Which versions are you using? (SonarQube 7.0, command-line Sonar Scanner)
What have I done? I have successfully integrated SonarQube with TFS and with LDAP.
What do I need to do? I am wondering if SonarQube could kick in before the developer checks in. Before he can check in, SonarQube would do the code analysis, and if (a configurable number of rules) are applied (say, 3 major Security Vulnerabilities are discovered), then that check-in should be rejected and should not become part of the TFS code repo.
Is there any way I could do this?