Importing external report without triggering Quality Gates

  • Community Edition, Version 9.9.3 (build 79811)
  • SonarQube Scanner for Jenkins, Version2.17.2

Im adding support for scanning in our Jenkins Shared Library. In this library we use Trivy to scan for vulnerabilities and OWASP for dependencies. We let these tools take care of any failing of the pipeline but we would like to add the generated reports to Sonarqube for documentation. I have tried to find any information on how to accomplish this. The only suggestion that I found was using the option sonar.analysis.mode but that doesn’t exist any more…

I think I could change the Quality Gate but I would like to find another solution since that would add to the maintenance burden (having two profiles…)

Any suggestions


Welcome to the community!

There’s a Dependency Check plugin in the SonarQube marketplace, and it looks like Trivy supports SARIF, which we import.

So your process would be to run Trivy and generate a SARIF report, then feed that report into your SonarQube analysis, which will include the Dependency Check scan because you’ve got the plugin installed and configured.



Im sorry for the confusion. I see that my question can be misunderstood. I do use the Dependency-check plugin and Trivy to scan for dependencies and vulnerabilities. I do import them into Sonarqube, so far it all works as I want :slight_smile:

But Quality Gate checks kicks in based on these reports! Since I use the external tools to fail the build and just wan’t Sonarqube to fail only for issues in the code… (I just want to import the reports for a convenient way to present them) So the question is, can I import reports from external tools without triggering The Quality Gate rules?

I hope this clarifies my question…

Sincerely Thomas

Hi Thomas,

Do you want the Quality Gate to ever fail the build?

Because there’s no good way to separate out the issues by origin and fail the Quality Gate for some and not others.

I think the cleanest thing to do here is to not fail the build directly from these external tools, and let the consolidated Quality Gate handle it for all of them.

Does that help?


Thats the route I have to take but suppressing vulnerabilities is so much easier in Trivy and I don’t want to do it twice… but there seems to be no other solution

I do wan’t Sonarqube to fail for everything except the issues from external tools, specifically vulnerabilities. There was a way to do it but that was taken away (hopefully for good reasons :smiley:), the option sonar.analysis.mode=preview. I think it would do it, it came up when i searched the ‘World Wide Waste…’

Thanks for your answer and suggestion.