yml as .cicd/sonarqube.sh
#
set -euo pipefail

SCANNER_VERSION=3.3.0.1492
SCANNER_DIR="$HOME/sonar-scanner-$SCANNER_VERSION-linux"

cd ~

wget "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SCANNER_VERSION-linux.zip"

unzip "sonar-scanner-cli-$SCANNER_VERSION-linux.zip"

rm "sonar-scanner-cli-$SCANNER_VERSION-linux.zip"

# The file only needs to be writable by the job user; world-writable (777) is not needed.
chmod u+w "$SCANNER_DIR/conf/sonar-scanner.properties"

echo 'sonar.host.url=http://<your_sonarqube_server_url>' >> "$SCANNER_DIR/conf/sonar-scanner.properties"

chmod +x "$SCANNER_DIR/bin/sonar-scanner"

# Return to the checkout: after "cd ~", sonar.sources=. would point at the home directory.
cd "$CI_PROJECT_DIR"

# sonar.login expects a SonarQube user token; supply it from a masked CI/CD
# variable rather than pasting it into this script.
"$SCANNER_DIR/bin/sonar-scanner" \
  -Dsonar.projectKey=<project_name> \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://<your_sonarqube_server_url> \
  -Dsonar.login=<token_from_gitlab_UI>

rahuljain1311
  • `wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.3.0.1492-linux.zip` This is now failing. You got any suggestions? `Connecting to binaries.sonarsource.com (binaries.sonarsource.com)|91.134.125.245|:443... failed: Connection refused.` – devil-0-per May 27 '20 at 05:21
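The .gitlab-ci.yml answers from Joergi, Nithyananth and rahuljain1311 all pin the analysis to master, and one puts credentials in the file, while the question asked about every pull request. As an added example (not code from any answer on this page), the script below builds the scanner flags from GitLab's predefined CI variables so one job serves both master pushes and merge-request pipelines, and takes the token from a masked variable. It assumes the variable names SONAR_HOST_URL and SONAR_TOKEN, a scanner that honours sonar.qualitygate.wait, and SonarQube Developer Edition or above for the sonar.pullrequest.* properties.

```shell
#!/bin/sh
# sonar-analyze.sh: added example, not code from any answer on this page.
# Builds the sonar-scanner flags from GitLab's predefined CI variables so one
# job covers both master pushes and merge-request pipelines, and refuses to
# run if the token is missing or the server URL is not HTTPS.
# Assumes SONAR_HOST_URL and SONAR_TOKEN are masked, protected CI/CD
# variables (never literals in .gitlab-ci.yml) and sonar-scanner is on PATH.
set -eu

# Fail fast instead of sending an empty or plaintext credential.
require_secrets() {
  [ -n "${SONAR_HOST_URL:-}" ] || { echo "SONAR_HOST_URL is not set" >&2; return 1; }
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  case "$SONAR_HOST_URL" in
    https://*) return 0 ;;
    *) echo "refusing to send a token over non-TLS URL: $SONAR_HOST_URL" >&2; return 1 ;;
  esac
}

# Print one scanner flag per line. Merge-request pipelines (CI_MERGE_REQUEST_IID
# is set) get the sonar.pullrequest.* properties, which need SonarQube
# Developer Edition or above; every other pipeline gets sonar.branch.name.
sonar_flags() {
  printf '%s\n' \
    "-Dsonar.host.url=$SONAR_HOST_URL" \
    "-Dsonar.projectKey=${SONAR_PROJECT_KEY:-$CI_PROJECT_PATH_SLUG}" \
    "-Dsonar.sources=." \
    "-Dsonar.qualitygate.wait=true"   # make the job fail when the quality gate fails
  if [ -n "${CI_MERGE_REQUEST_IID:-}" ]; then
    printf '%s\n' \
      "-Dsonar.pullrequest.key=$CI_MERGE_REQUEST_IID" \
      "-Dsonar.pullrequest.branch=$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" \
      "-Dsonar.pullrequest.base=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
  else
    printf '%s\n' "-Dsonar.branch.name=$CI_COMMIT_REF_NAME"
  fi
}

# The token is kept out of sonar_flags and passed last. Word-splitting of
# $(sonar_flags) is intended: git refs, project keys and URLs cannot contain
# whitespace or glob characters. GitLab masks the token's value in job logs.
main() {
  require_secrets
  # shellcheck disable=SC2046
  sonar-scanner $(sonar_flags) -Dsonar.login="$SONAR_TOKEN"
}

# From .gitlab-ci.yml:  script: [ "sh .cicd/sonar-analyze.sh main" ]
if [ "$#" -gt 0 ]; then "$@"; fi
```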