Announcement: SonarQube integration rolling out

Hey everyone, I'm excited to share a new integration with SonarQube that brings in a new metric for Quality Gates! To set up SonarQube with Compass, click "Create", then "Incoming webhooks", click "Create", and choose "SonarQube" from the dropdown.

Following the setup steps in Compass you'll get a URL and some instructions on how to set up a webhook in SonarQube. You'll then need to set up the webhook for each SonarQube Project or Portfolio, and finally add a link to a SonarQube Project to the Dashboards link section for a Compass component.

[Screenshot of the SonarQube integration setup]

This integration is still rolling out to all customers, so if you don't see it just yet, check back at the end of the week.

Happy Holidays!

6 comments

Pete Stanley
Contributor
December 3, 2024

Great stuff! Have tested this out and works pretty nicely. Awesome to have self-hosted support as first-class citizen.

Is this the only metric we should expect to see available after integration?

[Screenshot of the available SonarQube metric]

It would be nice to have some pattern matching controls for automatic project > component linking.

  • It's challenging currently as most of our SQ projects were imported via the SCM (GitHub) SQ integration, which applies a "<org>_" prefix and "_<GUID>" suffix to each project key. As it's pretty unsightly, we're unlikely to change component names in Compass to match.
  • Wherever possible, would suggest automatic project matching is a key capability that goes a long way towards surfacing the metric and mass adoption of the feature. That being said, dropping a dashboard link works well, would just help to reduce training if automatic linking had slightly more admin controls.


Would love to see some native support for either Prisma Cloud or Checkov next.

Like • Steffen Opel _Utoolity_ likes this
Josh Campbell
Atlassian Team
December 4, 2024

Thanks a ton for the feedback Pete! This is the only metric currently. Especially great note on the SonarQube GitHub import prefixing the org name. I misspoke in my original post about automatic mapping, looks like that is still in the works so this was very helpful. 

Like • 2 people like this
Josh Campbell
Atlassian Team
December 4, 2024

Hey Pete, I was trying to find this in the SQ docs but for the GitHub import, is the GUID random and not the name of the repo? Would you be able to share an example? Thanks!

Pete Stanley
Contributor
December 5, 2024

Hey @Josh Campbell

I dug into this a bit. I'll speak to the SonarQube GitHub (Organizations) integration since that's what we're using, and probably the most common use case. That being said, everything I've seen in the SonarQube source code suggests it's the same naming structure for all SCM providers.

Worth mentioning, the randomized project keys are only generated when projects are imported via the web interface. When importing via API, the user-specified `projectKey` parameter is necessary and doesn't get transformed.

Key SonarQube terms to navigate SQ code:

WS = Web Service
DTO = Data Transfer Object
ALM = Application Lifecycle Management (aka DevOps Platform Integration, aka 'DOP')


Example

Using the web interface, I imported, removed, and reimported two test projects from our GitHub organization.

"Github Org": "MyOrg"
"Github Project Name": "project1"

- MyOrg_project1_a38c0aca-b2b3-4f4e-9997-caa046906e76
- MyOrg_project1_c3dcb300-b390-4458-96f4-a4a124621f99
- MyOrg_project1_992ea7a9-0e6b-4073-ba4d-c535610bdf0a


"Github Org": "MyOrg"
"Github Project Name": "project2"

- MyOrg_project2_c989d4d0-13f1-43bf-95b2-e7c77b9ff741
- MyOrg_project2_87c5d720-5bcc-42ef-b6cb-3d733b285d94
- MyOrg_project2_6e1058e4-6623-4095-a227-0df1eef58376


Validating in source code:

Regular repos:

Looks to follow `projectKey + PROJECT_KEY_SEPARATOR + uuid` across the board, with '_' as the separator.


Monorepos:

I haven't dug into this as far, but it looks like the logic for monorepos is broken out. It looks to follow the same format, though.


Outcome

So to pattern match Compass to SCM-imported SQ projects, you could take everything between the two underscores if it looks like a UUID is present in the project key.


Like • Steffen Opel _Utoolity_ likes this
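To make the outcome above concrete, here is an added Python example that is not part of Pete's post, nor SonarQube's or Compass's own code. It derives a Compass-style component name from a SonarQube project key by stripping the `<org>_` prefix and the trailing `_<uuid>` suffix that the web-UI SCM import adds, while leaving API-imported keys (no UUID suffix) untouched. It goes slightly beyond the post's heuristic of "everything between the two underscores": it only strips a suffix that actually has UUID shape, and it tolerates repository names that themselves contain underscores by splitting at the first underscore only (safe for GitHub, whose org names cannot contain underscores; for other SCM providers pass the org explicitly). All sample keys are constructed; `parse_project_key`, `build_component_index` and the hypothetical `billing-service` / `payments_service` projects are my own.

```python
import re

# Constructed sample keys. The first four reproduce the shape Pete reports for
# projects imported through the SonarQube web UI from GitHub
# (<org>_<repo>_<uuid>); the last two are hypothetical: an API-imported key,
# which keeps the caller-supplied projectKey untouched, and a repository whose
# name itself contains underscores.
SAMPLE_KEYS = [
    "MyOrg_project1_a38c0aca-b2b3-4f4e-9997-caa046906e76",
    "MyOrg_project1_c3dcb300-b390-4458-96f4-a4a124621f99",
    "MyOrg_project2_c989d4d0-13f1-43bf-95b2-e7c77b9ff741",
    "MyOrg_project2_87c5d720-5bcc-42ef-b6cb-3d733b285d94",
    "billing-service",                                               # constructed: API import
    "MyOrg_payments_service_6e1058e4-6623-4095-a227-0df1eef58376",  # constructed: underscores in name
]

# Only strip a trailing "_<uuid>" when the suffix really has UUID shape
# (8-4-4-4-12 hex groups); a key that merely ends in "_something" is left alone.
UUID_SUFFIX = re.compile(
    r"_([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.IGNORECASE
)


def parse_project_key(key, org=None):
    """Split a SonarQube project key into its parts.

    Returns a dict with 'org', 'name', 'uuid' and 'scm_imported'. A key with
    no UUID suffix is treated as a user-chosen key (API import) and the whole
    key is the name. If `org` is given, that exact prefix is removed;
    otherwise the org is taken as everything before the first underscore,
    which is safe for GitHub because org names cannot contain underscores
    (assumption: other SCM providers may differ, so pass `org` there).
    """
    m = UUID_SUFFIX.search(key)
    if m is None:
        return {"org": None, "name": key, "uuid": None, "scm_imported": False}

    uid = m.group(1).lower()
    stem = key[: m.start()]  # everything before the "_<uuid>" suffix

    if org is not None and stem.startswith(org + "_"):
        return {"org": org, "name": stem[len(org) + 1:], "uuid": uid, "scm_imported": True}

    org_part, sep, rest = stem.partition("_")
    if not sep:
        # UUID suffix but no org prefix: keep the stem as the name
        return {"org": None, "name": stem, "uuid": uid, "scm_imported": True}
    return {"org": org_part, "name": rest, "uuid": uid, "scm_imported": True}


def build_component_index(keys, org=None):
    """Map each derived component name to the SonarQube keys that carry it.

    Several keys can map to one name (Pete's example shows a project that was
    removed and re-imported, which minted a fresh UUID each time), so the
    caller gets a list and can decide which key is the live one.
    """
    index = {}
    for key in keys:
        info = parse_project_key(key, org)
        index.setdefault(info["name"], []).append(key)
    return index


if __name__ == "__main__":
    for name, keys in build_component_index(SAMPLE_KEYS, org="MyOrg").items():
        print(f"{name}: {len(keys)} key(s) -> {keys}")
```

The index deliberately keeps every key per name rather than picking one: the duplicate keys in Pete's listing are exactly what a remove-and-reimport leaves behind, and a mapping job should surface those so stale projects (which still hold old findings and may still fire webhooks) get cleaned up rather than silently linked.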
Michael Akinde
I'm New Here
February 12, 2025

So, it seems like this integration only passes the Quality Gate metric. Is this correct? If so, this seems pretty limited and not super useful, IMO - I would want at least security hotspots/violations and code coverage as well. At present, it looks like we still need to push these metrics ourselves.

Like • Steffen Opel _Utoolity_ likes this
Mano Swerts
I'm New Here
March 6, 2025

Hi @Josh Campbell, this is an interesting feature for us. I agree with Michael that showing some more information in the widgets (like code security violations and test coverage) would be way more useful, but I'm hoping that that's something still on your roadmap to do.

Nevertheless, I cannot seem to make it work. The quality gate metric isn't populated with data, even though I've added the webhook to SonarQube and it is transmitting data. Are there any SonarQube version requirements perhaps?

Any reason why a dashboard link is needed to the SonarQube project to make this work? Our SonarQube instance is behind a VPN, might that be the issue?
