which versions are you using (SonarQube 7.0, Command line Sonar Scanner )
What have I done? I have successfully integrated SonarQube with TFS and with LDAP.
What I need to do ? I am thinking if SonarQube could kick in before the developer could check in. Before he could check in, the SonarQube would be do the code analysis and if (configurable amount of rules) are applied, (say, 3 major Security Vulnerabilities are discovered), then that check in should be reject and should not become part of TFS code repo.
It sounds like you’re looking for branch/PR analysis. That’s available starting in Developer Edition. You can then block merge based on the status of the PR.
Currently you get a red/green status on PRs and short-lived branches based purely on the count of open issues. Hopefully in 7.6 we’ll be able to deliver real quality gates.
BTW, you’ll want to upgrade to the most recent version of SonarQube at the same time to get the best experience.