Automated scan on new code -- How do I specify the quality gate for the first scan to use?

My organization has a shared set of steps that every build pipeline uses, including steps for SonarQube analysis. We have our default gate define the baseline requirements for all projects, and our shared steps ensure the code meets these requirements.

However, some teams would like to ensure that all their code always meets more stringent requirements beyond what is required by the default gate. This should include any new code/pipelines added for their team. Our shared steps have what is needed to determine the quality gate desired for a pipeline, and we would like to use this to ensure that SonarQube checks the code against the desired gate.

The challenge we are facing is that when new projects come along and use our steps, they will end up in the default gate for the first run (and subsequent runs until we fix it).

We have considered manually creating the projects via API, assigning the quality gate, then letting the scan run, as I believe David has done in this thread, but there are some challenges with this:

  • We don’t know for certain what the project key will be, since some projects use the build tool integration (e.g., Maven) to determine the project key. We could try to handle all these scenarios, but we would have to do it for each technology we use.
  • Creating and setting up the projects in SonarQube ourselves with a script seems more complicated than it needs to be, considering there are SonarQube integrations and CLI available which will do it for us in the way that is currently most desirable.

I’ve searched the documentation and the internet for a property or some other way to specify what quality gate should be used on the first analysis, but all I have turned up is other people who have tried taking the brute-force scripted approach listed above.

Is there a way for me to specify this information via properties or other to the scanner? If there is no way, could this be added to the backlog in some way? If this feature has been considered, can you provide any more context around what’s been discussed?

We have tried to find a solution using SonarQube 10.0 deployed using Docker.

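The pre-creation workaround discussed above (create the project through the Web API, bind it to a gate, then let the scanner run), as an added example that is not from the original thread or from SonarSource: it uses the `api/projects/search`, `api/projects/create` and `api/qualitygates/select` endpoints, assumes a user token with permission to create projects and administer quality gates, and refuses any gate outside a constructed allow-list so a pipeline cannot pick an emergency gate like the "vulnerable code" one mentioned later in the thread. The `http` argument and the `Team-Strict` gate name are assumptions made for this example; `http` exists so the logic can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Gates a pipeline may select for itself (constructed list). An emergency gate
# such as "vulnerable code" is deliberately not on it, so it cannot be chosen here.
ALLOWED_GATES = {"Sonar way", "Team-Strict"}


def urllib_http(method, url, token, params):
    """Default transport: SonarQube Web API call, user token sent as basic-auth user."""
    query = urllib.parse.urlencode(params)
    data = None
    if method == "GET":
        url = f"{url}?{query}"
    else:
        data = query.encode()
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # qualitygates/select answers 204 with an empty body
        return json.loads(raw) if raw else {}


def ensure_project_with_gate(base_url, token, project_key, project_name,
                             gate_name, http=urllib_http):
    """Create the project if it does not exist yet, then bind it to gate_name.

    Run this before the first scanner invocation so the project is never analysed
    under the default gate. Returns what was done; raises ValueError for a gate
    that is not on the allow-list.
    """
    if gate_name not in ALLOWED_GATES:
        raise ValueError(f"quality gate {gate_name!r} may not be selected by a pipeline")
    base = base_url.rstrip("/")
    found = http("GET", f"{base}/api/projects/search", token, {"projects": project_key})
    exists = any(c.get("key") == project_key for c in found.get("components", []))
    if not exists:
        http("POST", f"{base}/api/projects/create", token,
             {"project": project_key, "name": project_name})
    # Idempotent: re-selecting the same gate on an existing project is harmless.
    http("POST", f"{base}/api/qualitygates/select", token,
         {"projectKey": project_key, "gateName": gate_name})
    return {"project": project_key, "created": not exists, "gate": gate_name}
```

Call it with exactly the key the scanner will use (for Maven that is `<groupId>:<artifactId>` unless `sonar.projectKey` is set); with any other key the scanner still creates a second project under the default gate.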

Hi,

I suppose onboarding the projects from the DevOps platform integration isn’t an option because of the project key question?

Ann

P.S. I’ve moved this thread to Product Manager for a Day since the functionality doesn’t currently exist.

@ganncamp I think that determining the project keys would be difficult for home-grown integration, but if there are compatible DevOps integrations that are smart enough to determine the project key for us and complete the on-boarding before the first scan, that would certainly be an option. We just don’t want to reinvent the wheel.

Do you have DevOps integrations in mind that can do this?

Hi,

It makes sense to me that project onboarding would (one day) be smart enough to recognize Maven, Gradle and .NET projects and proactively read their project keys. But today we don’t do that.

And, since I’ve moved this to the PM for a Day category, a Product Manager will presumably be along at some point.

And in the meantime… I don’t have good answers for you.

Ann

Quite a few companies seem to run into this problem, as new Projects are created dynamically via CI-CD tools, and there is a need to set Quality Gate for that project dynamically. This need has been around for a long time and I am surprised that this functionality is still unavailable.


Hello George,

Thank you for the insight.

We will investigate this opportunity further to have it available either via DevOps integration or a config as code.

If we go with a config as code, would it be a problem to let developers set and edit the quality gate themselves?


Hi Ilham,

Thank you so much for taking a look at this. We are so excited that this could be available to us in upcoming releases!

The only concern we have with developers being able to set the quality gate themselves is that we have a “vulnerable code” quality gate which we do not want people to be able to use (we have used it temporarily before in certain emergency situations). If developers can set it themselves, I think we’d maybe want some way to specify allowed quality gates for them (vs. admins in the admin panel), or else maybe a way for us to override what the developers have chosen in our pipeline steps.

Hopefully that makes sense. We’re happy to provide more details if it would help.

Thank you for the details.

We will come back to you if we need more information.

Is there any update on this?

Hi @bharath_muppa,

Welcome to the community!

Sorry, there’s no update.

Ann

Pinging again, almost one year later…
Do we have any solution now or in near future?

Hi @opsingh861,

Welcome to the community!

I’m not aware of any movement in this area.

Ann

Hey Ann

It’s sad that we still don’t have this feature in 2025. It would have been great to have this. Or maybe any other solution is also fine.

Thanks,
Aditya Dhanraj

Hi Aditya,

Since this first-scan-no-QG state is entirely transitory and should be very brief in most cases, can you explain why this is such a pressing need for you?

Thx,
Ann

Hi Ann,

Our CI/CD pipeline runs a SonarScanner task before the build. The first scan uses the default Quality Gate, which doesn’t match our custom Quality Gate (set to our organization’s standards). This allows the build to proceed and deploy an image that may not meet our quality standards. If we could assign our custom Quality Gate before the first scan, this issue would be avoided.

Thanks, Aditya

Hi Aditya,

You can certainly assign your custom Quality Gate immediately after the project is created. Are you creating projects on first analysis, or by importing them from your DevOps platform?

Ann

Hey Ann,

Yes, it’s being created at runtime. There are so many teams that creating one for everyone is quite challenging, so we give them access to a permission template and they can use the Sonar token, which will have access to the permission template. For e.g.: PROJ-AG.* (permission template).
Now you can create one project with this prefix: PROJ-AG-GL (these are all hypothetical values).

Thanks,
Aditya Dhanraj

Hi,

This is a chicken-and-egg scenario. You’re creating the project on first analysis, so it doesn’t exist to be assigned to a Quality Gate. On the other hand:

It’s not clear why you haven’t made your custom Quality Gate the default.

Ann

In our case, different teams/areas have different requirements/gates to use for their applications, so a default gate does not help. We could have a separate SonarQube instance which has its own default, but this would be a lot more management and use and also makes it more difficult to change the gate on any given app (we would have to duplicate the gate configuration across instances).

We were thinking as far as configuring the gate “before” the scan, perhaps it could instead be configured during the scan, based on scan configuration set up beforehand (inputs to the scanning software, whether CLI or integration), so that when the project is created, it is created with a specific gate.


Totally agree with you, we also have the same kind of case. Right now we are maintaining a central instance of SonarQube, and whatever quality gate is applicable for team A is not applicable for team B. Just like we give the source to scan as a parameter, we could pass the quality gate and quality profile as parameters, and my new project would be scanned on the basis of these parameters.