The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Howto scan your project with SonarQube

Supported languages covered in this guide:

  • TypeScript
  • (more to come: JavaScript, Java, Python, …)

Refer to the SonarQube documentation for the full list of supported languages and analyzers.

Prerequisites

Complete these steps before configuring the pipeline, regardless of the language or component used.

Create the project in SonarQube

Before running the pipeline, make sure a SonarQube project is ready to receive the analysis. If the project is missing and auto-provisioning is not enabled, the server-side Compute Engine task fails immediately with no useful error message.

Note

Automatic project provisioning may be enabled on your instance: the project is then created automatically on the first scan. Creating the project manually in advance is still recommended so you can apply a custom configuration (project key, main branch, visibility, quality profiles, …).

Follow the procedure described in SonarQube - Initial Setup and Configuration to create and configure your project.

Generate a SonarQube token

The scanner authenticates with SonarQube using a Project Analysis Token, scoped to a single project, following the least-privilege principle. Follow the SonarQube - Secrets & Tokens guide to create it, then store it as a masked CI/CD variable in GitLab (the variable name is given in each language section below).

Configure the Quality Gate (optional)

By default, the CI job waits for the SonarQube analysis to complete and fails if the Quality Gate is not passed. You can skip this step and rely on the default gate, or configure a dedicated one by following SonarQube - Add Quality Profile .

TypeScript

Setup

In Settings > CI/CD > Variables , add a masked variable named CICD_NPM_SONAR_AUTHTOKEN with your SonarQube token as value. This variable cannot be passed as a component input: it must be a CI/CD variable.

Pipeline configuration

Note

Use Node.js 22 (LTS). Node 18 is not supported by this component’s runner image (glibc incompatibility). Node 24 has not been validated for this component.

include:
  - project: nextgen-cicd/config
    file: config.yml
  - component: $CI_SERVER_FQDN/nextgen-cicd/catalog/step/nodejs/sonar@2.1.4
    inputs:
      job_name: sonar-scan
      stage: code-quality
      sonarqube_project_key: GBU_BL_my-app   # project key defined in SonarQube (prerequisite 1)
      sonarqube_server_url: $SONARQUBE_SERVER_URL  # URL of your SonarQube instance
      node_version: "22.13.1"
      npm_version: "10.9.1"

stages:
  - code-quality

Make sure shared runners are enabled for your project ( Settings > CI/CD > Runners ). Commit and push: the sonar-scan job will run on the next pipeline execution.