Enterprise level sonar profiles upgrade

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 9.9

  • how is SonarQube deployed: zip, Docker, Helm
    Zip

  • what are you trying to achieve
    Upgrade sonar profiles with the latest rules requested by our security team.
    We created the new profiles with the latest rules successfully, but we have a problem applying those new profiles. Our company has thousands of applications and sonar projects. We do not want to break our prod build pipelines, which run those sonar scans. We want to warn our users first and give them a few months to fix their code issues under the new profile. We want to ask app teams to run local scans against our test sonar servers, which have the new profiles, but few teams are willing to do that. Is there any way we can start scans as sonar admin for each project, based on the repo and branch info stored in sonar projects?

  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hi,

Welcome to the community!

There’s no functionality to initiate analysis from the SonarQube side. That would have to happen on the CI side.

What some users in this “warn users and give them time to adjust” situation do is add the rules to the current default profiles at an Info severity. That way the issues show up, but they don’t break Quality Gates (and pipelines) yet. Then after some period of time, escalate the rule severities to where they belong.

HTH,
Ann
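The staged rollout Ann describes (activate the new rules in the live default profile at Info, escalate later) can be scripted against the SonarQube Web API rather than clicked through for each language. The following is an added example, not code from the thread or from SonarSource: it uses the documented `api/rules/search` and `api/qualityprofiles/activate_rule` endpoints, authenticates with a user token as the Basic-auth username, and assumes the environment variables `SONAR_URL`, `SONAR_TOKEN`, `NEW_PROFILE_KEY` (the profile built with the security team's rules) and `LIVE_PROFILE_KEY` (the current default profile) as a convention of this script. Both plan functions are stateless, so the escalation phase can be run months later without keeping a record of the first run. The sample API response in the test below is constructed.

```python
"""Stage new quality-profile rules at INFO, then escalate them later (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request


def auth_header(token):
    """SonarQube accepts a user token as the Basic-auth username with an empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def call(base_url, token, path, params, method="GET"):
    """Minimal Web API call; returns the decoded JSON body ({} for an empty response)."""
    query = urllib.parse.urlencode(params)
    url = f"{base_url.rstrip('/')}/{path}"
    data = query.encode() if method == "POST" else None
    if method != "POST":
        url += "?" + query
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth_header(token))
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def active_severities(search_page, profile_key):
    """Map rule key -> severity at which it is active in profile_key, from one page of
    api/rules/search?qprofile=<key>&activation=true (the 'actives' map lists every
    profile a returned rule is active in, so filter on qProfile)."""
    out = {}
    actives = search_page.get("actives", {})
    for rule in search_page.get("rules", []):
        for act in actives.get(rule["key"], []):
            if act.get("qProfile") == profile_key:
                out[rule["key"]] = act["severity"]
    return out


def fetch_active_rules(base_url, token, profile_key, page_size=500):
    """Page through api/rules/search and collect every rule active in the profile."""
    result, page = {}, 1
    while True:
        data = call(base_url, token, "api/rules/search",
                    {"qprofile": profile_key, "activation": "true",
                     "ps": page_size, "p": page})
        result.update(active_severities(data, profile_key))
        if page * page_size >= data.get("total", 0):
            return result
        page += 1


def plan_rollout(new_profile, live_profile):
    """Phase 1: rules in the new profile that the live profile lacks.
    Each entry is (rule_key, severity_to_set_now, severity_the_new_profile_wants)."""
    return [(key, "INFO", new_profile[key])
            for key in sorted(new_profile) if key not in live_profile]


def plan_escalation(new_profile, live_profile):
    """Phase 2: rules sitting at INFO in the live profile that the new profile rates higher."""
    return [(key, live_profile[key], new_profile[key])
            for key in sorted(new_profile)
            if live_profile.get(key) == "INFO" and new_profile[key] != "INFO"]


def apply(base_url, token, profile_key, plan, escalate=False):
    """Activate (or re-activate) each planned rule in the live profile at the chosen severity."""
    for rule_key, staging, target in plan:
        call(base_url, token, "api/qualityprofiles/activate_rule",
             {"key": profile_key, "rule": rule_key,
              "severity": target if escalate else staging},
             method="POST")


if __name__ == "__main__":
    url, token = os.environ["SONAR_URL"], os.environ["SONAR_TOKEN"]
    new = fetch_active_rules(url, token, os.environ["NEW_PROFILE_KEY"])
    live = fetch_active_rules(url, token, os.environ["LIVE_PROFILE_KEY"])
    escalate = os.environ.get("PHASE") == "escalate"  # default: the INFO staging phase
    plan = plan_escalation(new, live) if escalate else plan_rollout(new, live)
    for rule_key, now, target in plan:
        print(f"{rule_key}: {now} -> {target if escalate else now}")
    if os.environ.get("DRY_RUN", "1") == "0":  # print only unless explicitly told to write
        apply(url, token, os.environ["LIVE_PROFILE_KEY"], plan, escalate=escalate)
```

Profile keys come from `api/qualityprofiles/search?language=<lang>&defaults=true` (the `key` field of each entry). Built-in profiles such as "Sonar way" are read-only, so the live profile must be a copy (or a child) that you own before `activate_rule` will succeed. Run with `DRY_RUN=1` first and review the printed plan; the INFO severity keeps the new issues visible in each project without failing the Quality Gate, and `PHASE=escalate` later moves them to the severities the new profile defined.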