Packmind Cloud Changelog Get support Join Slack

SonarQube Integration

PreviousRun with Docker NextRun in Gitlab CI

Last updated 4 months ago

Was this helpful?

SonarQube Integration

The SonarQube integration makes it possible to include in the SonarQube dashboard results from the source code analysis by Packmind. We use the feature "" for that, allowing external issues to be integrated into the SonarQube reports.

This page introduces how to use the Packmind CLI to generate a report that SonarQube will ingest.

We didn't develop a classic plugin for SonarQube since this approach is more appropriate with a pre-defined set of coding rules. Packmind does not work like this, as each customer will create its own set of coding standards.

There are some limitations to this mechanism, according to the SonarQube documentation:

You can't manage them within SonarQube. For example, you can't mark them as false positives. But you can change the issue type (Bug, Vulnerability, Code Smell) or the severity (Minor, ...).
You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

Integration

The key concept is simple: you can use either the Docker/Npm/Maven version of the Packmind CLI to generate one or multiple output files using the sonarqube formatter (check the CLI options).

Then, the Sonar Scanner CLI must ingest the output files using the argument:

-Dsonar.externalIssuesReportPaths=<your_path>

With the Npm/Docker CLI

stages:
    - packmind
    - sonarqube

# Assume PACKMIND_API_KEY is set as CI/CD Variables
packmind-detect:
  stage: packmind
  image:
    name: promyze/packmind-cli:latest
    entrypoint: [""]
  artifacts:
    paths:
      - packmind-scan.json
  script:
    - packmind-scanner scan . --formatters=console,sonarqube --output=packmind-scan.json

# Assume SONAR_HOST_URL and SONAR_LOGIN are set as CI/CD Variables
sonarqube-scan:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - packmind-scan.json
  allow_failure: true
  script:
    - sonar-scanner -Dsonar.projectKey=your-key -Dsonar.qualitygate.wait=true -Dsonar.externalIssuesReportPaths=packmind-scan.json
```

More suggestions?