Question
I am new to BitBucket and have inherited a project, now trying to get up to speed and code-complete. We have a DevSecOps pipeline using BitBucket as SCM, SonarQube as our static analysis engine and either Maven or Jenkins, depending on dev team preference. Java is the development language.
My Tech Lead would like to prevent a merge of a pull request if there are Critical or High issues found in the SonarQube analysis of code in the pull request. So, I am looking for a way to trigger a SonarQube scan on a pull request and, if it fails (Critical issue found), the merge is not allowed to go through or some notification is sent. There is also hope that issues that pre-existed on the branch would not trigger the notification (legacy issues don't break merge requests).
I see plugins for BitBucket that are "pull-request decorators" but they lack documentation (open source ones do, anyway).
Answer 1:
The tool which definitely suits your case is Sonar for Bitbucket.
It integrates well into a build pipeline with Jenkins and SonarQube. Additionally, for triggering your analysis I recommend using the plugin pullrequest-notifier, which allows you to react to special "pullrequest" events only; this can reduce the number of your builds heavily when it comes to Sonar analysis for feature branches.
Regarding Sonar for Bitbucket:
Just for completeness: SonarQube does not recommend doing branch analysis for feature branches at the moment, as this will generate a separate project on SonarQube for each project and each analysed branch. Sonar for Bitbucket will clean those up.
In the future there will be a change, which seems to have been presented already at the SonarSource City Tour. When this change goes live, you will be able to do analyses in a more "branchy" style!
Answer 2:
You may do static code analysis on the feature branches, in Jenkins, and report to Bitbucket Server with Violation Comments To Bitbucket Server Plugin.
There are also a bunch of other Gradle and Maven plugins to take care of violations found.
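The merge-gate logic the question asks for, written out as an added example; it is not part of the original question or answers and is not the code of any plugin named above. It assumes the CI job (for instance the Jenkins analysis from Answer 2) has already fetched two responses from SonarQube's `/api/issues/search` endpoint, one for the target branch and one for the pull-request branch. The endpoint is real, but the JSON payloads, issue keys, file names and messages below are constructed for the example, and mapping the question's "Critical or High" onto SonarQube's BLOCKER and CRITICAL severities is an assumption.

```python
"""Gate a pull request on new SonarQube issues of blocking severity.

Assumed flow (not from the original post): the pipeline runs two analyses and
fetches each result from SonarQube's /api/issues/search endpoint, once for the
target branch (the baseline) and once for the pull-request branch. Issues that
already existed in the baseline are ignored, so legacy findings do not block
the merge; only findings the pull request introduces do.
"""
import json
import sys

# SonarQube severities are BLOCKER, CRITICAL, MAJOR, MINOR and INFO; the top two
# are treated here as the "Critical or High" findings to block on (assumption).
BLOCKING_SEVERITIES = frozenset({"BLOCKER", "CRITICAL"})
# Issue statuses that still count as live findings.
OPEN_STATUSES = frozenset({"OPEN", "REOPENED", "CONFIRMED"})

# Constructed sample data. The shape follows /api/issues/search output; every
# key, file name and message below is invented for this example.
TARGET_BRANCH_RESPONSE = json.dumps({
    "total": 2,
    "issues": [
        {"key": "AV-legacy-1", "severity": "CRITICAL", "status": "OPEN",
         "component": "demo:src/main/java/app/LegacyDao.java", "line": 88,
         "message": "Use try-with-resources or close this Connection."},
        {"key": "AV-legacy-2", "severity": "MAJOR", "status": "OPEN",
         "component": "demo:src/main/java/app/Util.java", "line": 12,
         "message": "Remove this unused private field."},
    ],
})

PULL_REQUEST_RESPONSE = json.dumps({
    "total": 4,
    "issues": [
        # Pre-existing critical issue: present in the baseline, must not block.
        {"key": "AV-legacy-1", "severity": "CRITICAL", "status": "OPEN",
         "component": "demo:src/main/java/app/LegacyDao.java", "line": 88,
         "message": "Use try-with-resources or close this Connection."},
        # New, but only MAJOR: reported by SonarQube, not blocking here.
        {"key": "AV-new-1", "severity": "MAJOR", "status": "OPEN",
         "component": "demo:src/main/java/app/Feature.java", "line": 30,
         "message": "Refactor this method to reduce its cognitive complexity."},
        # New BLOCKER introduced by the pull request: blocks the merge.
        {"key": "AV-new-2", "severity": "BLOCKER", "status": "OPEN",
         "component": "demo:src/main/java/app/Feature.java", "line": 57,
         "message": "Make sure this SQL query is not vulnerable to injection."},
        # New CRITICAL already resolved in SonarQube (e.g. false positive).
        {"key": "AV-new-3", "severity": "CRITICAL", "status": "RESOLVED",
         "resolution": "FALSE-POSITIVE",
         "component": "demo:src/main/java/app/Feature.java", "line": 61,
         "message": "Make this field private."},
    ],
})


def issue_keys(response_json):
    """Return the set of issue keys from an /api/issues/search response."""
    return {issue["key"] for issue in json.loads(response_json).get("issues", [])}


def blocking_new_issues(response_json, baseline_keys,
                        blocking_severities=BLOCKING_SEVERITIES):
    """Return live issues of blocking severity whose key is absent from the baseline.

    'New' means the key was not seen in the target-branch scan; this is what
    keeps legacy findings from failing every pull request.
    """
    data = json.loads(response_json)
    return [
        issue for issue in data.get("issues", [])
        if issue.get("status") in OPEN_STATUSES
        and issue.get("severity") in blocking_severities
        and issue.get("key") not in baseline_keys
    ]


def merge_allowed(pr_response_json, target_response_json):
    """True when the pull request introduces no new BLOCKER/CRITICAL issue."""
    baseline = issue_keys(target_response_json)
    return not blocking_new_issues(pr_response_json, baseline)


def format_report(issues):
    """One line per blocking issue, suitable for a build log or a PR comment."""
    return "\n".join(
        f"[{i['severity']}] {i['component']}:{i.get('line', '?')} {i['message']}"
        for i in issues
    )


if __name__ == "__main__":
    baseline = issue_keys(TARGET_BRANCH_RESPONSE)
    blocking = blocking_new_issues(PULL_REQUEST_RESPONSE, baseline)
    if blocking:
        print("Merge blocked by new issues:\n" + format_report(blocking))
        sys.exit(1)  # non-zero exit fails the CI build that Bitbucket can require
    print("No new blocking issues; merge may proceed.")
```

Run as a build step after the two analyses, the script exits non-zero exactly when the pull request adds a BLOCKER or CRITICAL issue, so a Bitbucket merge check that requires a successful build gives the behaviour the question describes. Comparing issue keys against the target branch is what makes pre-existing findings harmless: the legacy CRITICAL in the sample is present in both scans and is skipped, while the new BLOCKER is the only line in the report.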
Source: https://stackoverflow.com/questions/46428486/sonarqube-and-bitbucket-integration-on-pull-request