Quality gate configuration


I’m new to working with SonarQube and I’m trying to configure a quality gate.
I know there is already a default quality gate (Sonar way) but it might be too generic.
Can someone share his own configuration so I can be inspired?


Welcome :slight_smile:

What’s your SonarQube version and edition (Community, Developer, Enterprise …)?


the Community one

And what version?

I’m using this image: 9.9.4-community

SonarSource nowadays promotes an approach they call “Clean as You Code” (CAYC).
The docs:


With Clean as You Code, your focus is always on New code (code that has been added or changed according to your new code definition) and making sure the code you write today is clean and safe.

IMO this concept has a big flaw: what about greenfield projects starting from scratch!?
When only using “on new code” conditions, the initial analysis might have 1000 issues, but the quality gate will be green, because there’s no baseline.

This contradicts the DevSecOps concept: security from the start (shift left).

So in your case, it depends on whether you want to analyze legacy projects or greenfield projects.
For legacy projects you should use “on new code” conditions, whereas for new projects you should use “on overall” conditions.

That’s my opinion; unfortunately I still have no answer to those questions.
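As an added illustration (not part of the thread, and not SonarQube’s own code), here is a small Python model of how a gate with only “on new code” conditions behaves on the first analysis of a greenfield project, compared with an “on overall” gate. The metric keys are SonarQube’s; the two gates, their thresholds and the analysis measures are constructed for the example, and a condition whose metric has no measure yet is treated as not evaluated, which is the “no baseline” situation described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    metric: str   # SonarQube metric key, e.g. "security_rating" or "new_security_rating"
    op: str       # "GT" or "LT": the condition fails when measure <op> threshold holds
    error: float  # threshold that turns the gate red


# Constructed gates (thresholds chosen for the example, not SonarQube defaults).
# Ratings are numeric: A=1, B=2, C=3, D=4, E=5.
NEW_CODE_GATE = [
    Condition("new_security_rating", "GT", 1),
    Condition("new_reliability_rating", "GT", 1),
    Condition("new_coverage", "LT", 80),
]
OVERALL_GATE = [
    Condition("security_rating", "GT", 1),
    Condition("reliability_rating", "GT", 1),
    Condition("coverage", "LT", 80),
]


def evaluate(gate, measures):
    """Return (status, failed_metrics) for a gate against a dict of measures.

    A condition whose metric is missing from the measures is skipped: on the
    first analysis there is no new-code baseline, so no new_* measure exists
    and every "on new code" condition is silently not evaluated.
    """
    failed = []
    for cond in gate:
        value = measures.get(cond.metric)
        if value is None:
            continue  # no baseline yet, condition cannot be evaluated
        if (cond.op == "GT" and value > cond.error) or \
           (cond.op == "LT" and value < cond.error):
            failed.append(cond.metric)
    return ("ERROR" if failed else "OK", failed)


# Constructed first-analysis result of a greenfield project: overall ratings
# are E (5) and coverage is 12%, but no new_* measures exist at all.
FIRST_ANALYSIS = {"security_rating": 5, "reliability_rating": 5, "coverage": 12.0}

if __name__ == "__main__":
    print("new-code gate:", evaluate(NEW_CODE_GATE, FIRST_ANALYSIS))  # ('OK', [])
    print("overall gate: ", evaluate(OVERALL_GATE, FIRST_ANALYSIS))   # ('ERROR', [...])
```

The new-code-only gate reports OK for the same analysis that the overall gate rejects on all three conditions.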