Versions
- SonarQube Server: Enterprise Edition (self-hosted)
- SonarQube Scanner: CLI / Maven (to be confirmed based on repo type)
- Deployment: Helm (Kubernetes)
What We Are Trying to Achieve
We are trying to run SonarQube code analysis for repositories hosted in Palantir Foundry’s Jemma CI environment. The goal is to trigger a SonarScanner during a Jemma build job and report results back to our self-hosted SonarQube Server instance on a private BPX network.
What We Have Tried / Investigated So Far
Palantir Foundry’s standard external integration path is through an “Outbound Application” in their Data Connection module, which requires an OAuth 2.0 server connection (Authorization page URL + Token endpoint URL). After investigation, we confirmed that SonarQube does not act as an OAuth 2.0 authorization server and cannot natively expose those endpoints. We also explored using Azure AD as an intermediary OAuth provider, but confirmed SonarQube’s API does not validate Azure AD-issued JWTs. The SonarQube vendor confirmed that Path 2 - running the scanner directly inside the CI job via shell or Docker - is the recommended workaround.
Our Questions
- Has anyone successfully run the SonarScanner inside a Palantir Jemma CI job - either via a shell command or a custom Docker container build step?
- Can Jemma execute the scanner without routing through Foundry’s OAuth Data Connection layer?
- Are there any reference examples or best practices for securely injecting SONAR_TOKEN and SONAR_HOST_URL as environment variables in a Jemma pipeline, particularly where the SonarQube instance is on a private network?
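As an added example of the shell-step approach the vendor pointed to (this is not code from the original post, from Palantir, or from SonarSource), the script below is the kind of wrapper a CI job would call. It assumes the CI system already exposes SONAR_TOKEN and SONAR_HOST_URL (the names from the post) as environment variables in the job shell; how Jemma itself injects secrets is not something the post confirms. SONAR_PROJECT_KEY, SONAR_SOURCES, SONAR_QG_WAIT and SONAR_USE_DOCKER are hypothetical names chosen for this example. The token is never placed on the scanner command line (where `ps` output and echoed build logs would expose it): the SonarScanner CLI reads SONAR_TOKEN and SONAR_HOST_URL from the environment, so only non-secret settings are passed as `-D` options. The unauthenticated `/api/system/status` endpoint is used as a reachability preflight, which is the usual first failure when the server sits on a private network.

```shell
#!/bin/sh
# Constructed example: run SonarScanner from a CI shell step with the server
# URL and token supplied only through environment variables.
# Assumed variables: SONAR_HOST_URL, SONAR_TOKEN (names from the post),
# SONAR_PROJECT_KEY, SONAR_SOURCES, SONAR_QG_WAIT, SONAR_USE_DOCKER (hypothetical).

# Redact a secret for log lines: keep the first 4 characters, mask the rest.
mask_secret() {
  printf '%.4s****\n' "$1"
}

# Verify required settings are present and well-formed before scanning.
# Writes a reason to stderr and returns non-zero; never prints the token.
check_sonar_env() {
  if [ -z "${SONAR_HOST_URL:-}" ]; then
    echo "SONAR_HOST_URL is not set" >&2; return 1
  fi
  case "$SONAR_HOST_URL" in
    https://*) ;;   # the token only ever travels over TLS
    *) echo "SONAR_HOST_URL must start with https:// (got a non-TLS URL)" >&2; return 1 ;;
  esac
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set (inject it as a masked CI secret)" >&2; return 1
  fi
  if [ -z "${SONAR_PROJECT_KEY:-}" ]; then
    echo "SONAR_PROJECT_KEY is not set" >&2; return 1
  fi
  return 0
}

# Non-secret scanner options, one per line. The token and host URL are
# deliberately absent: the scanner picks them up from the environment.
# Values are assumed to contain no whitespace (they are word-split below).
scanner_args() {
  printf '%s\n' \
    "-Dsonar.projectKey=$SONAR_PROJECT_KEY" \
    "-Dsonar.sources=${SONAR_SOURCES:-.}" \
    "-Dsonar.qualitygate.wait=${SONAR_QG_WAIT:-true}"
}

# Full scan: validate, confirm the private server is reachable, then run the
# scanner either natively or in the official scanner image.
run_scan() {
  check_sonar_env || return 1
  echo "scanning $SONAR_PROJECT_KEY against $SONAR_HOST_URL (token $(mask_secret "$SONAR_TOKEN"))"

  # Reachability preflight: egress from the job to the private network is the
  # usual failure point, and it is cheaper to report it here than mid-scan.
  if ! curl -fsS --max-time 10 "$SONAR_HOST_URL/api/system/status" >/dev/null; then
    echo "cannot reach $SONAR_HOST_URL from this job; check egress / network policy" >&2
    return 2
  fi

  if [ "${SONAR_USE_DOCKER:-0}" = "1" ]; then
    # -e VAR with no value forwards the variable from the job environment,
    # so the secret does not appear in the docker command line either.
    docker run --rm \
      -e SONAR_HOST_URL -e SONAR_TOKEN \
      -v "$PWD:/usr/src" \
      sonarsource/sonar-scanner-cli $(scanner_args)
  else
    sonar-scanner $(scanner_args)
  fi
}

# Only start the scan when invoked as `sh sonar_ci.sh run`; otherwise the
# file just defines the functions above so they can be sourced or tested.
case "${1:-}" in
  run) run_scan ;;
esac
```

In a CI job the call is `sh sonar_ci.sh run` (or `SONAR_USE_DOCKER=1 sh sonar_ci.sh run` for the container variant). Requiring `https://` is a deliberate choice for the private-network case: a token sent over plain HTTP is readable by anything on the path, and a self-hosted Helm deployment can terminate TLS at the ingress.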