SonarQube Scanning in CI/CD

SonarQube analysis runs automatically in every pipeline during the test stage.

How It Works

  1. Pipeline triggers — on every push to any branch
  2. SonarQube scanner runs in the test stage
  3. Results uploaded to the SonarQube server
  4. Quality Gate evaluated — pass or fail

Pipeline Job

The sonarqube job in .gitlab-ci.yml:

sonarqube:
  stage: test
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  script:
    - sonar-scanner
      -Dsonar.projectKey=$SONAR_PROJECT_KEY
      -Dsonar.host.url=$SONAR_HOST_URL
      -Dsonar.token=$SONAR_TOKEN
  tags:
    - small

Configuration

Each project has a sonar-project.properties file in its root:

sonar.projectKey=orchestrator-server
sonar.sources=src
sonar.tests=tests
sonar.python.coverage.reportPaths=coverage.xml

Viewing Results

  1. After the pipeline completes, open SonarQube
  2. Navigate to your project
  3. The latest analysis shows new issues introduced by your branch

Quality Gate Failures

If the quality gate fails:

  1. Check the pipeline job log for a summary
  2. Open SonarQube and look at the New Code tab
  3. Fix the reported issues (bugs, vulnerabilities, code smells)
  4. Push a new commit — the pipeline will re-analyze
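
To make the pass/fail step concrete, here is an added example (not part of this page or the project's pipeline) that reads the report-task.txt sonar-scanner leaves in .scannerwork and summarizes a quality gate result the way the job-log summary in step 1 does. The server URL, task id and JSON payload are constructed samples shaped like the real file and the /api/qualitygates/project_status response; no server is contacted.

```python
"""Summarize a SonarQube quality gate result for a pipeline log.

Added example, not the project's code. Both inputs are constructed samples
shaped like the real scanner output and Web API response; nothing is fetched.
"""
import json

# Constructed sample of .scannerwork/report-task.txt written by sonar-scanner.
REPORT_TASK_TXT = """projectKey=orchestrator-server
serverUrl=https://sonar.example.internal
ceTaskId=CONSTRUCTED-TASK-ID
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=CONSTRUCTED-TASK-ID
"""

# Constructed sample of a failing /api/qualitygates/project_status response.
# A condition fails when: actualValue <comparator> errorThreshold.
PROJECT_STATUS_JSON = """{"projectStatus": {"status": "ERROR", "conditions": [
  {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
   "comparator": "LT", "errorThreshold": "100", "actualValue": "50"},
  {"status": "OK", "metricKey": "new_coverage",
   "comparator": "LT", "errorThreshold": "80", "actualValue": "91.2"},
  {"status": "ERROR", "metricKey": "new_vulnerabilities",
   "comparator": "GT", "errorThreshold": "0", "actualValue": "2"}]}}"""


def parse_report_task(text):
    """Parse the key=value lines of report-task.txt into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def status_url(report, branch=None):
    """Build the project_status URL; feature branches pass their name."""
    url = (f"{report['serverUrl']}/api/qualitygates/project_status"
           f"?projectKey={report['projectKey']}")
    return url + (f"&branch={branch}" if branch else "")


def failed_conditions(status_json):
    """Return (passed, summary lines) for a project_status payload."""
    gate = json.loads(status_json)["projectStatus"]
    lines = [f"{c['metricKey']}: {c['actualValue']} (fails when "
             f"{c['comparator']} {c['errorThreshold']})"
             for c in gate["conditions"] if c["status"] == "ERROR"]
    return gate["status"] == "OK", lines


if __name__ == "__main__":
    report = parse_report_task(REPORT_TASK_TXT)
    print("poll task:", report["ceTaskUrl"])
    print("gate URL: ", status_url(report, branch="feature/example"))
    passed, lines = failed_conditions(PROJECT_STATUS_JSON)
    print("Quality Gate:", "PASSED" if passed else "FAILED")
    for line in lines:
        print("  -", line)
```

The ceTaskUrl is what you would poll until the background task reports SUCCESS before asking for the gate status; with a plain pipeline log this is the shape of information to look for.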

Branch Analysis

  • main branch: Full analysis, quality gate enforced
  • Feature branches: Analyzes only new/changed code compared to main
  • MR decoration: SonarQube posts findings as comments on the MR (if configured)