Gitlab integration with SonarQube

Question

I am pretty new to Development community and specifically to DevOps practices , as a part of project we are trying to integrate SonarQube with Gitlab , did some R& D on Sona

Answer 1

There could be a new alternative (to SonarQube) with GitLab 13.3 (August 2020)

It does not cover everything that SonarQube address, but can focus on the security side of the static code analysis, for multiple languages.

SAST security analyzers available for all

We want to help developers write better code and worry less about common security mistakes. Static Application Security Testing (SAST) helps prevent security vulnerabilities by allowing developers to easily identify common security issues as code is being committed and mitigate proactively. As part of our community stewardship commitment we have made all 15 of our open source based SAST analyzers available in every GitLab tier. This allows ALL GitLab users developing in any of our 18 supported languages and frameworks to leverage GitLab SAST in their projects.

Getting started is as easy as using our new guided SAST configuration experience, enabling Auto DevOps, or adding the SAST configuration template to your gitlab-ci.yml file. Customers not on the Ultimate tier can interact with generated SAST vulnerability report by downloading the SAST job artifact. We’ve also updated our docs with details about the tier breakdown for all our SAST features.

See Documentation and Issue.

And (not free, as opposed to the previous section):

Guided SAST configuration experience

GitLab’s Static Application Security Testing (SAST) now supports a new guided configuration experience. Enabling SAST is now as simple as two clicks. We believe that security is a team effort and this configuration experience makes it easier for non-CI experts to get started with GitLab SAST. The tool helps a user create a merge request to enable SAST scanning while leveraging best configuration practices like using the GitLab-managed SAST.gitlab-ci.yml template and properly overriding template settings.

With GitLab SAST covering 18 languages across 14 analyzers, there are many SAST configuration options and it can be hard to understand and setup. This new guided SAST configuration experience helps anyone get started with SAST, and lays the foundation for us to introduce new configuration options like custom rulesets and more. We also intend to expand this guided experience to our other security scanning tools.

See Documentation and Issue.

---

See also GitLab 13.5 (October 2020)

Customizing SAST & Secret Detection rules

GitLab Static Application Security Testing (SAST) and Secret Detection now support customizing detection rules. This allows GitLab users to change the vulnerability detection defaults to tailor results to their organization’s preferences. SAST custom rulesets allow you to exclude rules and modify the behavior of existing rules. Secret Detection now supports disabling existing rules and adding new regex patterns that allow the detection of any type of custom secret.

Custom rulesets can be defined by adding a new file to the .gitlab folder named sast-ruleset.toml or secret-detection-ruleset.toml containing customizations written in the correct notation. You can learn more about this file format and see examples in our documentation for SAST custom rulesets and Secret Detection custom rulesets. We intend to provide additional support for importing custom rulesets in .gitlab-ci.yml files in the future.

See Documentation and Epic.

Answer 2

Currently there are (as far I am aware) two community driven plugins which aim to provide MR-analysis/integrate with GitLab.

Both of them are currently going through the Feedback phase for their next release and both aim to land into the Update Center with that release.

• (No longer supported due deprecations in SonarQube) https://git.johnnei.org/Johnnei/sonar-gitlab-plugin | RFF for 0.2.0
• https://gitlab.talanlabs.com/gabriel-allaigre/sonar-gitlab-plugin | RFF for 2.0.0

With both you're able to run a build which will provide comments in GitLab with the newly found violations. Both are highly inspired by SonarSource's GitHub plugin.

However I'm not in the position to advise you on which of the two to use as I'm the developer the first and thus biased.

Answer 3

Below is how I did for a MVP.

.gitlab-ci.yml

stages:
 - sonarqube_test

sonarqube_test:
  tags:
  - your-tag-attached-to-gitlab-runner
  stage: sonarqube_test
  script:
  - .cicd/sonarqube.sh

sonarqube.sh file

#!/bin/bash
#
# Args: deploy.sh
#

cd ~

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.3.0.1492-linux.zip

unzip sonar-scanner-cli-3.3.0.1492-linux.zip

rm sonar-scanner-cli-3.3.0.1492-linux.zip

chmod 777 sonar-scanner-3.3.0.1492-linux/conf/sonar-scanner.properties

echo 'sonar.host.url=http://<your_sonarqube_server_url>' >> sonar-scanner-3.3.0.1492-linux/conf/sonar-scanner.properties

chmod +x sonar-scanner-3.3.0.1492-linux/bin/sonar-scanner

sonar-scanner-3.3.0.1492-linux/bin/sonar-scanner \
  -Dsonar.projectKey=<project_name> \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://<your_sonarqube_server_url> \
  -Dsonar.login=<token_from_gitlab_UI>

Answer 4

I was into same requirement and here is how I implemented,

Create a runner without specifying any tags and of shared type. Create a file .gitlab-ci.yml file with the following commands,

variables:
  SONAR_URL: "http://your_sonar_url"
  SONAR_LOGIN: "sonar_user_id"
  SONAR_PASSWORD: "sonar_password"

sonarqube_master_job:
  stage: test
  only:
    - master
  image: maven:3.3.9-jdk-8-alpine
  script:
    - mvn --batch-mode verify sonar:sonar -Dsonar.host.url=$SONAR_URL -Dsonar.login=$SONAR_LOGIN -Dsonar.password=$SONAR_PASSWORD

If you create runner with specific tags, then you need to mention the tags in the .gitlab-ci.yml file

you can get more information on adding tags in this link, https://forum.gitlab.com/t/activated-specific-runner-is-not-working/7002

Answer 5

you don't really need a plugin. make something like this in your .gitlab-ci.yml

stages: 
- build 
build_master:
  image: maven
  stage: build
  artifacts:
    paths:
    - target/*.jar
  script:
  - mvn package sonar:sonar -Dsonar.host.url=https://sonar.yourdomain.tld/ 
  only:
  - master

and every master push will be tested! (this is for a Java project...)