Integrate SonarQube Server into CI/CD

 

What is SonarQube Server?

SonarQube is a widely used static analysis tool that scans source code for quality and security issues. It is available in a community edition and in commercial editions, and supports a wide range of programming languages.

The Uleska Platform integrates with your own SonarQube instance (Community or commercial editions): you set up a connection to the instance, and the platform scans your source code with it and returns the security vulnerabilities it finds.

Note that if you wish to use the commercial version of SonarQube, or an instance of SonarQube in your environment, you can use the SonarQube Scanner adaptor.

Security Stage: SAST (Static Code Analysis)
Type: Community and Commercial
Languages: Java, JavaScript, C#, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, VB, C, C++, Swift, SQL
Site: https://www.sonarqube.org/

 

Pre-requisites

1. You'll need a Git address to scan
2. You'll need a SonarQube instance to connect to

How do I set it up with Uleska?

There are three steps to setting up SonarQube Server with the Uleska Platform:

  1. Creating a user and token in your instance of SonarQube
  2. Creating a connection configuration in the Uleska Platform for your instance of SonarQube
  3. Adding SonarQube Server to a Custom Toolkit

Creating a user and token in your instance of SonarQube

To connect your SonarQube instance to the Uleska Platform, you'll need a user API token. See the SonarQube instructions at https://docs.sonarqube.org/latest/user-guide/user-token/ to set this up. Generate the token for a dedicated user that has only the Browse permission on the projects you want to scan, rather than for an administrator account, so that a leaked token grants no more than read access to those results. SonarQube shows the token value only once, at creation time, so copy it into the Uleska connection straight away.

 

Creating a connection configuration in the Uleska Platform for your instance of SonarQube

Now that you have your access user and token, you can set up a connection configuration.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'SonarQube'
  • Add the URL of your SonarQube instance, which is the root address of the instance (no project path). The Uleska Platform connects to it from the internet, so the instance must be reachable publicly and present a certificate from a publicly trusted CA; self-signed or internal-CA certificates will cause the connection to fail.
  • For the Username, enter the SonarQube user account that can access the project you want to scan, or the user token you generated in step 1.
  • For the Password, enter that account's password. If you entered a token as the Username, leave the Password empty (SonarQube's web API accepts a user token as the login name with an empty password).
  • Click the 'Test' button to confirm that the platform can reach the instance and that the credentials are accepted.
  • Click 'Save'


When you scan an Application Version with SonarQube Server, the tool uses the Uleska Application Name as the SonarQube component key (the project key). The Application Name must therefore match the SonarQube project key exactly, including case; otherwise the scan cannot find the project and returns no results.
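The following script, added here as an example and not part of the Uleska Platform or of SonarQube, performs the checks the connection 'Test' and the component key mapping above depend on: the instance URL uses HTTPS, the credentials (a user token sent as the Basic-auth login with an empty password) are accepted, a SonarQube project whose key equals the Application Name exists, and the user can read that project's vulnerabilities. The endpoint paths and parameters are SonarQube's public web API; the host name, the token value, the project key `my-app` and the `sample_fetch` responses are constructed so that it runs offline.

```python
"""Pre-flight check for a SonarQube Server connection.

Added example; not Uleska's or SonarSource's code. `sample_fetch` and the
values in __main__ are constructed for illustration; swap in `http_get`
to run the checks against a real instance.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(username: str, password: str = "") -> str:
    """Build an HTTP Basic Authorization value.

    SonarQube accepts a user token as the Basic-auth username with an empty
    password, so pass the token as `username` and leave `password` empty.
    """
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_get(url: str, auth_header: str) -> tuple:
    """Real transport: GET `url`, return (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except json.JSONDecodeError:
            return err.code, {}


def check_connection(base_url, username, password, component_key, fetch=http_get):
    """Run the checks; return {check name: (passed, detail)}."""
    base = base_url.rstrip("/")
    auth = basic_auth_header(username, password)
    results = {}

    # The platform reaches the instance over the internet, so require TLS.
    scheme = urllib.parse.urlsplit(base).scheme
    results["https"] = (scheme == "https", f"URL scheme is {scheme!r}")

    # Credentials: HTTP 200 with {"valid": true} means SonarQube accepted them.
    status, body = fetch(f"{base}/api/authentication/validate", auth)
    ok = status == 200 and body.get("valid") is True
    results["credentials"] = (ok, f"HTTP {status}, valid={body.get('valid')}")

    # Component key: the Application Name must equal a project key
    # (qualifier TRK). A 404 here means no project has that key.
    query = urllib.parse.urlencode({"component": component_key})
    status, body = fetch(f"{base}/api/components/show?{query}", auth)
    comp = body.get("component", {}) if status == 200 else {}
    ok = comp.get("key") == component_key and comp.get("qualifier") == "TRK"
    results["component_key"] = (ok, f"HTTP {status}, found {comp.get('key')!r}")

    # Read access: listing issues needs Browse permission on the project.
    query = urllib.parse.urlencode({"componentKeys": component_key,
                                    "types": "VULNERABILITY",
                                    "resolved": "false", "ps": 1})
    status, body = fetch(f"{base}/api/issues/search?{query}", auth)
    results["issues_read"] = (status == 200,
                              f"HTTP {status}, {body.get('total', '?')} open vulnerabilities")
    return results


def sample_fetch(url, auth_header):
    """Constructed stand-in for `http_get` so the example runs offline."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qs(parts.query)
    if auth_header != basic_auth_header("squ_exampletoken"):  # constructed token
        return 401, {}
    if parts.path.endswith("/api/authentication/validate"):
        return 200, {"valid": True}
    if parts.path.endswith("/api/components/show"):
        if params.get("component") == ["my-app"]:
            return 200, {"component": {"key": "my-app", "name": "My App",
                                       "qualifier": "TRK"}}
        return 404, {"errors": [{"msg": "Component key not found"}]}
    if parts.path.endswith("/api/issues/search"):
        return 200, {"total": 3, "issues": []}
    return 404, {}


if __name__ == "__main__":
    report = check_connection("https://sonar.example.com", "squ_exampletoken",
                              "", "my-app", fetch=sample_fetch)
    for name, (passed, detail) in report.items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {detail}")
```

To run it against a real instance, call `check_connection` with your instance's root URL, your token as `username`, an empty `password`, the Uleska Application Name as `component_key`, and the default `fetch`. A failing `component_key` check with passing credentials is the usual symptom of an Application Name that does not match the SonarQube project key.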

Next steps

Follow our guide on Creating a Custom Toolkit, and choose SonarQube Server from the tool list.