Configuration-as-code (for SonarQube and SonarCloud)

Suggestion: Allow the quality profiles and quality gate to be configured in code, in a flexible manner.

For example, we could have a file sonar-config.yml, like this:

sonar-config:
  new-code:
    since_days: 1
  branches:
    long_lived_pattern: "(master|main|develop|(release-.+))"
    main_branch: develop
  profile:
    initial: INCLUDE_ALL
    exclude:
      tags: [deprecated, convention, test_coverage]
      source: ["!SonarSource"]   # quoted: a bare "!" starts a YAML tag
      rules: [S5612, S121, S1774]
  gate:
    security_hotspots_reviewed:
      min: 100%
    vulnerabilities:
      max: 0
    defects:
      max: 0
    severity_blocker:
      max: 0
    severity_critical:
      max: 0
    maintainability_rating:
      at_least: A

This would create a quality gate and associate it with this specific repository, and it would create as many quality profiles for this repository as required (based on the languages used in the code), etc.

Benefits of this approach:

  • no need to do manual configuration of quality gates and quality profiles
  • configuration can be copied easily between repositories
  • configuration can be changed automatically (using a bot on the git repository) based on the results from SonarQube/SonarCloud (main use case: status quo quality gates)
  • all the regular benefits of xxx-as-code
  • when there is a SonarQube upgrade (e.g. more rules, or deprecation of existing rules), then the appropriate rules get activated or deactivated automatically – no manual intervention required

Thanks for the suggestion @znerd.
More generally, we are tracking the topic of setting up the analysis configuration close to the code. It's not planned in the short term, but we are monitoring the requests.

Having centralized Quality Profile and Quality Gate definitions helps ensure the different projects meet the same quality and security standards.
Do you feel the need to configure the definition for the profiles and gate directly in code, or just to choose the ones to be applied to the project?

Chris

This is a great feature, giving visibility to teams right in the code rather than going back and forth to the SonarQube UI to understand which quality profiles have been set, and giving the ability to toggle profiles for off cases where they need to be relaxed.


Do you feel the need to configure the definition for the profiles and gate directly in code, or just to choose the ones to be applied to the project?

Directly in the code would be more appropriate in most of my use cases (client projects), but I can also see the case for doing the quality configuration management inside the SonarQube/SonarCloud platform.

Hey,

While waiting for this to be a native feature of Sonar, you may have a look at the sonar-config tool, part of the sonar-tools Python package.
Feedback is welcome.

Olivier

Disclaimer: I contributed to the project below.

A possible solution to this problem, while there isn’t an officially supported tool, is to use the community terraform provider: rewe-digital/sonarcloud. It was updated earlier today to support Quality Gates alongside its existing project and user management support.

I think Terraform is a pretty nice solution for this type of project. Being able to plan changes to see what is going to occur is definitely a huge time saver. Do note that this provider is not the best at checking values during plan time, so there will be errors that are not caught during the plan step.