Introducing static analysis to a project can help inform code reviews and highlight areas of the code likely to cause errors as well as expose trends in code quality over time. The tradeoff is that there are often many false positives in a report which need to be investigated.
When I configured SonarQube (6.4) to provide static analysis for our C# project we struggled to incorporate it into our normal development process since it sat outside the usual branch -> build -> merge request workflow.
For our source control we were using GitLab (10.1.4) and our build server was running TeamCity (2017.1).
Get the plugin
Gabriel Allaigre has written the sonar-gitlab plugin which enables SonarQube to push its analysis results to GitLab. This presents the results of analysis in the same place we review our merge requests as well as causing build errors when violations occur; and therefore helps incorporate SonarQube into the development workflow.
First you will need to install the sonar-gitlab plugin to your SonarQube environment and follow the steps detailed in the configuration section of the readme:
- Set the GitLab URL from the Administration -> Configuration -> General Settings -> GitLab
- Set the GitLab user token in the same place. This should be a token for a GitLab user with the developer role. You can get this token in GitLab by going to Profile -> Edit Profile -> Access Tokens and generating a new access token.
Once this is installed the SonarQube configuration is complete.
The installation guide for the sonar-gitlab plugin describes how to configure it when using the GitLab CI or Maven for builds. To run the analysis from TeamCity we need to get some additional information for the parameters to the command line.
If we were running from GitLab's CI we would use the following command to start the Sonar MSBuild Scanner, pushing to GitLab after the analysis completed: