Creating and analyzing projects from Gitlab to SonarCloud

Hey all,

I’m working on an integration of SonarCloud into the Gitlab CI pipeline. Previously I was hosting the Sonar server myself, so the scanning looked like this:

  stage: security-testing
  image: sonarsource/sonar-scanner-cli:latest
    - /^release-.*$/
  needs: []
    # Defines the location of the analysis task cache
    # Tells git to fetch all the branches of the project, required by the analysis task
    GIT_DEPTH: "0"
    key: "${CI_JOB_NAME}"
      - .sonar/cache
    - sonar-scanner -Dsonar.projectKey=$CI_PROJECT_NAME -Dsonar.qualitygate.wait=true

The global variables contained the SONAR_HOST and SONAR_TOKEN values, everything was going fine.

Now, moving to the sonarcloud has been a little tricky. This is what I did:

  • Changed the URL to the sonarcloud and changed the token
  • Added the sonar.organization value to the CI file (at the end of the sonar-scanner command)
  • the project is not created under the organization and the error appears:
ERROR: Could not find a default branch to fall back on.

I’ve searched around in the forum, but I don’t really find a solution. I don’t want to define different tokens for different newly created repos. My workflow should be that any repository that is created in Gitlab with the inherited CI file, should be scanned and imported to the SonarCloud.

What am I doing wrong?

Hello @vilius,

Apologies for the delay in responding. Could you post the full scanner logs? You can redact any sensitive information.

Thanks for following up. The solution turned out to be onboarding the project to the SonarCloud. Launching the sonarscanner from gitlab onto the non-existing-on-the-cloud repo spits out the above error. When you add it manually, the error goes away.

Even though THIS particular problem is solved with a workaround I still have a question: what happens for the new project repos? Why should I need manual repo onboarding? I don’t wan to keep tabs what new repos development team is creating, all I care that they are scanned and report the results to the sonarscloud.
Any tips on this front?