SonarQube
SonarQube is an open-source platform that empowers developers to write clean and safe code by continuously inspecting code quality and reviewing for bugs, vulnerabilities, and code duplication.
Integrating SonarQube with Cortex allows you to:
Pull in code smells, bugs, code coverage, vulnerabilities, and custom metrics on entity details pages
Create Scorecards that track progress and drive alignment on projects involving your SonarQube projects
This integration is supported for both SonarQube Server and SonarQube Cloud.
How to configure SonarQube with Cortex
Self-hosted prerequisites
If you’re using a self-hosted instance of SonarQube, you’ll need to verify that your Cortex instance is able to reach the SonarQube instance.
If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your SonarQube instance.
Configure the integration
There are two options for integrating SonarQube: the default configuration method and Cortex Axon Relay, a relay broker that allows you to securely connect your on-premises SonarQube data.
Configure SonarQube with the default method
Prerequisites
Before getting started, create a SonarQube user token:
Configuration
In Cortex, navigate to the SonarQube settings page.
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations", click SonarQube.
Click Add configuration.
Configure the SonarQube integration form:
Account alias: Enter the alias you will use to tie entity registrations to different configuration accounts.
Token: Enter your user token from SonarQube.
SonarQube URL: Enter the URL for your SonarQube instance.
For example, https://sonarcloud.io if you are on SonarQube Cloud, or https://sonarqube.mycompany.com if your organization has their own instance.
Click Save.
Integrate via custom webhook
If you’re unable to expose your SonarQube instance to be reachable by Cortex, you can set up a custom integration webhook. To learn more about SonarQube webhooks, visit their webhook documentation.
How to connect Cortex entities to SonarQube projects
Discovery
By default, Cortex will use the entity tag (e.g. my-entity) as the "best guess" for SonarQube project key. For example, if your entity tag is my-entity, then the corresponding project key in SonarQube should also be my-entity.
If your SonarQube project key doesn’t cleanly match the Cortex entity tag, you can override this in the Cortex entity descriptor.
If you’re using build-system tooling to push analysis to SonarQube, the plugin (e.g. Gradle, Maven) may be automatically generating a project key that’s different from the repo name.
Editing the entity descriptor
When managing entities via the YAML entity descriptor, you can configure SonarQube projects under the x-cortex-static-analysis block:
x-cortex-static-analysis:
  sonarqube:
    project: sonar-project-key
    alias: sonarqube-alias
project (required ✓): Project key defined in SonarQube
alias: Alias for the configuration in Cortex (only needed if you have opted into multi-account support)
Cortex only supports one SonarQube project per entity.
Using the SonarQube integration
View SonarQube data on entity pages
Once the integration is established, data from SonarQube will be available in the Code & security page in an entity's sidebar, as well as under the Overview tab. You can pull in data on code smells, bugs, code coverage, vulnerabilities, and any custom metrics available through Sonar. You can read more about metric definitions in Sonar's documentation.
Metrics
Complexity
Duplications
Issues
Maintainability
Quality gates
Reliability
Security
Size
Tests
Code freshness
Code coverage
Scorecards and CQL
With the SonarQube integration, you can create Scorecard rules and write CQL queries based on SonarQube projects.
See more examples in the CQL Explorer in Cortex.
FAQs and troubleshooting
Does Cortex support SonarCloud?
Yes. You can integrate with SonarCloud by following the same steps as integrating with SonarQube. In the URL field, use your https://sonarcloud.io/ URL. You can also use multi-account support to add a self-hosted or SonarCloud instance by adding the URL for that instance during configuration.
I’m seeing “Socket timed out when trying to connect to SonarQube” for all of my entities in Scorecards.
This means that Cortex is unable to talk to your SonarQube instance. Make sure that your instance is running and accessible to Cortex.
I’m using Gradle and I’ve verified that my project is in SonarQube, but Cortex is still showing me an error.
Gradle automatically generates a project key which is equal to [$:]$. As a result, automatic discovery won’t work. You’ll need to override the project key in your Cortex entity descriptor.
My project is in Sonar and Cortex is able to talk to SonarQube, but my score isn’t showing up.
Try the following troubleshooting steps:
Make sure the project key in your YAML is exactly the same as the key in SonarQube.
Verify that the scores are in the “default branch” in SonarQube. If your scores are showing up in branch-a in SonarQube, but your SonarQube default branch is main, Cortex will not be able to retrieve the scores.
Run the following curl command and verify there are metrics showing up in the response:
curl -v -u "[SONARQUBE TOKEN]:" "https://[SONARQUBE HOST]/api/measures/component_tree?component=[SONARQUBE PROJECT KEY]&metricKeys=ncloc,coverage"
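The troubleshooting steps above can be scripted. The following Python is an added example, not part of the Cortex or SonarQube documentation; it assumes the standard SonarQube Web API response shapes for api/measures/component_tree and api/project_branches/list, and the function names and sample responses are constructed for illustration.

```python
import base64, json
import urllib.error, urllib.parse, urllib.request

METRICS = ("ncloc", "coverage")  # same metricKeys as the curl command above

def fetch(host, path, params, token):
    """GET a Web API path. The user token is the Basic-auth username, password empty."""
    url = f"https://{host}{path}?{urllib.parse.urlencode(params)}"
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:  # error page from a proxy, not SonarQube JSON
            return err.code, {}

def diagnose(status, measures, branches):
    """Map the two API responses onto the troubleshooting cases in this FAQ."""
    if status == 404:  # SonarQube does not know this project key
        msgs = "; ".join(e.get("msg", "") for e in measures.get("errors", []))
        return f"key mismatch: {msgs}"
    if status in (401, 403):
        return "token rejected or missing Browse permission on the project"
    if status != 200:
        return f"unexpected HTTP {status}"
    main = next((b["name"] for b in branches.get("branches", []) if b.get("isMain")), None)
    found = {m["metric"] for m in measures.get("baseComponent", {}).get("measures", [])}
    missing = [m for m in METRICS if m not in found]
    if missing:  # without a branch parameter the API reports the main branch only
        return f"no {', '.join(missing)} on default branch {main}"
    return f"ok: metrics present on default branch {main}"

# Constructed sample responses (not captured from a real instance).
BRANCHES = {"branches": [{"name": "main", "isMain": True}, {"name": "branch-a", "isMain": False}]}
OK = {"baseComponent": {"key": "my-entity", "measures": [
    {"metric": "ncloc", "value": "1200"}, {"metric": "coverage", "value": "81.4"}]}}
EMPTY = {"baseComponent": {"key": "my-entity", "measures": []}}
NOT_FOUND = {"errors": [{"msg": "Component key 'my-entity' not found"}]}

if __name__ == "__main__":
    for status, body in ((200, OK), (200, EMPTY), (404, NOT_FOUND)):
        print(diagnose(status, body, BRANCHES))
```

Against a live instance, call fetch with /api/measures/component_tree (component and metricKeys parameters) and /api/project_branches/list (project parameter), reading the token from an environment variable rather than typing it on the command line.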
What if I want to send custom data, but I don't have control over the integration touchpoint?
If you don't have control of or access to the integration touchpoint (for example, if you're using a SonarQube notification webhook) you'll want to use the API to send custom data. You can find information on sending data to a custom data webhook here.
Why might I see the SonarQube connection error Component key not found?
For SonarQube (and all integrations), Cortex will map the entity tag defined in the cortex.yaml for a given entity. For SonarQube specifically, the tag must exactly match the project ID in SonarQube. If these are not one-to-one, we recommend using the override detailed above to define the proper mapping for project ID and entity name.
Why might I see the error Sonarqube: Fail to request url on my integration page or a validity check failed error while creating a Workflow?
This can happen if your external DNS certificate expired. Ensure that any certificates you're using are valid.
Still need help?
The following options are available to get assistance from the Cortex Customer Engineering team:
Email: [email protected], or open a support ticket in the in-app Resource Center
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your Customer Success Manager.