I would like to have the following, wondering if it is possible from the implementation side.
I want Sonar to have a custom quality gate. For instance - this gate will look for string ‘1234’ in the code.
Once it finds it, it will fail the scan and fail the CI.
I want it to be presented as failed in my bitbucket.
Is it possible with the Community Edition to write custom gates? How?
Let’s assume that I am using the latest Community Edition of Sonar.
Welcome to the community!
There are a couple pieces here. I’m going to start with the easy bits:
Can I have a custom Quality Gate?
Yes, of course! You can have as many Quality Gates as you want. Then either set your custom QG as the default, or explicitly assign your project(s) of interest to it to have it applied at the next analysis.
Can I fail the build when the QG fails?
Probably. I’m not familiar enough with Bitbucket (okay, I’m not familiar at all) to say for sure. If this works for you it will be with the use of a Webhook. Webhooks allow you to have SonarQube notify other systems after project analysis with the current QG status and any failing conditions. So if you can make your Bitbucket pipeline wait for the (asynchronous!) webhook notification, parse its payload and act on the results then you can make this work. The Jenkins documentation might be helpful here.
Can I have a condition in my Quality Gate that looks for a string such as “1234” in the code?
Weeeeell… First, you’re probably going to need a custom rule for that. Not all languages support that. But let’s assume you’re able to implement a custom rule that looks for your string of interest. Now you have a rule that raises an issue when “1234” is present in the code. But you can’t set a QG condition against a rule. What you can do is set a condition against a metric. So if you add your custom rule to your Quality Profile as a Blocker, and then set a QG condition on Blocker issues, you could make this work.
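The webhook-driven build step described in the answer, as an added example that is not part of the original thread and not SonarSource's own code. It assumes the webhook was created with a secret (SonarQube then sends the hex-encoded HMAC-SHA256 of the raw body in the `X-Sonar-Webhook-HMAC-SHA256` header), that the Quality Gate has a condition on the `blocker_violations` metric (the metric a Blocker-severity custom "1234" rule would drive), and that the payload shape matches SonarQube's documented webhook JSON. The sample payloads, the secret value and the `decide` / `sign` helper names are constructed for illustration. The security-relevant step is the signature check: a webhook receiver that skips it lets anyone who can reach the endpoint post a `"status": "OK"` body and mark the build green.

```python
"""Consume a SonarQube webhook payload and decide whether the CI step should fail.

Added example, not code from the original post. Assumptions (not stated in the
thread): the webhook has a secret configured, the gate has a condition on the
blocker_violations metric, and the JSON shape follows SonarQube's webhook docs.
"""
import hashlib
import hmac
import json
import os
import sys

SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw body, as SonarQube computes it."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, secret: str, header_value: str) -> bool:
    """Constant-time comparison so a forged payload cannot be accepted."""
    return hmac.compare_digest(sign(raw_body, secret), header_value or "")


def failing_conditions(payload: dict) -> list:
    """Human-readable list of gate conditions whose status is ERROR."""
    gate = payload.get("qualityGate", {})
    return [
        f"{c['metric']} {c.get('operator', '')} {c.get('errorThreshold', '')} "
        f"(actual {c.get('value', '?')})"
        for c in gate.get("conditions", [])
        if c.get("status") == "ERROR"
    ]


def decide(raw_body: bytes, secret: str, header_value: str) -> tuple:
    """Return (exit_code, reasons): 0 = gate passed, 1 = gate failed,
    2 = payload rejected (bad signature or analysis task did not succeed)."""
    if not verify_signature(raw_body, secret, header_value):
        return 2, ["webhook signature mismatch; payload ignored"]
    payload = json.loads(raw_body)
    # Top-level "status" is the compute-engine task status, not the gate.
    if payload.get("status") != "SUCCESS":
        return 2, [f"analysis task status {payload.get('status')}"]
    gate = payload.get("qualityGate", {})
    if gate.get("status") == "OK":
        return 0, []
    return 1, failing_conditions(payload) or [f"quality gate status {gate.get('status')}"]


# Constructed sample payloads (hypothetical project, task id and secret).
SAMPLE_SECRET = "constructed-webhook-secret"

FAILING_PAYLOAD = json.dumps({
    "serverUrl": "http://localhost:9000",
    "taskId": "AXexampleTaskId",
    "status": "SUCCESS",
    "project": {"key": "myproject", "name": "My Project"},
    "qualityGate": {
        "name": "No magic 1234",
        "status": "ERROR",
        "conditions": [
            {"metric": "blocker_violations", "operator": "GREATER_THAN",
             "errorThreshold": "0", "status": "ERROR", "value": "1"},
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "errorThreshold": "80", "status": "OK", "value": "91.2"},
        ],
    },
}).encode()

PASSING_PAYLOAD = json.dumps({
    "serverUrl": "http://localhost:9000",
    "taskId": "AXexampleTaskId2",
    "status": "SUCCESS",
    "project": {"key": "myproject", "name": "My Project"},
    "qualityGate": {
        "name": "No magic 1234",
        "status": "OK",
        "conditions": [
            {"metric": "blocker_violations", "operator": "GREATER_THAN",
             "errorThreshold": "0", "status": "OK", "value": "0"},
        ],
    },
}).encode()


if __name__ == "__main__":
    # Usage: SONAR_WEBHOOK_SECRET=... SONAR_SIGNATURE=... python gate.py payload.json
    body = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAILING_PAYLOAD
    secret = os.environ.get("SONAR_WEBHOOK_SECRET", SAMPLE_SECRET)
    header = os.environ.get("SONAR_SIGNATURE", sign(body, secret))
    code, reasons = decide(body, secret, header)
    for r in reasons:
        print(r)
    sys.exit(code)
```

Because the webhook is asynchronous, the pipeline step that runs this must block until the notification arrives (or time out and fail closed); the alternative that avoids inbound webhooks entirely is to poll the `api/ce/task` and `api/qualitygates/project_status` endpoints from the CI job using the task id the scanner writes to `report-task.txt`.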