Add SonarQube quality gates to your Jenkins build pipeline

  • Published on 4 Jul 2024
  • Automate your code quality by integrating SonarQube and Jenkins with the SonarQube Scanner Jenkins plugin!
    SonarQube is an excellent tool for measuring code quality, using static analysis to find code smells, bugs, vulnerabilities, and poor test coverage. Rather than manually analysing the reports, why not automate the process by integrating SonarQube with your Jenkins continuous integration pipeline? This way, you can configure a quality gate based on your own requirements, ensuring bad code always fails the build.
    You’ll learn exactly how to do that in this video, through a full worked example where we add SonarQube analysis and SonarQube quality gate stages to a Jenkins pipeline.
    This video contains:
    ▶️Introduction 0:00
    ▶️Overview 0:18
    ▶️SonarQube & Jenkins 0:59
    ▶️Full worked example 2:40
    ▶️Running the pipelines 13:30
    Here are some useful resources:
    ✅Here's the accompanying article outlining all the steps from this video jenkinshero.com/sonarqube-qua...
    ✅This GitHub repository has everything required to get the example from the video up and running fast. Jenkins is set up through configuration-as-code, so you just need to follow the steps from the video to set up SonarQube: github.com/tkgregory/sonarqub...
    ✅Here's the docs on the SonarQube Scanner Jenkins plugin
  • Science & Technology
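
The two stages the description refers to, sketched as a declarative Jenkinsfile. This is an added example, not the code from the video or its repository. It assumes a SonarQube server registered in Jenkins under the hypothetical name 'SonarQube', a Gradle Wrapper project with the SonarQube Gradle plugin applied, and a SonarQube webhook pointing at the Jenkins `/sonarqube-webhook` endpoint.

```groovy
// Added example (not from the video): SonarQube analysis + quality gate stages.
// Assumption: 'SonarQube' is the server name configured under
// Manage Jenkins > System; change it to match your installation.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh './gradlew clean build'
            }
        }
        stage('SonarQube analysis') {
            steps {
                // Injects the server URL and token held in Jenkins, so no
                // SonarQube credentials are committed to the repository.
                withSonarQubeEnv('SonarQube') {
                    sh './gradlew sonarqube'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // The result is delivered by the SonarQube webhook. The timeout
                // keeps a missing or unreachable webhook from hanging the
                // build indefinitely; it fails the stage instead.
                timeout(time: 5, unit: 'MINUTES') {
                    // abortPipeline: true fails the build when the gate is not OK.
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

`waitForQualityGate` must run after `withSonarQubeEnv` in the same build, because it relies on the analysis task recorded by that step.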

Comments • 46

  • @filz4461 1 year ago +1

    You are amazing Tom! That Webook was wild :)

  • @shanmugakesavan1918 2 years ago +2

    Thank you, it was helpful, it gives an overall idea of how Jenkins and SonarQube can be integrated. I liked your teaching style.

  • @anaschtourou288 3 years ago +1

    Amazing video! Thanks Tom!

  • @norbertwj 3 years ago

    Awesome work! It helped a ton! Congratulations

  • @Rodrigo-tb5ij 2 years ago +1

    Thank you, Tom! Your video really helped me.

  • @chethannag7389 2 years ago +1

    Thanks, it was very helpful, I was able to set up quality gates.

  • @joeygarcia7826 2 years ago +1

    Really nice guy! Great teacher too! I'm subscribing!

  • @ghauri001 3 years ago +1

    Thank you so much, very helpful

  • @tallbenito 3 years ago +1

    Wow, this video was very timely-- I just set up SonarQube recently to scan some projects at work, and my next task is to set up Quality Gates in order to fail the pipeline. Thanks Tom!

    • @TomGregoryTech 3 years ago

      Sounds like good timing then :) Glad it helped you

  • @dkcarey1 2 years ago +1

    Haha so funny, I did see you write webhook wrong and thought "oops, this will cause a road bump". Great video, caused an instant subscribe from me

    • @TomGregoryTech 2 years ago

      Thanks! Making typos is one of my superpowers :)

  • @HaiTran-vw4xo 2 years ago +1

    so touching for an excellent video

  • @faisaladil5793 3 years ago +1

    excellent 🙏

  • @maryannthomas5456 3 years ago +1

    You will also need to install Gradle and JUnit plugins in your Jenkins

  • @hprangana 2 years ago +1

    thanks, it is worthy

  • @chetanpatel1464 1 year ago

    Thanks

  • @milindchavan007 3 years ago

    This is very cool, simple to understand, nicely explained.
    Could you please post a video on how we can run Selenium test cases and get the results as pass or fail to move ahead in the pipeline, like you did with the sonar scan?
    Cheers!

    • @TomGregoryTech 3 years ago

      Nice video idea Milind. I added it to my ideas backlog :)

  • @chsri5 2 years ago

    Hey Tom! Always thankful for the information. Could you please tell me whether it is possible to make an unstable build in Jenkins stable/successful? If possible, in which way can I accomplish it …

    • @TomGregoryTech 2 years ago

      Hi. I'm not really sure what you're asking for here.

  • @mrraj7153 3 years ago

    That was a great explanation. I have sonar scan and quality gate enabled using Groovy in a declarative pipeline. But I have some freestyle jobs for which sonar scan is enabled by installing the plugin and adding SonarQube execution in the build section. How do I add a quality gate in freestyle jobs? Thanks in advance

    • @TomGregoryTech 3 years ago

      Hey M Raj. That is a good question!
      Once you have the SonarQube Scanner Jenkins plugin installed, in your job configuration you can click Add build step > Execute SonarQube Scanner. Here you can set various configurations.
      I haven't used the plugin with freestyle projects before, but I don't think it allows you to wait for quality gate results. Please let me know how you get on.

  • @ksmith169 3 years ago

    Hi Tom, Great Video. How hard would it be to get this working on Red Hat OpenShift? I tried just running but it fails at the gradlew sonarqube line. It tries to download gradle but fails. Is there a recommended gradle plug-in I could download to Jenkins in advance and use?

    • @TomGregoryTech 3 years ago

      Hi Kevin. I haven't used Red Hat OpenShift before, but imagine it's not too hard if you know what you're doing.
      You can install Gradle on Jenkins up front, but you lose all the advantages of the Gradle Wrapper (Gradle version set by project etc.). If you want to do that you could try out the Gradle Jenkins plugin plugins.jenkins.io/gradle or if you have a custom Jenkins Docker image install Gradle on there.

  • @luizhpriotto 3 years ago

    Thanks for sharing! Do you know if there is a way to insert the result report of Sonar inside of Jenkins? Thx

    • @TomGregoryTech 3 years ago

      Hi Luiz. What kind of information are you hoping to make available in Jenkins?
      Most of the SonarQube report is held in SonarQube. Only minimal details are sent back to Jenkins in the webhook request (see details here docs.sonarqube.org/latest/project-administration/webhooks/). I think you'd have to write something custom to make any of this available to you in Jenkins.
      But the SonarQube Scanner Jenkins plugin does add a link to the SonarQube project page from the Jenkins job page. Might that be good enough for you?

    • @luizhpriotto 3 years ago

      @TomGregoryTech You are right!

  • @shraddhapatare6561 2 years ago

    Hi Tom, can you please explain how we can add SonarQube in the build lifecycle?

    • @TomGregoryTech 2 years ago

      Hi Shraddha. Can you please describe what you're looking for that isn't covered by the video?

  • @manum5117 2 years ago

    Hi Tom
    Could you please explain how we can resolve the pending background tasks error? In my case I got execution success rather than build success

    • @TomGregoryTech 2 years ago +1

      Hi Manu. Can you give some more context please? Or send an email (address on website).

  • @nelsonjunior7554 3 years ago

    What if my project does not have gradlew, or if I want to use the same pipeline for different git repos, and only change the URL as needed? Is that even possible? D:

    • @TomGregoryTech 3 years ago

      Hi. 1) SonarQube supports running the scanner directly as well as within other build tools such as Maven. 2) Look into shared libraries as a way to reuse the same Jenkins pipeline between repositories. Hope it helps.

    • @nelsonjunior7554 3 years ago +1

      @TomGregoryTech I found a very messy way of doing this, by installing the scanner file directly inside the Jenkins Docker, and adding the .properties file on the git repo, with the keyID from Sonar.
      Now it works with whatever GitHub link I set there (thankfully),
      but thanks for the explanation :p

  • @SilentWalk18 2 years ago

    Hello. I am unable to get the sonarqube gate way to fail in Jenkins. I see it failing in sonarqube but not in the Jenkins. Any idea what it could be?

    • @TomGregoryTech 2 years ago

      Hi Bishop. What does the Jenkins job console output show under "Quality gate" stage?

    • @SilentWalk18 2 years ago +1

      @TomGregoryTech Hey, I got it to work by adding the webhook directly to the project in SonarQube. For some reason it was unable to use the "global one".
      As for your question, it was outputting "Quality gate is 'OK'", despite it not being 'OK' in SonarQube.
      If anyone else has the issue, I did this in SonarQube:
      Projects > Select the project > Project Settings Dropdown > Webhooks > (for me it was blank) Create > Name: Jenkins, URL: JENKINS_IP:8080/sonarqube-webhook
      I should add that I am running Jenkins and SonarQube each in their own Docker containers.

  • @saeedbafandeh1631 3 years ago

    Hello dear engineer,
    We established "a remote git server" and "a SonarQube Community Edition, ver. 8.4" separately.
    We also have Jenkins, Docker and Ansible.
    Before any push to a remote SCM, we want the user's newly committed code to be analyzed by SonarQube.
    If the scan result and quality gates pass, then the new code is pushed to the repository; otherwise, an appropriate message is given to the user and the push action is canceled.
    We almost realized that we can use the "pre-receive hook" or "update hook" in the remote git repository with the following settings to connect to the relevant project in SonarQube:
    -Dsonar.projectKey= ProjectKey
    -Dsonar.projectName= ProjectName
    -Dsonar.host.url= SonarQubeURL
    -Dsonar.login= SonarQubeToken
    -Dsonar.sources= SourcePath
    -Dsonar.qualitygate.wait= true
    Is using the above method the correct thing to do?
    And are the written settings right and sufficient?
    Do you suggest a better solution?
    Thank you very much for any help.
    Best regards…

    • @TomGregoryTech 3 years ago

      Hi Saeed. It depends on your branch setup as to what the best option is. If you're using feature branches you could perform SonarQube analysis on the branch before it gets merged to master, using Jenkins. This recent article might help tomgregory.com/sonarqube-branch-analysis/

  • @cranforddev4114 1 year ago

    : Error during SonarScanner execution
    org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property.
    @Tom Gregory please help me

    • @TomGregoryTech 1 year ago

      Hi. Did you try the example project? I just checked it and it's working. I think that would be a good starting point, as I don't know how your project that is producing the error is set up. github.com/tkgregory/sonarqube-jenkins-example