Skip to content

Implement Code Scanning with Pipelines

The source code in the code repository, as the original form of software, its security flaws are the direct root cause of software vulnerabilities. Therefore, discovering security flaws in the source code through code scanning analysis is an important method to reduce potential vulnerabilities in software.

For example, SonarQube is an automatic code review tool used to detect bugs in project code and improve test coverage, etc. It can be integrated with existing workflows in the project for continuous code checks between project branches and pull requests.

This article will introduce how to integrate SonarQube into the pipeline to implement code scanning capabilities.

Integrate SonarQube by workspace

Please ensure that you have a SonarQube environment and that it is network-connected with the current environment without any problems.

  1. Enter the Toolchain Integration page, click the Toolchain Integration button.

    Toolchain Integration

  2. Refer to the following instructions to configure the relevant parameters:

    • Tools: Choose a toolchain type for integration.
    • Integration Name: The name of the integrated tool, must not be duplicated.
    • SonarQube Address: The address that can access the toolchain, starting with a domain name or IP address that starts with http://, https://.
    • Token: Generate an administrator token (Token) in SonarQube, the operation path is: My Account -> Profile -> Security -> Generate -> Copy

    Configure Parameters

  3. Click OK to return to the toolchain list page after successful integration.

Creating a pipeline

  1. On the pipeline page, click Create Pipeline.

    Create Pipeline

  2. Choose Create a custom pipelines.

    Custom Pipelines

  3. Enter a name, use the other default values, and click OK.

    Confirm Creation

Editing pipeline

  1. Click a pipeline to enter its details page, and click Edit Pipeline in the upper right corner.

    Edit Pipeline

  2. Configure global settings:

    Global Settings

  3. Define stage one git clone in the graphical interface as follows:

    Git Clone

  4. Define stage two SonarQube analysis in the graphical interface as follows:

  5. SonarQube Instance: Select the SonaQube instance integrated in the above steps.

  6. Code Language: Since different code languages correspond to different SonaQube scan commands, if the language is Java, please select Maven, otherwise select others. In this example, we choose others.
  7. Project: Define the project to be scanned in SonarQube

  8. Scan Files: The directory address of the file in the code repository that needs to be scanned

    SonarQube Analysis

    Edit Stage

  9. Save and immediately run the pipeline, and wait for the pipeline to run successfully.

Viewing code scanning results

  1. After the pipeline runs successfully, click Code Quality Check on the pipeline details page.

    Code Quality Check

  2. View the code scanning results, click View More to go to the SonarQube backend to view more scanning information.

Comments