Quality gate condition on new code doesn't reflect in scanning

Hi, I configured my SonarQube New Code setting to compare to a branch. My quality gate only has one condition, which checks if the security rating of new code is less than A. Theoretically, if the new code I add contains vulnerabilities, the scan should fail. However, the scan succeeds every time, but the number of vulnerabilities in the overall code is increasing. Why is this?


I am seeing some findings in the MR scan but not in new code. What's the difference between MR and new code? If I am merging everything to main and set the new code definition to compare to the main branch, will that result in not seeing anything in new code?

Hi,

Thanks for the screenshots of your New Code setting and your Quality Gate. Very helpful!

Could we also have a screenshot of your project / branch homepage showing a Vulnerability on New Code and a passing Quality Gate?

Ann

Hi, thanks for replying. It is passing as expected. However, there is nothing in the new code section.


My guess is still that it’s because I’m merging everything to main branch and I’m using the main branch as the comparison base for new code so it shows no findings.

Hi,

Thanks for the screenshots!

Your New Code tab shows a ‘-’ for “Coverage on 0 New Lines to cover”, while under Duplications we see “3 New Lines”.

So apparently nothing changed in the branch requires coverage?

Ann

Coverage is not what concerned me. It's the fact that there are no bug, vulnerability or security hotspot counts. But I think it is probably expected based on my configuration.

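The trap this thread circles around is that a Quality Gate whose only condition is on New Code passes trivially when the New Code period is empty, which is what happens when a branch is compared against a base it has already been merged into. The script below is an added example, not code from the thread or from SonarSource: it reads the project's measures and gate status (offline here, from constructed copies of the `api/measures/component` and `api/qualitygates/project_status` responses, whose shapes are assumed from recent server versions) and flags a green gate that was evaluated over zero new lines while overall vulnerabilities are non-zero. The project key, branch name, and token-based `fetch` helper for running it against a live server are assumptions, not values from the original posts.

```python
"""Sanity-check a SonarQube Quality Gate that only has New Code conditions.

Added example (not from the thread): flags the case where the gate passes
because the New Code period contains no lines, so a condition such as
new_security_rating never has anything to evaluate.
"""
import base64
import json
import urllib.request
from typing import Any, Callable, Dict, Optional
from urllib.parse import urlencode

# Hypothetical identifiers; replace with your own project key and branch.
PROJECT_KEY = "example-project"
BRANCH = "main"

# Constructed sample bodies in the shape returned by api/measures/component
# and api/qualitygates/project_status (assumed shapes; new-code metrics sit
# under "period"). They mirror the thread: overall vulnerabilities present,
# zero new lines, gate green.
SAMPLE_MEASURES = json.dumps({
    "component": {
        "key": PROJECT_KEY,
        "measures": [
            {"metric": "vulnerabilities", "value": "7"},
            {"metric": "new_vulnerabilities", "period": {"index": 1, "value": "0"}},
            {"metric": "new_lines", "period": {"index": 1, "value": "0"}},
        ],
    }
})
SAMPLE_GATE = json.dumps({
    "projectStatus": {
        "status": "OK",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"}
        ],
    }
})


def parse_measures(raw: str) -> Dict[str, Optional[float]]:
    """Map metric key -> numeric value; new-code metrics are read from 'period'."""
    values: Dict[str, Optional[float]] = {}
    for m in json.loads(raw)["component"]["measures"]:
        val = m["period"]["value"] if "period" in m else m.get("value")
        values[m["metric"]] = float(val) if val is not None else None
    return values


def gate_passed(raw: str) -> bool:
    """True when projectStatus.status is OK."""
    return json.loads(raw)["projectStatus"]["status"] == "OK"


def check_gate(measures_raw: str, gate_raw: str) -> Dict[str, Any]:
    """Return the gate verdict plus whether it is vacuous (no new code scanned)."""
    measures = parse_measures(measures_raw)
    passed = gate_passed(gate_raw)
    new_lines = measures.get("new_lines") or 0.0
    total_vulns = measures.get("vulnerabilities") or 0.0
    new_vulns = measures.get("new_vulnerabilities") or 0.0
    # A green gate with zero new lines means the New Code definition produced
    # an empty period (e.g. a branch compared against a base it was already
    # merged into): the security-rating condition passed without inspecting
    # a single line.
    vacuous = passed and new_lines == 0.0
    return {
        "status": "OK" if passed else "ERROR",
        "new_lines": new_lines,
        "new_vulnerabilities": new_vulns,
        "vulnerabilities": total_vulns,
        "vacuous": vacuous,
    }


def fetch(base_url: str, token: str, path: str, params: Dict[str, str]) -> str:
    """GET a Web API endpoint, sending a user token as the HTTP Basic username."""
    url = f"{base_url.rstrip('/')}/{path}?{urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def check_live(base_url: str, token: str, project: str = PROJECT_KEY,
               branch: str = BRANCH, get: Callable[..., str] = fetch) -> Dict[str, Any]:
    """Run the same check against a live server (assumed endpoint parameters)."""
    measures = get(base_url, token, "api/measures/component",
                   {"component": project, "branch": branch,
                    "metricKeys": "vulnerabilities,new_vulnerabilities,new_lines"})
    gate = get(base_url, token, "api/qualitygates/project_status",
               {"projectKey": project, "branch": branch})
    return check_gate(measures, gate)


if __name__ == "__main__":
    result = check_gate(SAMPLE_MEASURES, SAMPLE_GATE)
    print(json.dumps(result, indent=2))
    if result["vacuous"]:
        raise SystemExit("Quality Gate passed on 0 new lines: check the New Code definition")
```

Wiring `check_live` into the pipeline step that waits for the gate, and failing the job when `vacuous` is true, turns the silent pass described in the thread into a visible configuration error: the fix is then to point the New Code definition at something that actually differs from the analysed branch (a previous version, a reference branch that is not the branch itself, or a number of days), after which `new_lines` becomes non-zero and the security-rating condition is evaluated for real.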
