Configuration-as-code (for SonarQube and SonarCloud)

Suggestion: Allow the quality profiles and quality gate to be configured in code, in a flexible manner.

For example, we could have a file sonar-config.yml, like this:

sonar-config:
  new-code:
    since_days: 1
  branches:
    long_lived_pattern: "(master|main|develop|(release-.+))"
    main_branch: develop
  profile:
    initial: INCLUDE_ALL
    exclude:
      tags: [deprecated, convention, test_coverage]
      source: ["!SonarSource"]   # quoted: a bare "!" starts a YAML tag rather than a string
      rules: [S5612, S121, S1774]
  gate:
    security_hotspots_reviewed:
      min: 100%
    vulnerabilities:
      max: 0
    defects:
      max: 0
    severity_blocker:
      max: 0
    severity_critical:
      max: 0
    maintainability_rating:
      at_least: A

This would create a quality gate and associate it with this specific repository, and it would create as many quality profiles for this repository as required (based on the languages used in the code), etc.

Benefits of this approach:

  • no need to do manual configuration of quality gates and quality profiles
  • configuration can be copied easily between repositories
  • configuration can be changed automatically (using a bot on the git repository) based on the results from SonarQube/SonarCloud (main use case: status quo quality gates)
  • all the regular benefits of xxx-as-code
  • when there is a SonarQube upgrade (e.g. more rules, or deprecation of existing rules), then the appropriate rules get activated or deactivated automatically – no manual intervention required
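As an added example (not part of the original post, and not SonarQube's own code), the following Python evaluates the proposed gate section and long_lived_pattern against constructed measures, using the min / max / at_least semantics the suggestion implies; the config dict mirrors the YAML above, and the metric names are the post's, not official SonarQube metric keys.

```python
import re

# Constructed: the proposed sonar-config.yml from the post, as a Python dict
# (a real implementation would load the YAML file instead).
SONAR_CONFIG = {
    "branches": {"long_lived_pattern": r"(master|main|develop|(release-.+))",
                 "main_branch": "develop"},
    "gate": {
        "security_hotspots_reviewed": {"min": "100%"},
        "vulnerabilities": {"max": 0},
        "defects": {"max": 0},
        "severity_blocker": {"max": 0},
        "severity_critical": {"max": 0},
        "maintainability_rating": {"at_least": "A"},
    },
}

RATING_ORDER = "ABCDE"  # A is best, so "at_least: A" means the rating must not be worse than A


def _to_number(value):
    """Accept ints, floats, or percentage strings such as '100%'."""
    if isinstance(value, str) and value.endswith("%"):
        return float(value[:-1])
    return float(value)


def is_long_lived(branch, config=SONAR_CONFIG):
    """True if the branch name fully matches the configured long-lived pattern."""
    return re.fullmatch(config["branches"]["long_lived_pattern"], branch) is not None


def evaluate_gate(measures, config=SONAR_CONFIG):
    """Return a list of (metric, reason) failures; an empty list means the gate passes.
    A metric required by the gate but absent from the measures is treated as a failure."""
    failures = []
    for metric, cond in config["gate"].items():
        if metric not in measures:
            failures.append((metric, "measure missing"))
            continue
        actual = measures[metric]
        if "at_least" in cond:  # letter ratings compare by position, not numerically
            if RATING_ORDER.index(actual) > RATING_ORDER.index(cond["at_least"]):
                failures.append((metric, f"{actual} is worse than {cond['at_least']}"))
            continue
        value = _to_number(actual)
        if "min" in cond and value < _to_number(cond["min"]):
            failures.append((metric, f"{actual} is below min {cond['min']}"))
        if "max" in cond and value > _to_number(cond["max"]):
            failures.append((metric, f"{actual} is above max {cond['max']}"))
    return failures
```

Constructed sample measures such as {"security_hotspots_reviewed": "80%", "defects": 2, "maintainability_rating": "B", ...} fail on exactly those three conditions, which is the kind of result a repository bot could act on under the status-quo-gate use case above.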

Thanks for the suggestion @znerd.
More generally, we are tracking the topic of setting up the analysis configuration close to the code. It’s not planned in the short term, but we are monitoring the requests.

Having centralized Quality Profile and Quality Gate definitions helps ensure the different projects meet the same quality and security standards.
Do you feel the need to configure the definition for the profiles and gate directly in code, or just to choose the ones to be applied to the project?

Chris

This is a great feature, giving teams visibility right in the code rather than going back and forth with the SonarQube UI to understand which quality profiles have been set, and giving the ability to toggle profiles for off cases where they need to be relaxed.