Setting up GitHub integration features at the project level
Reporting your quality gate status in GitHub
On SonarQube projects bound to their GitHub repository (that is, projects imported from GitHub), SonarQube automatically sets up reporting of your quality gate status and analysis metrics directly on your GitHub pull requests.
If you're creating your projects manually or adding quality gate reporting to an existing project, see the following section.
Reporting your quality gate status in manually created or existing projects
SonarQube can also report your quality gate status to GitHub pull requests and branches for existing and manually created projects. After you've created and installed your GitHub App and updated your global DevOps Platform Integration settings as shown in the Importing your GitHub repositories into SonarQube section above, set the following project settings at Project Settings > General Settings > DevOps Platform Integration:
- Configuration name: The configuration name that corresponds to your GitHub instance.
- Repository identifier: The path of your repository URL.
Showing your analysis summary under the GitHub Conversation tab
Make sure that, for your project, Enable analysis summary under the GitHub Conversation tab in Project settings > General settings > Pull Request Decoration is on (the default). When it is on, your pull request analysis summary is shown under both the Conversation and Checks tabs in GitHub. When it is off, the summary is only shown under the Checks tab.
Preventing pull request merges when the quality gate fails
In GitHub, you can block a pull request from being merged if it fails the quality gate. To do this:
- In GitHub, go to your repository Settings > Branches > Branch protection rules and select the Add rule button or, if you already have a rule on the branch you wish to protect, the Edit button.
- Complete the Branch protection rule form:
  - Define the Branch name pattern (the name of the branch you wish to protect).
  - Select Require status checks to pass before merging to open supplementary form fields.
  - In the Search for status checks in the last week for this repository field, select Require branches to be up to date before merging, then find SonarQube Code Analysis and add it to the list of required checks.
Setting up the display of SonarQube security alerts in GitHub
Starting in Developer Edition, SonarQube can provide feedback about security issues inside the GitHub interface itself, provided the corresponding GitHub repository has been imported into SonarQube. The security issues found by SonarQube appear in both:
- The SonarQube interface, as part of the displayed analysis results.
- The GitHub interface, as code scanning alerts under the Security tab.
This feature is part of the GitHub Advanced Security package and is currently free for public projects. It is available as a paid option for private projects and GitHub Enterprise. This option is entirely on the GitHub side. Sonar does not charge anything extra to enable the code scanning alerts feature.
Once you've enabled this feature, test it by running a SonarQube analysis.
Feature Overview
When you analyze a project in SonarQube, the detected security issues are displayed on the GitHub interface, under your repository's Security > Code scanning alerts tab.
Select View alerts to see the full list.
When you change the status of a security vulnerability in the SonarQube interface, that status change is immediately reflected in the GitHub interface. Similarly, if you change an issue status in GitHub, that change is reflected in SonarQube.
Initially, all issues marked Open in SonarQube are marked Open in GitHub. Because the available statuses on the two systems are not exactly the same, the following logic is used to manage the transitions.
| In SonarQube, a transition to: | Results in this on GitHub: |
| --- | --- |
| Confirm (deprecated) | Open |
| Fixed | Open |
| Accept | Dismiss: Won't Fix |
| False Positive | Dismiss: False positive |
| Open | Open |

| On GitHub, a transition to: | Results in this in SonarQube: |
| --- | --- |
| Dismiss: False positive | False Positive |
| Dismiss: Used in tests | Accept |
| Dismiss: Won't fix | Accept |
Setting up the feature
Enabling the feature in your SonarQube project
Ask your administrator to provide you with the secret of the webhook configured in the GitHub App used for SonarQube integration.
Proceed as follows:
- In your SonarQube project page, go to Project settings > General settings > DevOps Platform Integrations > GitHub.
- Click on your GitHub App and select edit.
- Enter the webhook secret defined in your GitHub App.
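What the secret is for: GitHub uses it to compute an HMAC-SHA256 over the raw body of every webhook delivery and sends the result in the X-Hub-Signature-256 header, so the receiving side can reject deliveries that were forged or altered in transit. The following is an added illustration of that check, not SonarQube's own code; the secret value and the event body are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for `body`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid signature over the raw body."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # compare_digest runs in constant time, so a mismatch leaks no timing hint
    return hmac.compare_digest(expected, header_value)


# Constructed sample values (placeholders, not a real secret or real delivery).
WEBHOOK_SECRET = b"example-webhook-secret-replace-me"
SAMPLE_EVENT = {
    "action": "closed_by_user",
    "alert": {"number": 42, "dismissed_reason": "false positive"},
}
# GitHub signs the exact bytes it sends, so the check must use the raw body,
# never a re-serialised copy of the parsed JSON.
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()


def demo() -> dict:
    """Show the four outcomes a receiver must distinguish."""
    good = sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)
    tampered = SAMPLE_BODY.replace(b"false positive", b"won't fix")
    return {
        "valid": verify_signature(WEBHOOK_SECRET, SAMPLE_BODY, good),
        "tampered_body": verify_signature(WEBHOOK_SECRET, tampered, good),
        "wrong_secret": verify_signature(b"other-secret", SAMPLE_BODY, good),
        "missing_header": verify_signature(WEBHOOK_SECRET, SAMPLE_BODY, None),
    }


if __name__ == "__main__":
    print(demo())
```

Only the `valid` case passes; a changed body, a different secret, or an absent header are all rejected, which is why the secret entered in SonarQube must match the one configured in the GitHub App exactly.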
Managing the user access to security alerts in GitHub
In GitHub, you can configure access to security alerts for a repository to enable and disable security and analysis features.