Get vulnerabilty by GitlabCI

Must-share information (formatted with Markdown):
I just create a new job in my Gitlab to launch an analyze sonar of all my commits.
For now, I have two job, one with sonarscanner with maven and another with sonarscanner CLI

I want to put my job in failed if I have vulnerabilities in my code. But I can’t get an artifact in my job to see the analyze of sonar.

Is there anyone who knows how to get me to retrieve sonar analysis information from my commit. Or the differences with the last analysis

Thank you very much to any responses

Hi Ehanno,

This topic is well-covered in our docs. You can have your job wait to check the quality gate status and fail if the QG status is failed. Whether a vulnerability will fail your QG depends upon your specific QG criteria.

Hi @Jeff_Zapotoczny,

Thank you for you answer.

Maybe I didn’t cover all my interogation.
I want to know if we can do this with another scan than the last one.
Because with the quality gate we compare with our latest analyze. But it is possible if I want compare with a specific analyze thath is not the last one ?

I’m not sure I understand why you’d want to get an analysis result for an old analysis dynamically in GitLab CI. Let’s assume I don’t need to understand your use case. You might want to look at our web API, specifically api/project_analyses/search, which can be used to return prior quality gate results from earlier commits/analyses.

I hope this helps.

Thanks, yes I think that will help me

The use case it’s to compare analyze from devolpment branches with analyze of master branch.

Hello @Jeff_Zapotoczny,

I try to use the qualitygate filter with gitlab. There is my .yaml

  stage: security
    name: $DOCKER_REPO_REGISTRY/sonarsource/sonar-scanner-cli:4.5
    entrypoint: [""]
    - sonar-scanner -Dsonar.quality.wait=true -Dsonar.projectVersion=$BRANCH_VERSION
  allow_failure: true

But job passed anyway even if in sonar my qualitygate says failed.

Is there a special configuration to do?

I’m in version 7.9.4 of SonarQube and 12.10.6 of GitLab (community edition)


This is because you need to tell your gitlab pipeline to not allow failure.

Change this to false.

I’m not sure if you’ll succeed; we didn’t introduce GitLab CI support until SonarQube 8. But I believe the functionality here mostly depends upon the sonar-scanner CLI, and you appear to be running the latest, so try it anyhow.