Integrating SonarQube Community Branch Plugin for Multi‑Branch Scanning and Pull Request Support
This guide explains how to install the SonarQube Community Branch Plugin, configure multi‑branch scanning, and integrate pull‑request quality reports into GitLab CI pipelines using SonarQube settings and API commands.
When trying to attach SonarQube quality reports to merge requests, the original plugin stopped working after version 7; the newer SonarQube Community Branch Plugin (latest 1.3.0) restores this functionality and adds multi‑branch display.
Plugin installation: download the release from GitHub, place the JAR file into the extensions/plugins and lib/common directories of SonarQube, ensure the plugin has the necessary permissions, then restart SonarQube.
Multi‑branch support: the community edition only scans the master branch, but this plugin enables scanning of multiple branches, generating separate quality reports for each branch, which simplifies management compared to creating separate projects per branch.
To scan a specific branch, add the parameter -Dsonar.branch.name to the SonarScanner command. An example GitLab CI snippet is shown below:
.codeanalysis-java:
  stage: code_analysis
  tags:
    - build
  script:
    # Print the merge request variables for debugging (empty outside merge request pipelines)
    - echo $CI_MERGE_REQUEST_IID $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
    # sonar.branch.name (last parameter) selects the branch the report is filed under
    - "$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectKey=${CI_PROJECT_NAME} \
      -Dsonar.projectName=${CI_PROJECT_NAME} \
      -Dsonar.projectVersion=${CI_COMMIT_REF_NAME} \
      -Dsonar.ws.timeout=30 \
      -Dsonar.projectDescription=${CI_PROJECT_TITLE} \
      -Dsonar.links.homepage=${CI_PROJECT_URL} \
      -Dsonar.sources=${SCAN_DIR} \
      -Dsonar.sourceEncoding=UTF-8 \
      -Dsonar.java.binaries=target/classes \
      -Dsonar.java.test.binaries=target/test-classes \
      -Dsonar.java.surefire.report=target/surefire-reports \
      -Dsonar.branch.name=${CI_COMMIT_REF_NAME}"
  artifacts:
    paths:
      - "$ARTIFACT_PATH"
Pull Request integration: configure the SonarQube UI under Settings → Pull Request → Provider = GitlabServer, providing the GitLab token and server URL. The same settings can be applied via the API using curl commands:
# A SonarQube user token is sent as the basic-auth username with an empty password, hence the trailing colon.
# Key and value go in the POST body, so the GitLab token is not written into the request URL.
curl -u "$SONAR_API_TOKEN:" -X POST "http://sonarqube.example.com/api/settings/set" --data-urlencode "key=sonar.pullrequest.provider" --data-urlencode "value=GitlabServer"
curl -u "$SONAR_API_TOKEN:" -X POST "http://sonarqube.example.com/api/settings/set" --data-urlencode "key=com.github.mc1arke.sonarqube.plugin.branch.pullrequest.gitlab.url" --data-urlencode "value=http://gitlab.example.com"
curl -u "$SONAR_API_TOKEN:" -X POST "http://sonarqube.example.com/api/settings/set" --data-urlencode "key=com.github.mc1arke.sonarqube.plugin.branch.pullrequest.gitlab.token" --data-urlencode "value=$GITLAB_TOKEN"
In the GitLab CI job, add the following SonarScanner parameters to pass pull‑request metadata:
script:
  - "$SCANNER_HOME/bin/sonar-scanner \
    -Dsonar.projectKey=${CI_PROJECT_NAME} \
    -Dsonar.projectName=${CI_PROJECT_NAME} \
    -Dsonar.projectVersion=${CI_COMMIT_REF_NAME} \
    -Dsonar.ws.timeout=30 \
    -Dsonar.projectDescription=${CI_PROJECT_TITLE} \
    -Dsonar.links.homepage=${CI_PROJECT_URL} \
    -Dsonar.sources=${SCAN_DIR} \
    -Dsonar.sourceEncoding=UTF-8 \
    -Dsonar.java.binaries=target/classes \
    -Dsonar.java.test.binaries=target/test-classes \
    -Dsonar.java.surefire.report=target/surefire-reports \
    -Dsonar.pullrequest.key=${CI_MERGE_REQUEST_IID} \
    -Dsonar.pullrequest.branch=${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} \
    -Dsonar.pullrequest.base=${CI_MERGE_REQUEST_TARGET_BRANCH_NAME} \
    -Dsonar.gitlab.ref_name=${CI_COMMIT_REF_NAME} \
    -Dsonar.gitlab.commit_sha=${CI_COMMIT_SHA} \
    -Dsonar.gitlab.project_id=${CI_PROJECT_PATH} \
    -Dsonar.pullrequest.gitlab.repositorySlug=$CI_PROJECT_ID"
Limit the job to run only on merge requests by adding:
only:
  - merge_requests
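The branch job passes -Dsonar.branch.name and the merge request job passes the -Dsonar.pullrequest.* parameters. As an added example (not part of the original article or the plugin's own code), the shell function below picks one set or the other from GitLab's predefined variables, so a single job definition can serve both pipeline types. The function name sonar_scope_args and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. sonar_scope_args is a
# hypothetical helper: it prints one scanner argument per line, using the
# pull request parameters in a merge request pipeline and sonar.branch.name
# otherwise, so the two modes are never mixed in one analysis.
sonar_scope_args() {
  if [ -n "${CI_MERGE_REQUEST_IID:-}" ]; then
    # GitLab merge request IIDs are plain integers; refuse anything else.
    case "$CI_MERGE_REQUEST_IID" in
      *[!0-9]*) echo "unexpected merge request IID" >&2; return 1 ;;
    esac
    if [ -z "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-}" ] ||
       [ -z "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-}" ]; then
      echo "merge request branch variables are missing" >&2
      return 1
    fi
    printf '%s\n' \
      "-Dsonar.pullrequest.key=${CI_MERGE_REQUEST_IID}" \
      "-Dsonar.pullrequest.branch=${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" \
      "-Dsonar.pullrequest.base=${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}"
  elif [ -n "${CI_COMMIT_REF_NAME:-}" ]; then
    # Ordinary branch pipeline: file the report under the branch name.
    printf '%s\n' "-Dsonar.branch.name=${CI_COMMIT_REF_NAME}"
  else
    echo "no branch or merge request context available" >&2
    return 1
  fi
}

# Constructed sample values standing in for GitLab's predefined variables.
( CI_MERGE_REQUEST_IID=42
  CI_MERGE_REQUEST_SOURCE_BRANCH_NAME=feature/login
  CI_MERGE_REQUEST_TARGET_BRANCH_NAME=master
  sonar_scope_args )
( unset CI_MERGE_REQUEST_IID; CI_COMMIT_REF_NAME=develop; sonar_scope_args )
```

In a bash job script, read the output into an array with `mapfile -t scope < <(sonar_scope_args)` and pass `"${scope[@]}"` to sonar-scanner next to the shared parameters.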
DevOps Cloud Academy