Automated scan on new code -- How do I specify the quality gate for the first scan to use?

My organization has a shared set of steps that every build pipeline uses, including steps for SonarQube analysis. We have our default gate define the baseline requirements for all projects, and our shared steps ensure the code meets these requirements.

However, some teams would like to ensure that all their code always meets more stringent requirements beyond what is required by the default gate. This should include any new code/pipelines added for their team. Our shared steps have what is needed to determine the quality gate desired for a pipeline, and we would like to use this to ensure that SonarQube checks the code against the desired gate.

The challenge we are facing is that when new projects come along and use our steps, they will end up in the default gate for the first run (and subsequent runs until we fix it).

We have considered manually creating the projects via API, assigning the quality gate, then letting the scan run, as I believe David has done in this thread, but there are some challenges with this:

  • We don’t know for certain what the project key will be, since some projects use the build tool integration (e.g., Maven) to determine the project key. We could try to handle all these scenarios, but we would have to do it for each technology we use.
  • Creating and setting up the projects in SonarQube ourselves with a script seems more complicated than it needs to be, considering there are SonarQube integrations and CLI available which will do it for us in the way that is currently most desirable.

I’ve searched the documentation and the internet for a property or some other way to specify what quality gate should be used on the first analysis, but all I have turned up is other people who have tried taking the brute-force scripted approach listed above.

Is there a way for me to specify this information via properties or otherwise to the scanner? If there is no way, could this be added to the backlog in some way? If this feature has been considered, can you provide any more context around what’s been discussed?

We have tried to find a solution using SonarQube 10.0 deployed using Docker.
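The scripted pre-creation approach the question describes, written out as an added example (this is not code from the thread, from the linked post, or from SonarSource). It assumes the pipeline exports SONAR_HOST_URL and SONAR_TOKEN, and uses the standard Web API endpoints api/projects/search, api/projects/create, api/qualitygates/select and api/qualitygates/get_by_project; the allowlist of gate names and the project values are constructed for the example. The allowlist is the point: a shared step that fails closed on any gate it does not recognise means a build cannot bind itself to an emergency-only gate, which is the concern raised later in the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from SonarSource: pre-create a
# SonarQube project and pin its quality gate before the first analysis runs,
# refusing any gate that is not on an allowlist.
# Assumptions: SONAR_HOST_URL and SONAR_TOKEN are set by the pipeline, and the
# server exposes the standard Web API endpoints api/projects/search,
# api/projects/create, api/qualitygates/select and api/qualitygates/get_by_project.
set -u

# Gate names a pipeline is permitted to request. Constructed for this example;
# an emergency "vulnerable code" gate is deliberately not listed, so a build
# cannot select it even if a developer asks for it.
ALLOWED_GATES="Sonar way|Team Strict|Security Hardened"

# gate_allowed NAME -> exit 0 if NAME is in ALLOWED_GATES, 1 otherwise.
gate_allowed() {
  local gate="$1" g
  local IFS='|'
  for g in $ALLOWED_GATES; do
    [ "$g" = "$gate" ] && return 0
  done
  return 1
}

# gate_name_from_json JSON -> prints the "name" field of an
# api/qualitygates/get_by_project reply, e.g. {"qualityGate":{"name":"Sonar way",...}}
gate_name_from_json() {
  printf '%s' "$1" | sed -n 's/.*"name":"\([^"]*\)".*/\1/p'
}

# sonar_api METHOD PATH [curl data args...] -> authenticated call, fails on HTTP errors
sonar_api() {
  local method="$1" path="$2"
  shift 2
  if [ "$method" = GET ]; then
    curl -sf -u "$SONAR_TOKEN:" --get "$@" "$SONAR_HOST_URL/api/$path"
  else
    curl -sf -u "$SONAR_TOKEN:" -X POST "$@" "$SONAR_HOST_URL/api/$path"
  fi
}

# project_exists KEY -> 0 if a project with exactly this key is registered
project_exists() {
  sonar_api GET projects/search --data-urlencode "projects=$1" \
    | grep -qF "\"key\":\"$1\""
}

# current_gate KEY -> prints the gate currently bound to the project
current_gate() {
  gate_name_from_json "$(sonar_api GET qualitygates/get_by_project --data-urlencode "project=$1")"
}

# ensure_gate KEY DISPLAY_NAME GATE: the shared pipeline step. Fails closed when
# the gate is not allowed; otherwise creates the project if needed, binds the
# gate, and verifies the binding before the scanner is allowed to run.
ensure_gate() {
  local key="$1" name="$2" gate="$3"
  if ! gate_allowed "$gate"; then
    echo "refusing quality gate '$gate': not in allowlist" >&2
    return 2
  fi
  if ! project_exists "$key"; then
    sonar_api POST projects/create \
      --data-urlencode "project=$key" --data-urlencode "name=$name" >/dev/null
  fi
  sonar_api POST qualitygates/select \
    --data-urlencode "projectKey=$key" --data-urlencode "gateName=$gate" >/dev/null
  if [ "$(current_gate "$key")" != "$gate" ]; then
    echo "quality gate '$gate' was not applied to '$key'" >&2
    return 1
  fi
  echo "$key is pinned to quality gate '$gate'"
}

# Usage from a pipeline, before invoking the scanner (values are placeholders):
#   ./pin-gate.sh "org:service" "Service" "Team Strict" && sonar-scanner ...
# With no arguments the script only defines the functions, so it can be sourced.
if [ $# -eq 3 ]; then
  ensure_gate "$1" "$2" "$3"
fi
```

This still leaves the project-key problem from the first bullet unsolved: the step has to be handed the key the scanner will later use, so for Maven or Gradle builds the shared step must read it from the build descriptor before calling ensure_gate.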


Hi,

I suppose onboarding the projects from the DevOps platform integration isn’t an option because of the project key question?

Ann

P.S. I’ve moved this thread to Product Manager for a Day since the functionality doesn’t currently exist.

@ganncamp I think that determining the project keys would be difficult for home-grown integration, but if there are compatible DevOps integrations that are smart enough to determine the project key for us and complete the on-boarding before the first scan, that would certainly be an option. We just don’t want to reinvent the wheel.

Do you have DevOps integrations in mind that can do this?

Hi,

It makes sense to me that project onboarding would (one day) be smart enough to recognize Maven, Gradle and .NET projects and proactively read their project keys. But today we don’t do that.

And, since I’ve moved this to the PM for a Day category, a Product Manager will presumably be along at some point.

And in the meantime… I don’t have good answers for you.

Ann

Quite a few companies seem to run into this problem, as new Projects are created dynamically via CI-CD tools, and there is a need to set the Quality Gate for that project dynamically. This need has been around for a long time and I am surprised that this functionality is still unavailable.


Hello George,

Thank you for the insight.

We will investigate this opportunity further to have it available either via DevOps integration or a config as code.

If we go with a config as code, would it be a problem to let developers set and edit the quality gate themselves?


Hi Ilham,

Thank you so much for taking a look at this. We are so excited that this could be available to us in upcoming releases!

The only concern we have with developers being able to set the quality gate themselves is that we have a “vulnerable code” quality gate which we do not want people to be able to use (have used it temporarily before in certain emergency situations). If developers can set it themselves, I think we’d maybe want some way to specify allowed quality gates for them (vs. admins in the admin panel), or else maybe a way for us to override what the developers have chosen in our pipeline steps.

Hopefully that makes sense. We’re happy to provide more details if it would help.

Thank you for the details.

We will come back to you if we need more information.