Using SonarQube 8.6 EE
PR Decoration configured and working, using GitHub.
I have a small collection of “commons” maven projects that are used as dependencies in our 80 or so “production” projects. Thus, I take the view that a commons vulnerability or security hotspot can have a big impact downstream and have adjusted the quality gates used by these specific projects to add “Conditions on overall code”.
The result is that I see builds of main and branches that are failing the Quality Gate. But the Quality Gate is not failing in the PR itself.
The problem is that the PR decoration is so pretty that the developers are only looking at things in GitHub and addressing specific items that are failing. That’s great in one respect… the end result is that PRs are getting all code smells fixed even when the QG is passing. But it means that the devs are not seeing in GitHub that there is an underlying problem that must be looked at.
Is there anything that can be done about this? Is this a shortfall in PR decoration implementation, or have I maybe done something wrong?
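One workaround a CI pipeline could apply, as an added example that is not part of the original post: have the PR build itself query the target branch's Quality Gate through the SonarQube Web API (api/qualitygates/project_status) and print the overall-code failures next to the PR result, so the branch-level problem is visible where developers are looking. SONAR_URL, SONAR_TOKEN, PROJECT_KEY and the branch name are assumed placeholders, and the sample response below is constructed, not captured from a real server.

```python
import base64
import json
import urllib.parse
import urllib.request

def fetch_project_status(sonar_url, token, project_key, branch):
    """Call api/qualitygates/project_status for a long-lived branch (e.g. main)."""
    query = urllib.parse.urlencode({"projectKey": project_key, "branch": branch})
    url = f"{sonar_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    req = urllib.request.Request(url)
    # A SonarQube user token is sent as the basic-auth username with an empty password
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def failing_conditions(status_json):
    """Return (gate status, list of readable descriptions of conditions in ERROR)."""
    ps = status_json["projectStatus"]
    failures = []
    for cond in ps.get("conditions", []):
        if cond.get("status") == "ERROR":
            failures.append(
                f"{cond['metricKey']} {cond['comparator']} {cond['errorThreshold']} "
                f"(actual {cond.get('actualValue', '?')})"
            )
    return ps["status"], failures

def pr_summary(status_json, branch):
    """Text a PR check can print or post so the branch-level failure is not missed."""
    status, failures = failing_conditions(status_json)
    if status == "OK":
        return f"Quality Gate on '{branch}' is passing."
    lines = [f"Quality Gate on '{branch}' is {status}; overall-code conditions failing:"]
    lines += [f"  - {item}" for item in failures]
    return "\n".join(lines)

# Constructed sample in the shape returned by api/qualitygates/project_status
SAMPLE_RESPONSE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.0"},
    {"status": "ERROR", "metricKey": "vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "2"},
    {"status": "ERROR", "metricKey": "security_hotspots_reviewed", "comparator": "LT",
     "errorThreshold": "100", "actualValue": "60.0"},
]}}

if __name__ == "__main__":
    # In a real pipeline: pr_summary(fetch_project_status(SONAR_URL, SONAR_TOKEN, PROJECT_KEY, "main"), "main")
    print(pr_summary(SAMPLE_RESPONSE, "main"))
```

A PR step can exit non-zero when the returned status is not "OK", which makes the main-branch failure block or at least annotate the PR check rather than only the branch build.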