SonarQube

Last updated 1 month ago


SonarQube is an open-source platform that helps developers write clean and safe code by continuously inspecting code quality and reviewing for bugs, vulnerabilities, and code duplication.

Integrating SonarQube with Cortex allows you to:

  • Pull in code smells, bugs, code coverage, vulnerabilities, and custom metrics on entity details pages

  • Create Scorecards that track progress and drive alignment on projects involving your SonarQube projects

How to configure SonarQube with Cortex

Self-hosted prerequisites

If you're using a self-hosted instance of SonarQube, verify that your Cortex instance is able to reach the SonarQube instance, typically by allowlisting the Cortex static IP on your firewall.

If you're unable to directly allowlist the Cortex static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy forward traffic to your SonarQube instance. Restrict that proxy so it accepts connections only from the Cortex IP and forwards only to SonarQube: it is an internet-facing path into your network.

If you can't expose your SonarQube instance to be reachable by Cortex at all, you can instead set up a custom integration webhook and have SonarQube push analysis results to it. To learn more about SonarQube webhooks, visit their webhook documentation.

Configure the integration

There are two options for integrating SonarQube: the default configuration method, in which Cortex connects to your SonarQube URL directly, and Cortex Axon Relay, a relay broker that lets you securely connect on-premises SonarQube data without exposing the instance directly to Cortex.

Configure SonarQube with the default method

Prerequisites

Before getting started, create a SonarQube user token. The token carries the permissions of the user that created it, so generate it for a dedicated, read-only user with Browse permission on the projects Cortex should see, not for an administrator account.

Configuration

  1. In Cortex, navigate to the SonarQube settings page.

    1. In Cortex, click your avatar in the lower left corner, then click Settings.

    2. Under "Integrations", click SonarQube.

  2. Click Add configuration.

  3. Configure the SonarQube integration form:

    • Account alias: Enter the alias you will use to tie entity registrations to this configuration when you have more than one SonarQube account.

    • Token: Enter the SonarQube user token you created above.

    • SonarQube URL: Enter the base URL of your SonarQube instance (for SonarCloud, https://sonarcloud.io).

  4. Click Save.

Configure SonarQube with Cortex Axon Relay

See Internally hosted integrations for instructions.

Advanced configuration

Registration

Discovery

By default, Cortex uses the entity tag (e.g. my-entity) as its "best guess" for the SonarQube project key: if your entity tag is my-entity, Cortex looks for a SonarQube project whose key is exactly my-entity.

If your SonarQube project keys don't cleanly match your Cortex entity tags, you can override the mapping in the Cortex entity descriptor.

This is common when build-system tooling pushes analysis to SonarQube: the plugin (e.g. Gradle, Maven) may generate a project key that differs from the repository name.

Entity descriptor

x-cortex-static-analysis:
  sonarqube:
    project: sonar-project-key
    alias: sonarqube-alias

  • project (required): Project key defined in SonarQube.

  • alias (optional): Alias for the configuration in Cortex (only needed if you have opted into multi-account support).

Cortex only supports one SonarQube project per entity.
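Added example, not code from Cortex or SonarQube: a Python script that applies the discovery rule above (entity tag must equal the SonarQube project key) to a list of entity tags and the project keys returned by SonarQube's api/projects/search endpoint, flags tags whose only candidate is a build-tool style group:name key, and prints the x-cortex-static-analysis override for each. The endpoint is real; the project list, entity tags and group names below are constructed sample data.

```python
"""Added example, not Cortex's or SonarQube's code: apply Cortex's discovery
rule (entity tag == SonarQube project key) to a set of entity tags and
emit the entity-descriptor override for tags that don't match.

Assumptions: the project list is the body of GET api/projects/search (a
real SonarQube Web API endpoint); the keys, tags and group names below
are constructed sample data.
"""
import json

# Constructed sample: api/projects/search?ps=100
SAMPLE_PROJECTS_SEARCH = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 5},
    "components": [
        {"key": "payments-api", "name": "payments-api"},
        {"key": "com.example:orders-service", "name": "orders-service"},   # Gradle group:name
        {"key": "com.example.billing:billing", "name": "billing"},          # Maven groupId:artifactId
        {"key": "com.example.legacy:billing", "name": "billing-legacy"},
        {"key": "legacy_ui", "name": "Legacy UI"},
    ],
})

# Constructed sample: the tags of the Cortex entities we expect to map.
SAMPLE_ENTITY_TAGS = ["payments-api", "orders-service", "billing", "legacy-ui"]


def project_keys(projects_search_json):
    """Project keys from an api/projects/search response (one page)."""
    return [c["key"] for c in json.loads(projects_search_json)["components"]]


def map_entities(entity_tags, keys):
    """Return {tag: (matched_key_or_None, reason)}.

    exact     - tag equals a project key: Cortex discovers it automatically
    suffix    - exactly one key is '<group>:<tag>' (build-tool generated key): needs an override
    ambiguous - several build-tool keys end in ':<tag>': pick one by hand
    missing   - nothing resembles the tag: project not analysed, or key differs entirely
    """
    key_set = set(keys)
    result = {}
    for tag in entity_tags:
        if tag in key_set:
            result[tag] = (tag, "exact")
            continue
        candidates = sorted(k for k in keys if k.endswith(":" + tag))
        if len(candidates) == 1:
            result[tag] = (candidates[0], "suffix")
        elif candidates:
            result[tag] = (None, "ambiguous:" + ",".join(candidates))
        else:
            result[tag] = (None, "missing")
    return result


def descriptor_override(project_key, alias=None):
    """The x-cortex-static-analysis block to paste into the entity's cortex.yaml.

    The key is quoted because build-tool keys contain ':'.
    """
    lines = ["x-cortex-static-analysis:",
             "  sonarqube:",
             f'    project: "{project_key}"']
    if alias:
        lines.append(f"    alias: {alias}")
    return "\n".join(lines)


def report(entity_tags, projects_search_json):
    """Human-readable summary plus the overrides to apply."""
    mapping = map_entities(entity_tags, project_keys(projects_search_json))
    out = []
    for tag, (key, reason) in mapping.items():
        if reason == "exact":
            out.append(f"{tag}: discovered automatically")
        elif reason == "suffix":
            out.append(f"{tag}: override needed\n" + descriptor_override(key))
        else:
            out.append(f"{tag}: manual attention ({reason})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ENTITY_TAGS, SAMPLE_PROJECTS_SEARCH))
```

Run it against a real instance by replacing SAMPLE_PROJECTS_SEARCH with the body of api/projects/search (page through it if you have more than 100 projects). The suffix heuristic is deliberately conservative: two candidate keys for one tag are reported, not guessed, because a wrong override silently scores the wrong project.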

Expected results

Entity pages

Once the integration is established, data from SonarQube is available on the Code & security page in an entity's sidebar as well as under the Overview tab. You can pull in data on code smells, bugs, code coverage, vulnerabilities, and any custom metrics available through Sonar; metric definitions are described in Sonar's documentation. Entity pages show:

  • Metrics

    • Complexity

    • Duplications

    • Issues

    • Maintainability

    • Quality gates

    • Reliability

    • Security

    • Size

    • Tests

  • Code freshness

  • Code coverage

Scorecards and CQL

With the SonarQube integration, you can create Scorecard rules and write CQL queries based on SonarQube projects. See more examples in the CQL Explorer in Cortex.

Analysis freshness

Duration since the last analysis was uploaded to SonarQube for a given project (with granularity of days).

Definition: sonarqube.freshness()

Example

For a Scorecard focused on operational readiness, you can use this expression to evaluate the freshness of static analysis metrics from SonarQube.

sonarqube.freshness() <= duration("P7D")

This rule checks that an analysis has been uploaded to SonarQube within the past week, which developers can use to make sure the metrics being pulled aren't stale.

This same rule works in a security Scorecard: by requiring a SonarQube analysis within the last seven days, you make sure teams are continuously checking compliance with coding rules rather than relying on the results of a months-old scan.

Metric

Query metrics generated by static analysis of your projects and sent to SonarQube:

  • Alert status

  • Bugs

  • Code smells

  • Coverage

  • Duplicated lines

  • Duplicated lines density

  • Lines of code

  • New blocker violations

  • New bugs

  • New code smells

  • New coverage

  • New security hotspots

  • New violations

  • Reliability rating

  • Security hotspots

  • Security rating

  • Security review rating

  • SQALE rating

  • Vulnerabilities

Definition: sonarqube.metric("<metric>")

Examples

For a Scorecard focused on development maturity, you can set a rule to make sure entities have greater than 80% code coverage. SonarQube reports coverage as a percentage (0 to 100), not a fraction, so the threshold is 80:

sonarqube.metric("coverage") > 80

Developers can then immediately identify entities that are falling behind to make improvements to testing effectiveness. This Scorecard can also give users a more comprehensive sense of how well code is being tested, and where gaps exist.

This rule also serves as a secondary check that a given entity is hooked up to SonarQube and reporting regularly.

You can also use the sonarqube.metric("<metric>") expression to write a rule for a security Scorecard, making sure production entities aren't deployed with open security vulnerabilities:

sonarqube.metric("vulnerabilities") < 2

In that security Scorecard, you could also use this expression to evaluate code coverage:

sonarqube.metric("coverage") > 70

Poorly tested code is more likely to hide security bugs, so a lower coverage threshold may make sense as a minimum bar in certain security Scorecards.

Rules focused on security hotspots and vulnerabilities can also make sure entities are operating with minimal security issues:

sonarqube.metric("security_hotspots") < 5
sonarqube.metric("vulnerabilities") < 1

These counts reflect the default branch as of the last analysis, so pair them with the freshness rule above. If an entity begins failing one of these rules, it can alert you to broader security problems.

Project existence

SonarQube project exists for an entity.

Definition: sonarqube != null

Example

For a Scorecard focused on operational readiness, you can write a rule to make sure an entity has an associated SonarQube project.

sonarqube != null

Because having a SonarQube project set would be key for an entity to be evaluated via other SonarQube-related expressions, this rule would make sense in a Scorecard's initial level.

Issues

Query issues identified by static analysis of your projects and sent to SonarQube, including bugs, vulnerabilities, code smells, and more. If the statuses are not filled in, they will default to "OPEN" and "REOPENED" statuses to prevent fetching of resolved issues.

Definition: sonarqube.issues("<types>", "<rules>", "<severities>", "<statuses>", "<lookback>"): List<SonarqubeIssue>

Example

You can write a rule to check that an entity has no more than 3 major java:S2142 bugs:

sonarqube.issues(types = ["bug"], rules = ["java:S2142"], severities = ["major"]).length <= 3

You can write a rule to check that an entity has fewer than 10 minor code smells:

sonarqube.issues(types = ["code_smell"], severities = ["minor"]).length < 10
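Added example, not Cortex's code and not CQL: the Scorecard rules from this section re-expressed in Python over raw SonarQube Web API responses, so you can sanity-check a threshold before committing it to a Scorecard. It reads measures from api/measures/component and the last analysis date from api/project_analyses/search (real endpoints; the JSON bodies, the project key and the fixed "now" are constructed), and includes the unit pitfall for coverage (percent, not fraction) alongside the correct form.

```python
"""Added example, not Cortex's code: evaluate this page's SonarQube
Scorecard rules locally from raw SonarQube Web API responses.

Assumptions: measures are the body of GET api/measures/component and the
analysis history is the body of GET api/project_analyses/search (both
real endpoints); the JSON below is constructed sample data.
"""
import json
from datetime import datetime, timezone

# Constructed sample: api/measures/component?component=payments-api&metricKeys=...
SAMPLE_MEASURES = json.dumps({
    "component": {
        "key": "payments-api",
        "measures": [
            {"metric": "coverage", "value": "83.4"},          # percentage, 0-100
            {"metric": "vulnerabilities", "value": "1"},
            {"metric": "security_hotspots", "value": "7"},
            {"metric": "alert_status", "value": "OK"},        # quality gate
        ],
    }
})
# Same project with poor coverage, to show the unit pitfall.
SAMPLE_MEASURES_LOW = SAMPLE_MEASURES.replace('"83.4"', '"12.5"')

# Constructed sample: api/project_analyses/search?project=payments-api
SAMPLE_ANALYSES = json.dumps({
    "analyses": [
        {"key": "AY9", "date": "2024-05-10T09:15:00+0000"},
        {"key": "AY8", "date": "2024-04-28T09:15:00+0000"},
    ]
})
NO_ANALYSES = json.dumps({"analyses": []})

# Fixed "now" so the freshness check is reproducible.
SAMPLE_NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def parse_measures(measures_json):
    """Map metric key -> float (numeric metrics) or str (e.g. alert_status)."""
    out = {}
    for m in json.loads(measures_json)["component"]["measures"]:
        try:
            out[m["metric"]] = float(m["value"])
        except ValueError:
            out[m["metric"]] = m["value"]
    return out


def freshness_days(analyses_json, now):
    """Days since the newest analysis (sonarqube.freshness()); None if never analysed."""
    dates = [datetime.strptime(a["date"], "%Y-%m-%dT%H:%M:%S%z")
             for a in json.loads(analyses_json)["analyses"]]
    if not dates:
        return None
    return (now - max(dates)).days


def evaluate(measures_json, analyses_json, now):
    """Return {rule_name: bool}; a missing metric fails the rule rather than passing it."""
    m = parse_measures(measures_json)
    days = freshness_days(analyses_json, now)

    def num(key):
        v = m.get(key)
        return v if isinstance(v, float) else None

    cov, vulns, hotspots = num("coverage"), num("vulnerabilities"), num("security_hotspots")
    return {
        # sonarqube.freshness() <= duration("P7D")
        "fresh_within_7d": days is not None and days <= 7,
        # sonarqube.metric("coverage") > 80   (coverage is a percentage)
        "coverage_gt_80": cov is not None and cov > 80,
        # the pitfall: > 0.80 passes any project with more than 0.8% coverage
        "coverage_gt_80_as_fraction": cov is not None and cov > 0.80,
        # sonarqube.metric("vulnerabilities") < 2
        "vulns_lt_2": vulns is not None and vulns < 2,
        # sonarqube.metric("security_hotspots") < 5
        "hotspots_lt_5": hotspots is not None and hotspots < 5,
        # quality gate, from the alert_status metric
        "quality_gate_ok": m.get("alert_status") == "OK",
    }


if __name__ == "__main__":
    for name, body in (("payments-api", SAMPLE_MEASURES), ("payments-api (low coverage)", SAMPLE_MEASURES_LOW)):
        print(name)
        for rule, ok in evaluate(body, SAMPLE_ANALYSES, SAMPLE_NOW).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {rule}")
```

The low-coverage sample passes the fraction-style rule and fails the percentage rule, which is exactly the gap a mis-unit threshold opens in a Scorecard. A project with no analyses fails the freshness rule instead of erroring, mirroring the intent of placing the project-existence rule in an initial level.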

FAQs and troubleshooting

Does Cortex support SonarCloud?

Yes. Integrate SonarCloud by following the same steps as for SonarQube; in the SonarQube URL field, enter your SonarCloud URL (e.g., https://sonarcloud.io). You can also use multi-account support to add both a self-hosted instance and SonarCloud by entering each instance's URL in its own configuration.

I'm seeing "Socket timed out when trying to connect to SonarQube" for all of my entities in Scorecards.

This means Cortex is unable to talk to your SonarQube instance. Make sure the instance is running and reachable from Cortex (see Self-hosted prerequisites above): the Cortex static IP must be allowlisted, or a proxy or Axon Relay must be in place.

I'm using Gradle and I've verified that my project is in SonarQube, but Cortex is still showing me an error.

The SonarScanner for Gradle generates a project key of the form group:name from the root project's group and name (the group prefix is present only when the project sets one), so the key usually doesn't equal the repository name and automatic discovery won't work. Override the project key in your Cortex entity descriptor, as described under Discovery above.

My project is in Sonar and Cortex is able to talk to SonarQube, but my score isn't showing up.

Try the following troubleshooting steps:

  1. Make sure the project key in your YAML is exactly the same as the key in SonarQube (keys are case-sensitive).

  2. Verify that the scores are on the default branch in SonarQube. If your scores show up on branch-a but your SonarQube default branch is main, Cortex will not be able to retrieve them.

  3. Run the following curl command with your SonarQube user token and verify that metrics appear in the response. The token is passed as the Basic-auth username with an empty password, which is how SonarQube expects user tokens:

    curl -sS -u "[SONARQUBE TOKEN]:" "https://[SONARQUBE HOST]/api/measures/component_tree?component=[SONARQUBE PROJECT KEY]&metricKeys=ncloc,coverage"

    An errors array containing "Component key ... not found" means the key is wrong; an empty measures list means the default branch has not been analysed; an HTTP 401 or 403 means the token is invalid or its user lacks Browse permission on the project.
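The three steps above, as an added example in Python (not Cortex's tooling): it runs the same checks against the SonarQube Web API in order and reports the first one that fails, which maps onto the errors in this FAQ (socket timeout, Component key not found, nothing on the default branch). The fetcher is injectable, so the constructed responses below let it run offline; the default fetcher uses urllib and presents the token as the Basic-auth username with an empty password, as the curl command does. The endpoint paths are real SonarQube Web API paths; the host, token value, project keys and response bodies are assumed sample data.

```python
"""Added example, not Cortex's tooling: run this page's troubleshooting
steps against the SonarQube Web API and report the first failing check.

Assumptions: api/authentication/validate, api/components/show,
api/project_branches/list and api/measures/component are real SonarQube
Web API endpoints; the host, token value, project keys and response
bodies below are constructed sample data.
"""
import base64
import json
import socket
import urllib.error
import urllib.request


def default_fetch(host, path, token, timeout=10):
    """GET {host}/{path}; return (http_status, parsed_json_or_None).

    The token goes in as the Basic-auth username with an empty password,
    which is how SonarQube user tokens are presented (same as curl -u "TOKEN:").
    Network failures (DNS, refused, timeout) propagate as OSError subclasses.
    """
    req = urllib.request.Request(f"{host.rstrip('/')}/{path}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as e:
        try:
            return e.code, json.loads(e.read() or b"null")
        except ValueError:
            return e.code, None


def diagnose(host, project_key, token, fetch=default_fetch):
    """Return [(check, ok, detail), ...]; stops at the first failing check."""
    report = []
    try:
        status, body = fetch(host, "api/authentication/validate", token)
    except OSError as e:  # includes socket.timeout and urllib.error.URLError
        return [("reachable", False, f"cannot connect: {e}")]
    report.append(("reachable", True, f"HTTP {status}"))

    # A bad token is rejected either as HTTP 401 or as {"valid": false}.
    valid = status == 200 and bool(body) and body.get("valid") is True
    report.append(("token_valid", valid, "token accepted" if valid else f"token rejected (HTTP {status})"))
    if not valid:
        return report

    status, body = fetch(host, f"api/components/show?component={project_key}", token)
    if status != 200:
        errors = (body or {}).get("errors") or [{}]
        report.append(("project_exists", False, errors[0].get("msg", f"HTTP {status}")))
        return report
    report.append(("project_exists", True, body["component"]["key"]))

    status, body = fetch(host, f"api/project_branches/list?project={project_key}", token)
    main = next((b for b in (body or {}).get("branches", []) if b.get("isMain")), None)
    analysed = bool(main and main.get("analysisDate"))
    report.append(("default_branch_analysed", analysed,
                   f"{main['name']} @ {main.get('analysisDate')}" if main else "no main branch"))
    if not analysed:
        return report

    status, body = fetch(host, f"api/measures/component?component={project_key}&metricKeys=ncloc,coverage", token)
    found = sorted(m["metric"] for m in (body or {}).get("component", {}).get("measures", []) if "value" in m)
    report.append(("metrics_present", bool(found), ",".join(found) or "no measures on default branch"))
    return report


# --- Constructed responses so the checks run offline -------------------------
SAMPLE_TOKEN = "squ_sample"
SAMPLE_RESPONSES = {
    "api/authentication/validate": (200, {"valid": True}),
    "api/components/show?component=payments-api":
        (200, {"component": {"key": "payments-api", "name": "payments-api"}}),
    "api/components/show?component=com.example:payments-api":
        (404, {"errors": [{"msg": "Component key 'com.example:payments-api' not found"}]}),
    "api/project_branches/list?project=payments-api":
        (200, {"branches": [{"name": "main", "isMain": True, "analysisDate": "2024-05-10T09:15:00+0000"}]}),
    "api/measures/component?component=payments-api&metricKeys=ncloc,coverage":
        (200, {"component": {"key": "payments-api",
                             "measures": [{"metric": "ncloc", "value": "18342"},
                                          {"metric": "coverage", "value": "83.4"}]}}),
}


def fake_fetch(host, path, token):
    """Serve SAMPLE_RESPONSES; any other token is rejected with 401."""
    if token != SAMPLE_TOKEN:
        return 401, {"errors": [{"msg": "Unauthorized"}]}
    return SAMPLE_RESPONSES[path]


def timeout_fetch(host, path, token):
    """Stand-in for an instance Cortex cannot reach."""
    raise socket.timeout("timed out")


if __name__ == "__main__":
    for key, token in (("payments-api", SAMPLE_TOKEN), ("com.example:payments-api", SAMPLE_TOKEN), ("payments-api", "bad")):
        print(key, token, diagnose("https://sonar.example.internal", key, token, fetch=fake_fetch))
```

Against a real instance, call diagnose with your host, project key and token and the default fetcher; run it from a host that shares the network path Cortex (or your proxy) uses, otherwise a passing "reachable" check says nothing about what Cortex sees.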

What if I want to send custom data, but I don't have control over the integration touchpoint?

If you don't have control of or access to the integration touchpoint (for example, if you're using a SonarQube notification webhook), use the API to send custom data instead. See the Custom webhook integrations and Custom Data API documentation for how to send data to a custom data webhook.

Why might I see the SonarQube connection error Component key not found?

For SonarQube (and all integrations), Cortex maps the entity tag defined in the cortex.yaml for a given entity. For SonarQube specifically, the tag must exactly match the project key in SonarQube. If these are not one-to-one, use the entity descriptor override detailed above to define the proper mapping between project key and entity.

Why might I see the error Sonarqube: Fail to request url on my integration page or a validity check failed error while creating a Workflow?

This can happen if the TLS certificate on your SonarQube instance's external hostname has expired. Ensure that any certificates you're using are valid and that the server presents the full certificate chain.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don't have a Slack channel? Talk with your Customer Success Manager.

Email: help@cortex.io, or open a support ticket in the in-app Resource Center