I need to know the best practices for SonarQube and GitLab

What versions are you using (SonarQube Server/Community Build, Scanner, Plugin, and any relevant extensions)?
Answer: We are currently using SonarQube Community Edition 10.4, installed in a local, internet-exposed environment using ngrok for initial testing.
The scan is run using SonarScanner CLI v5.0.1.3006 in GitLab CI/CD pipelines.
No additional plugins are being used, as the Community Edition does not allow native integration with GitLab, but manual configurations have been made to compensate for this limitation.

How is SonarQube deployed: zip, Docker, Helm?
Answer: SonarQube was installed on a Windows operating system using the official ZIP package distributed by SonarSource.
To expose the local environment to the outside world, ngrok is being used, allowing GitLab runners to access SonarQube during integration testing.

What are you trying to achieve?
Answer: The main objective is to integrate SonarQube with GitLab CI/CD to automatically run static code analysis on each merge request or push, and to condition pipeline progress on meeting certain defined quality gates.
We seek to improve control over coding errors, security vulnerabilities, and unsafe practices in projects developed by the technical team.

What have you tried so far to achieve this?
Answer:

SonarQube Community Edition was manually installed locally.

A sonar-project.properties file was configured in the project repository to define the analysis parameters.

A sonar-analysis stage was added to the .gitlab-ci.yml file by running sonar-scanner targeting the public endpoint exposed by ngrok.

A SONAR_TOKEN authentication token generated from SonarQube was used for the analysis.

An attempt was made to condition the pipeline to the results of the Quality Gates by validating the sonar-scanner results.
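The job the poster describes (scanner run from a GitLab pipeline, token issued by SonarQube, pipeline blocked when the Quality Gate fails), as an added example that is not part of the original post: it assumes SONAR_HOST_URL and SONAR_TOKEN are stored as masked, protected CI/CD variables rather than in the repository, and the image tag is a pinned version chosen here for illustration.

```yaml
# Constructed .gitlab-ci.yml fragment (example, not the poster's own configuration).
# SONAR_HOST_URL and SONAR_TOKEN are assumed to be masked + protected CI/CD
# variables; the SonarScanner CLI reads both from the environment.
stages:
  - test
  - sonar-analysis

sonar-analysis:
  stage: sonar-analysis
  image:
    name: sonarsource/sonar-scanner-cli:5.0   # pinned tag, assumed for the example
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # scanner cache lives inside the workspace
    GIT_DEPTH: "0"                                # full clone so SCM blame data is available
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # sonar.qualitygate.wait makes the scanner poll the server for the Quality Gate
    # result and exit non-zero when it fails, which fails this job and therefore
    # stops later stages. Project settings come from sonar-project.properties.
    - sonar-scanner -Dsonar.qualitygate.wait=true -Dsonar.qualitygate.timeout=300
  allow_failure: false
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

With Community Edition every analysis is published to the project's main branch, so the gate result reflects the whole project rather than only the merge request's changes.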

Hi @Pablo_Andres_Espinoz
Out of curiosity did you try the SonarQube Server commercial edition?
It would allow you to have a native integration with GitLab in your CI/CD pipelines, including branch analysis, Merge Request decoration directly in GitLab, …
That will allow you to set up your Quality Gates as a real “gate” for your Merge Request, to enforce high expectations on quality and security of your projects, and make the pipeline fail when the quality gate fails.

You can see more details here: Adding SonarQube Server analysis to GitLab CI/CD | SonarQube Server Documentation

If you want to try on real projects, you can send us a message at contact@sonarsource.com.

Carine