A few questions from an evaluation of SonarQube

Hi there,
We are currently evaluating SonarQube for our developers and they had a couple of questions. I was hoping that someone may be able to shed some light on some answers. Thanks in advance.

How to easily re-test within the GUI? Or does this always need to be done via Command Prompt?

How to add / remove rules?

What dictates Pass, Failure, etc.?

Is higher level reporting available, e.g. encompass review of all projects to see common vulnerabilities / hotspots etc.?

Ability to export reports to file?

Can user setup be configured by user / team – only see your / your team's checks?


o How often?

o Where do the updates come from? OWASP etc.?

Ability to integrate with GitLab / PITSS, etc.?

o Scan project from GitLab?


Welcome to the community!

Generally, we try to keep it to one question per thread. Otherwise things get messy fast. So if you have followups, you’ll need to split them off into new threads. And I’ll address your laundry list here. :slight_smile:

I guess you mean that after you’ve applied some configuration change, can you see the effect without re-analysis? Sorry, no.

Here are the docs.

You do! :smiley:

You can see all issues in the instance at the top-level Issues page. From the facets on that page you can get counts per rule, per type & so on. You may also be interested in Portfolios, which are a feature of Enterprise Edition ($$).

There’s a community plugin for that (CNES Reports IIRC). Nothing native.

Not following. You probably need to open a new thread to explore this one.

I guess you mean of SonarQube itself…?
SonarQube is released every ~2mo.
Each new release adds rules in one or more languages. We get rule ideas from many sources, OWASP among them.

You can certainly check out and analyze GitLab projects. Developer Edition ($) also supports analysis and decoration of Merge Requests.


Wow, thanks for the reply. That’s really helpful and sorry for the faux pas on asking too many questions at once.