
Integrating SonarQube Code Scanning with GitLab Commit Status

This guide explains how to install SonarQube and Sonar-scanner, configure scanning parameters, add the Sonar-GitLab plugin, and use additional properties to link scan results to GitLab commit statuses, enabling pipeline-based merge request control.

DevOps Cloud Academy

First, install a SonarQube server, then download and install the Sonar-scanner tool.

Scanner download link: https://docs.sonarqube.org/7.9/analysis/scan/sonarscanner/

sonar-scanner \
-Dsonar.projectKey=microservicecicd-demo-service \
-Dsonar.projectName=microservicecicd-demo-service \
-Dsonar.projectVersion=1.1.1 \
-Dsonar.ws.timeout=30 \
-Dsonar.projectDescription="xxxxxxx" \
-Dsonar.links.homepage=http://www.baidu.com \
-Dsonar.sources=src \
-Dsonar.sourceEncoding=UTF-8 \
-Dsonar.java.binaries=target/classes \
-Dsonar.java.test.binaries=target/test-classes \
-Dsonar.java.surefire.report=target/surefire-reports \
-Dsonar.host.url="http://sonar.idevops.site" \
-Dsonar.login=7c7b5f890dcb3c0ddf6d187fe47a8482f3430c74

The result of the scan is shown below:

Linking Scan Results to Git Commit

Install the Sonar-GitLab plugin (download from https://github.com/gabrie-allaigre/sonar-gitlab-plugin/tree/4.1.0-SNAPSHOT), place the JAR in SonarQube's plugin directory, grant execution permissions, and restart SonarQube.

The key plugin property, -Dsonar.gitlab.failure_notification_mode, is set to commit-status to update the GitLab commit status, or to nothing to take no action. The following properties are appended to the sonar-scanner command above:

-Dsonar.gitlab.commit_sha=d0f7c74a058df8e935f1e247a68ac23d7d864295 \
-Dsonar.gitlab.ref_name=master \
-Dsonar.gitlab.project_id=39 \
-Dsonar.dynamicAnalysis=reuseReports \
-Dsonar.gitlab.failure_notification_mode=commit-status \
-Dsonar.gitlab.url=http://gitlab.idevops.site \
-Dsonar.gitlab.user_token=ABtkz-f_zkyRXAMeBZSc \
-Dsonar.gitlab.api_version=v4

commit_sha: GitLab commit ID

ref_name: GitLab branch name

project_id: GitLab project ID

dynamicAnalysis: fixed value reuseReports

Effect of the configuration:

The plugin updates the pipeline status of the corresponding commit ID, allowing GitLab merge requests to be merged only after a successful pipeline, thereby enforcing quality gates based on SonarQube analysis.
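The same scanner invocation, adapted for a GitLab CI job, as an added example that is not part of the original article: the commit SHA, branch, project id and GitLab URL are read from GitLab's predefined CI variables instead of being copied by hand, and the two tokens are read from CI variables (SONAR_TOKEN and SONAR_GITLAB_TOKEN are assumed names) rather than written into the command line.

```shell
#!/bin/sh
# Added example (not from the original article): run sonar-scanner from a
# GitLab CI job. Commit SHA, branch, project id and GitLab URL come from
# GitLab's predefined CI variables; the tokens come from masked CI variables
# (SONAR_TOKEN and SONAR_GITLAB_TOKEN are assumed names), so no secret or
# per-commit value is typed into the command line.
# Fail with a clear message if a required environment variable is unset.
require_var() {
    eval "val=\${$1:-}"
    [ -n "$val" ] && return 0
    echo "missing required variable: $1" >&2
    return 1
}
# Dry-run "scanner" used in place of sonar-scanner to inspect the arguments.
print_args() {
    printf '%s\n' "$@"
}
# Usage: run_sonar_scan [commit-status|nothing]
# Set SONAR_SCANNER=print_args to list the arguments without scanning.
run_sonar_scan() {
    mode="${1:-commit-status}"
    case "$mode" in
        commit-status|nothing) ;;
        *) echo "invalid sonar.gitlab.failure_notification_mode: $mode" >&2; return 1 ;;
    esac
    for v in CI_COMMIT_SHA CI_COMMIT_REF_NAME CI_PROJECT_ID CI_SERVER_URL \
             SONAR_HOST_URL SONAR_TOKEN SONAR_GITLAB_TOKEN SONAR_PROJECT_KEY; do
        require_var "$v" || return 1
    done
    # One quoted argument per property, so values with spaces stay intact.
    "${SONAR_SCANNER:-sonar-scanner}" \
        "-Dsonar.projectKey=$SONAR_PROJECT_KEY" \
        "-Dsonar.host.url=$SONAR_HOST_URL" \
        "-Dsonar.login=$SONAR_TOKEN" \
        "-Dsonar.gitlab.commit_sha=$CI_COMMIT_SHA" \
        "-Dsonar.gitlab.ref_name=$CI_COMMIT_REF_NAME" \
        "-Dsonar.gitlab.project_id=$CI_PROJECT_ID" \
        "-Dsonar.gitlab.url=$CI_SERVER_URL" \
        "-Dsonar.gitlab.user_token=$SONAR_GITLAB_TOKEN" \
        "-Dsonar.gitlab.api_version=v4" \
        "-Dsonar.dynamicAnalysis=reuseReports" \
        "-Dsonar.gitlab.failure_notification_mode=$mode"
}

# Only scan when invoked explicitly: sh scan.sh run [mode]
if [ "${1:-}" = "run" ]; then
    run_sonar_scan "${2:-commit-status}"
fi
```

In a .gitlab-ci.yml job, the script line is simply `sh scan.sh run`, with SONAR_TOKEN and SONAR_GITLAB_TOKEN defined as masked CI/CD variables.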
