version v7.2.
For up-to-date documentation, see the
latest version.
Howto scan your project with SonarQube
2 minute read
Supported languages covered in this guide:
- TypeScript
- (more to come: JavaScript, Java, Python, …)
Refer to the SonarQube documentation for the full list of supported languages and analyzers.
Prerequisites
Complete these steps before configuring the pipeline, regardless of the language or component used.
Create the project in SonarQube
Before running the pipeline, make sure a SonarQube project is ready to receive the analysis. If the project is missing and auto-provisioning is not enabled, the server-side Compute Engine task fails immediately with no useful error message.
Automatic project provisioning may be enabled on your instance: the project is then created automatically on the first scan. Creating the project manually in advance is still recommended so you can apply a custom configuration (project key, main branch, visibility, quality profiles, …).
Follow the procedure described in SonarQube - Initial Setup and Configuration to create and configure your project.
Generate a SonarQube token
The scanner authenticates with SonarQube using a Project Analysis Token, scoped to a single project, following the least-privilege principle. Follow the SonarQube - Secrets & Tokens guide to create it, then store it as a masked CI/CD variable in GitLab (the variable name is given in each language section below).
Configure the Quality Gate (optional)
By default, the CI job waits for the SonarQube analysis to complete and fails if the Quality Gate is not passed. You can skip this step and rely on the default gate, or configure a dedicated one by following SonarQube - Add Quality Profile .
TypeScript
- SonarQube documentation: JavaScript & TypeScript
- GitLab component:
nextgen-cicd/catalog/step/nodejs/sonar, scan step from the NextGen CICD InnerSource project
Setup
In
Settings > CI/CD > Variables
, add a masked variable named
CICD_NPM_SONAR_AUTHTOKEN with your SonarQube token as value.
This variable cannot be passed as a component input: it must be a CI/CD variable.
Pipeline configuration
Use Node.js 22 (LTS). Node 18 is not supported by this component’s runner image (glibc incompatibility). Node 24 has not been validated for this component.
include:
- project: nextgen-cicd/config
file: config.yml
- component: $CI_SERVER_FQDN/nextgen-cicd/catalog/step/nodejs/sonar@2.1.4
inputs:
job_name: sonar-scan
stage: code-quality
sonarqube_project_key: GBU_BL_my-app # project key defined in SonarQube (prerequisite 1)
sonarqube_server_url: $SONARQUBE_SERVER_URL # URL of your SonarQube instance
node_version: "22.13.1"
npm_version: "10.9.1"
stages:
- code-quality
Make sure shared runners are enabled for your project (
Settings > CI/CD > Runners
).
Commit and push: the sonar-scan job will run on the next pipeline execution.