Sonar Quality gate based on Security Vulnerabilities

Must-share information (formatted with Markdown):

  • 8.3.1 (SonarQube, Scanner, Plugin, and any relevant extension)
  • Azure DevOps Quality Gate controls based on Sonar Security Vulnerabilities

I’m looking for how to properly do this. I’ve written scripts to pull from the API “Critical” and “blockers” but it is mostly pulling things like Code Smells, and not exactly “Security” issues. What is the proper way to pull security only related issues from the API?

Welcome :slight_smile:

This quality gate condition seems to fit!?

(screenshot: qg_vuln)

Value set to 0 means the quality gate won’t accept any vulnerability on new code.

Gilbert

And where is this setting located? Is it part of the ADO module? If so, I know we currently aren’t using it, as our projects are very large, so we are using a PowerShell script to run a parallel loop on each of the projects to run scans simultaneously for faster scan times. Would there be a way to implement this via a script?

Seems I confused the SonarQube quality gate with the ADO quality gate.
Never used Azure DevOps pipelines.

The setting in the screenshot is a condition for a quality gate that is set on the SonarQube server.
The scanner uploads its data to the SonarQube server, and the SonarQube CE engine evaluates it against the
conditions of the quality gate => quality gate status OK | ERROR

I guess it will work similarly to Jenkins pipelines. A Jenkins pipeline uses the waitForQualityGate() step to get the quality gate status.
From reading the docs (Azure DevOps Server Integration | SonarQube Docs) it seems you have to use
the Publish Quality Gate Result task to get similar behaviour in your pipeline.
Or did I understand incorrectly, and you have another use case?

So currently in our Azure DevOps pipeline, we are using a PowerShell script to handle the build of the project using MSBuild, followed by executing the Sonar Scanner and publishing the results. We have no issues doing this. What we are trying to do now is fail the build pipeline if any security vulnerabilities are detected. Is this possible?
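The two questions in this thread (how to pull only security issues from the Web API rather than Code Smells, and how to fail the pipeline on the server-side quality gate verdict) can both be answered with a short gate check run as a pipeline step after the scanner finishes. The script below is an added example, not code from the thread or from SonarSource: it filters `api/issues/search` on `types=VULNERABILITY` so severity filters never pick up Code Smells, and it reads `api/qualitygates/project_status` for the gate verdict Gilbert describes. The environment variable names `SONAR_HOST_URL`, `SONAR_TOKEN` and `SONAR_PROJECT_KEY` are assumptions, and the sample payloads are constructed so the evaluation logic can be exercised offline.

```python
"""Fail a build when SonarQube reports security vulnerabilities (added example).

Check 1: api/issues/search with types=VULNERABILITY returns security issues only.
Check 2: api/qualitygates/project_status returns the server-side gate verdict,
         which includes a "Vulnerabilities on New Code" condition when configured.
SONAR_HOST_URL, SONAR_TOKEN and SONAR_PROJECT_KEY are assumed variable names.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

FAIL_SEVERITIES = {"BLOCKER", "CRITICAL"}
PAGE_SIZE = 500  # maximum page size accepted by api/issues/search


def select_vulnerabilities(issues_payload, severities=FAIL_SEVERITIES):
    """Unresolved VULNERABILITY issues at the given severities from a decoded
    api/issues/search body. Type is re-checked here so the result stays correct
    even when the query was made without types=VULNERABILITY."""
    return [
        issue for issue in issues_payload.get("issues", [])
        if issue.get("type") == "VULNERABILITY"
        and issue.get("severity") in severities
        and not issue.get("resolution")  # skip false-positive / won't-fix triage
    ]


def gate_failed(status_payload):
    """(failed, failing metric keys) from a decoded api/qualitygates/project_status
    body, e.g. (True, ['new_vulnerabilities'])."""
    project_status = status_payload.get("projectStatus", {})
    failing = [c["metricKey"] for c in project_status.get("conditions", [])
               if c.get("status") == "ERROR"]
    return project_status.get("status") == "ERROR", failing


def _get(base_url, path, token, **params):
    """GET a Web API endpoint; a user token goes in the Basic-auth username, empty password."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def fetch_vulnerabilities(base_url, token, project_key):
    """Page through every unresolved vulnerability of the project."""
    issues, page = [], 1
    while True:
        body = _get(base_url, "api/issues/search", token, componentKeys=project_key,
                    types="VULNERABILITY", resolved="false", ps=PAGE_SIZE, p=page)
        issues.extend(body.get("issues", []))
        if page * PAGE_SIZE >= body.get("paging", {}).get("total", 0):
            return {"issues": issues}
        page += 1


# Constructed sample responses, shaped like the real ones, for offline use.
SAMPLE_ISSUES = {
    "paging": {"pageIndex": 1, "pageSize": PAGE_SIZE, "total": 4},
    "issues": [
        {"key": "constructed-1", "type": "VULNERABILITY", "severity": "CRITICAL",
         "rule": "example:vuln-rule", "component": "proj:src/Db.cs", "line": 42,
         "message": "constructed vulnerability"},
        {"key": "constructed-2", "type": "VULNERABILITY", "severity": "MAJOR",
         "rule": "example:vuln-rule", "component": "proj:src/Auth.cs", "line": 7,
         "message": "constructed vulnerability below the failing severities"},
        {"key": "constructed-3", "type": "CODE_SMELL", "severity": "CRITICAL",
         "rule": "example:smell-rule", "component": "proj:src/Util.cs", "line": 1,
         "message": "constructed code smell: same severity, not a security issue"},
        {"key": "constructed-4", "type": "VULNERABILITY", "severity": "BLOCKER",
         "resolution": "FALSE-POSITIVE", "rule": "example:vuln-rule",
         "component": "proj:src/Old.cs", "line": 3, "message": "already triaged"},
    ],
}
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "2"},
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.0"},
]}}


def main():
    base_url, token = os.environ["SONAR_HOST_URL"], os.environ["SONAR_TOKEN"]
    project_key = os.environ["SONAR_PROJECT_KEY"]
    vulns = select_vulnerabilities(fetch_vulnerabilities(base_url, token, project_key))
    failed, conditions = gate_failed(
        _get(base_url, "api/qualitygates/project_status", token, projectKey=project_key))
    for v in vulns:
        print(f"{v['severity']} {v['rule']} {v.get('component')}:{v.get('line', '?')} {v['message']}")
    if vulns or failed:
        print(f"FAILED: {len(vulns)} blocking vulnerabilities; failing gate conditions: {conditions}")
        sys.exit(1)  # a non-zero exit code fails the pipeline step
    print("OK: no blocking vulnerabilities and the quality gate passed")


if __name__ == "__main__":
    main()
```

One caveat when wiring this into the PowerShell step: the scanner only uploads the report, and the server's Compute Engine processes it asynchronously, so querying `api/qualitygates/project_status` immediately after the scanner exits can return the verdict of the previous analysis. The scanner writes a `report-task.txt` containing a `ceTaskId`; poll `api/ce/task?id=<ceTaskId>` until its status is `SUCCESS` before reading the gate status. The Publish Quality Gate Result task mentioned above does that wait for you, which is why it is the simpler option when the ADO integration is available.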