Setup Sonarqube MultiBranch Scan


SonarQube has removed multi-branch analysis support from Community Edition, so after SonarQube 7.7 this functionality is only available in Developer Edition.

However, by combining the sonarqube-community-branch-plugin with the SonarQube API we can mimic a similar behaviour.

🛠 Systemd

  • Copy the plugin JAR into the extensions/plugins/ directory of your SonarQube instance:
wget -P <Path to extensions/plugins/> https://github.com/mc1arke/sonarqube-community-branch-plugin/releases/download/1.14.0/sonarqube-community-branch-plugin-1.14.0.jar
  • Add -javaagent:./extensions/plugins/sonarqube-community-branch-plugin-${version}.jar=web to the sonar.web.javaAdditionalOpts property in conf/sonar.properties of your SonarQube installation, e.g. sonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=web
  • Add -javaagent:./extensions/plugins/sonarqube-community-branch-plugin-${version}.jar=ce to the sonar.ce.javaAdditionalOpts property in the same file, e.g. sonar.ce.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=ce
  • Restart your SonarQube server.
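Editing conf/sonar.properties by hand is error-prone: the property may already carry options such as a heap size, it may be shipped commented out, or it may be missing entirely. The script below is an added example for this post (not code from the plugin project or from SonarQube) that handles all three states idempotently. It assumes the default layout used in the steps above (the JAR under ./extensions/plugins relative to the SonarQube home) and the two property names named above; the sample properties excerpt is constructed. Check the plugin's compatibility table so the version you pass matches your SonarQube release.

```python
"""Enable the community-branch-plugin javaagent in conf/sonar.properties.

Added example for this post; not code from the plugin project or SonarQube.
Assumes the default layout (plugin JAR under ./extensions/plugins relative
to the SonarQube home) and the sonar.web/sonar.ce.javaAdditionalOpts
property names from the plugin's installation steps.
"""
import re
import sys

# Property -> javaagent target the plugin expects for that JVM.
PROPERTIES = {
    "sonar.web.javaAdditionalOpts": "web",
    "sonar.ce.javaAdditionalOpts": "ce",
}


def agent_flag(version: str, target: str) -> str:
    """Build the -javaagent option for one JVM ('web' or 'ce')."""
    return (f"-javaagent:./extensions/plugins/"
            f"sonarqube-community-branch-plugin-{version}.jar={target}")


def patch_property(text: str, key: str, flag: str) -> str:
    """Return text with flag present in property key, covering three states:
    active 'key=...' (flag appended, existing options such as -Xmx kept),
    commented-out '#key=...' (line enabled with the flag), or key absent
    (line appended). Running it twice is a no-op.
    """
    active = re.compile(rf"^{re.escape(key)}\s*=(.*)$", re.MULTILINE)
    commented = re.compile(rf"^#\s*{re.escape(key)}\s*=.*$", re.MULTILINE)

    m = active.search(text)
    if m:
        existing = m.group(1).strip()
        if flag in existing.split():
            return text  # already configured, leave the file untouched
        value = f"{existing} {flag}" if existing else flag
        return text[:m.start()] + f"{key}={value}" + text[m.end():]

    m = commented.search(text)
    if m:
        # Enable the commented-out line; its inactive value is discarded.
        return text[:m.start()] + f"{key}={flag}" + text[m.end():]

    sep = "" if (not text or text.endswith("\n")) else "\n"
    return f"{text}{sep}{key}={flag}\n"


def patch_properties(text: str, version: str) -> str:
    """Apply both javaagent flags for the given plugin version."""
    for key, target in PROPERTIES.items():
        text = patch_property(text, key, agent_flag(version, target))
    return text


# Constructed sample: the web JVM already has a heap option, the CE line is commented out.
SAMPLE_PROPERTIES = """# constructed excerpt of conf/sonar.properties
sonar.web.javaAdditionalOpts=-Xmx512m
#sonar.ce.javaAdditionalOpts=
sonar.web.port=9000
"""

if __name__ == "__main__":
    # Usage: python patch_sonar_properties.py <path-to-conf/sonar.properties> <plugin-version>
    if len(sys.argv) == 3:
        path, version = sys.argv[1], sys.argv[2]
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patch_properties(original, version))
        print(f"patched {path}")
    else:
        # No arguments: show the effect on the constructed sample.
        print(patch_properties(SAMPLE_PROPERTIES, "1.14.0"))
```

Run it once against the real file and restart SonarQube; running it again after an upgrade with the new version string appends a second javaagent entry, so remove the old one first.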

🐳 Docker Compose

  • Download the community branch plugin:
cd /opt/application
wget https://github.com/mc1arke/sonarqube-community-branch-plugin/releases/download/1.14.0/sonarqube-community-branch-plugin-1.14.0.jar
  • Copy the .jar file into the plugins folder of the SonarQube extensions volume:
ls /var/lib/docker/volumes/ | grep extension
# sonarqube_sonarqube_extensions

cp sonarqube-community-branch-plugin-1.14.0.jar /var/lib/docker/volumes/sonarqube_sonarqube_extensions/_data/plugins/
  • Final Docker Compose file:
version: "3"

services:
  sonarqube:
    image: sonarqube:lts-community
    depends_on:
      - sonar_db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://sonar_db:5432/sonar_db
      SONAR_JDBC_USERNAME: sonar_user
      SONAR_JDBC_PASSWORD: StR0N9p@S5WORD!   # sample value; keep real credentials in an .env file rather than in the compose file
      ### Add the two lines below
      SONAR_WEB_JAVAADDITIONALOPTS: -javaagent:/opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=web
      SONAR_CE_JAVAADDITIONALOPTS: -javaagent:/opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=ce
      ### End of added lines
    ports:
      - "9000:9000"
    volumes:
      - sonarqube_conf:/opt/sonarqube/conf
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_temp:/opt/sonarqube/temp

  sonar_db:
    image: postgres:alpine
    environment:
      POSTGRES_USER: sonar_user
      POSTGRES_PASSWORD: StR0N9p@S5WORD!
      POSTGRES_DB: sonar_db
    volumes:
      - sonar_db:/var/lib/postgresql
      - sonar_db_data:/var/lib/postgresql/data

volumes:
  sonarqube_conf:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  sonarqube_temp:
  sonar_db:
  sonar_db_data:
docker compose up -d

Operational Test

  • Open SonarQube as an administrator and accept the third-party plugin risk prompt ("I understand the risk")
  • Create the SonarQube project
  • Create .gitlab-ci.yml:
stages:
  - SAST

sonarqube:
  stage: SAST
  image: 
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  script:
    - |
      # Map the CI ref to the branch name reported to SonarQube.
      if [ "$CI_COMMIT_REF_NAME" = "stg" ]; then
        SONAR_BRANCH="stg"
      elif [ "$CI_COMMIT_REF_NAME" = "dev" ]; then
        SONAR_BRANCH="dev"
      else
        SONAR_BRANCH="$CI_COMMIT_REF_NAME"
      fi
      # Pass the branch explicitly so the analysis is attached to this branch.
      sonar-scanner -Dsonar.branch.name="$SONAR_BRANCH"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  rules:
    - if: '$CI_COMMIT_BRANCH == "stg" && $CI_COMMIT_TAG == null'
      when: always
    - if: '$CI_COMMIT_BRANCH == "dev" && $CI_COMMIT_TAG == null'
      when: always
  tags:
    - docker
  allow_failure: true
  • Create sonar-project.properties:
sonar.projectKey=Dummy-Project
sonar.qualitygate.wait=true
  • Create CI/CD variables in the repository settings (mark SONAR_TOKEN as masked so it is not printed in job logs):
SONAR_HOST_URL: https://sonarqube.example.com
SONAR_TOKEN: <Your Token>
  • Run the pipeline on the dev branch
  • Run the pipeline on the stg branch. Once the pipeline succeeds, the new branch appears in SonarQube
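Rather than checking the SonarQube UI by hand after each run, the branches can be verified through the Web API mentioned at the top of the post. The script below is an added example (not part of SonarQube or the plugin) that calls GET /api/project_branches/list?project=<key> with the same SONAR_HOST_URL and SONAR_TOKEN the pipeline uses, and reports any expected branch that was never analysed or that fails its quality gate. The sample response is constructed to match the endpoint's documented shape; the branch names and project key are the ones used in this post.

```python
"""Verify through the SonarQube Web API that the expected branches exist
and report their quality-gate status.

Added example for this post; not part of SonarQube or the plugin.
Assumes the documented endpoint GET /api/project_branches/list?project=<key>
and token authentication (the token is sent as the Basic-auth username
with an empty password).
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request


def auth_header(token: str) -> str:
    """SonarQube accepts a user token as the Basic-auth username, empty password."""
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return f"Basic {raw}"


def fetch_branches(host_url: str, token: str, project_key: str) -> dict:
    """Call the project_branches/list endpoint and return the parsed JSON."""
    url = (f"{host_url.rstrip('/')}/api/project_branches/list"
           f"?project={urllib.parse.quote(project_key, safe='')}")
    req = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(payload: dict) -> dict:
    """Map branch name -> quality gate status ('OK', 'ERROR', or 'NONE' if unset).

    Pull-request entries share the endpoint but are skipped here.
    """
    summary = {}
    for branch in payload.get("branches", []):
        if branch.get("type") != "BRANCH":
            continue
        status = branch.get("status", {}).get("qualityGateStatus", "NONE")
        summary[branch["name"]] = status
    return summary


def check(summary: dict, expected: list) -> list:
    """Return human-readable problems: branches never analysed or failing the gate."""
    problems = []
    for name in expected:
        if name not in summary:
            problems.append(f"branch '{name}' has not been analysed")
        elif summary[name] == "ERROR":
            problems.append(f"branch '{name}' fails its quality gate")
    return problems


# Constructed sample response in the shape the endpoint returns.
SAMPLE_RESPONSE = {
    "branches": [
        {"name": "main", "isMain": True, "type": "BRANCH",
         "status": {"qualityGateStatus": "OK"}},
        {"name": "dev", "isMain": False, "type": "BRANCH",
         "status": {"qualityGateStatus": "ERROR"}},
        {"name": "42", "isMain": False, "type": "PULL_REQUEST",
         "status": {"qualityGateStatus": "OK"}},
    ]
}

if __name__ == "__main__":
    # Usage: SONAR_HOST_URL=... SONAR_TOKEN=... python check_branches.py Dummy-Project dev stg
    host, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    if host and token and len(sys.argv) > 2:
        payload = fetch_branches(host, token, sys.argv[1])
        expected = sys.argv[2:]
    else:
        # Offline demonstration on the constructed sample.
        payload, expected = SAMPLE_RESPONSE, ["main", "dev", "stg"]
    for problem in check(summarize(payload), expected):
        print(problem)
```

Exiting non-zero when the list of problems is non-empty turns this into a post-deployment gate that can run in a separate, scheduled pipeline independent of the scan job.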

Reference

mc1arke/sonarqube-community-branch-plugin: A plugin that allows branch analysis and pull request decoration in the Community version of SonarQube, https://github.com/mc1arke/sonarqube-community-branch-plugin