Allow global/enterprise policy to be set in Quality Gate that cannot be bypassed

  • The version of SonarQube: 9.2.4.50792. This has 2 questions:
  • Is there a way to allow global/enterprise policy to be set in Quality Gate that cannot be bypassed?
  • Is there a way to configure sonarqube to not flag new issues being detected by a new rule until a grace period? For example, a new rule which is flagging the word ‘password is here’ appears and the quality gate fails. Is there a way to show the new issues being flagged by this new rule but not actually failing the quality gate, maybe until 15 days (from when the rule is created)?

Hey there.

This is the point of a Quality Gate – the set of standards that must be adhered to in order for code to be shippable. Is there something that makes you think they can be bypassed?

Can you explain why this would be favorable? It would be pretty bad if a password was merged into master the day before a release… but doesn’t fail the quality gate until 15 days later.

I’m talking about the policy that shouldn’t be bypassed. There can be different policies that are configured. But if we select a company level policy, the users shouldn’t be able to override that policy.

I’m not talking about a password rule, but that’s just an example. Password rules should have been implemented well before (technically). It’s just about giving the teams time to address the new rule issues so as to not block them if the new rule came in a day before release.

Hey there.

It sounds like you’re asking for a concept of inheritance in Quality Gates (where a parent Quality Gate has the standards that must be adhered to, and additional ones can be added in Quality Gates that extend from this).

While this is possible for Quality Profiles, such a concept doesn’t exist for Quality Gate.

SonarQube does its best to backdate existing issues so that when new rules are introduced or rules changed, the issue creation date is set to the date the line last changed, so it shouldn’t pollute the New Code Period. By default, Quality Gates focus exclusively on New Code.

You can read more about issue backdating here.
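To illustrate why backdating answers the grace-period question, here is a small added simulation (not SonarQube code, and not from anyone in this thread). It assumes constructed blame dates for a file, a constructed list of lines that a newly enabled rule flags, and an assumed New Code Period start; it contrasts dating every issue on the analysis date with dating it on the line's last change, and shows that only findings on recently changed lines count against a New Code gate condition.

```python
from datetime import date

# Constructed sample (assumption, not data from SonarQube): the date each
# line of one file was last changed, as git blame would report it.
BLAME = {
    10: date(2021, 6, 1),
    11: date(2021, 6, 1),
    42: date(2022, 3, 14),   # touched the day before the analysis
}

# Constructed: lines that a rule enabled today flags on the next analysis.
FLAGGED_LINES = [10, 11, 42]

ANALYSIS_DATE = date(2022, 3, 15)
NEW_CODE_PERIOD_START = date(2022, 3, 1)   # assumed period boundary


def date_issues_naively(flagged_lines, analysis_date):
    """Without backdating: every issue is 'created' on the analysis date,
    so a new rule dumps all its findings into the New Code Period."""
    return {line: analysis_date for line in flagged_lines}


def date_issues_backdated(flagged_lines, blame):
    """Backdating: the issue's creation date is the date the line last
    changed, so findings on untouched old code stay out of New Code."""
    return {line: blame[line] for line in flagged_lines}


def issues_in_new_code(issues, period_start):
    """Lines whose issue creation date falls inside the New Code Period."""
    return sorted(line for line, created in issues.items() if created >= period_start)


def gate_passes(issues, period_start):
    """A gate condition of the form 'new issues on New Code == 0'."""
    return len(issues_in_new_code(issues, period_start)) == 0


if __name__ == "__main__":
    naive = date_issues_naively(FLAGGED_LINES, ANALYSIS_DATE)
    backdated = date_issues_backdated(FLAGGED_LINES, BLAME)
    print("naive dating, lines counted as new:", issues_in_new_code(naive, NEW_CODE_PERIOD_START))
    print("backdated, lines counted as new:", issues_in_new_code(backdated, NEW_CODE_PERIOD_START))
    print("gate passes (backdated):", gate_passes(backdated, NEW_CODE_PERIOD_START))
```

With backdating, the two findings on lines untouched since 2021 never enter the New Code Period, while the finding on line 42 still fails the gate because that line really did change yesterday, which is the behaviour the reply above describes.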