SonarQube and BitBucket Integration on Pull Request


Question

I am new to BitBucket and have inherited a project, now trying to get up to speed and code-complete. We have a DevSecOps pipeline using BitBucket as SCM, SonarQube as our static analysis engine, and either Maven or Jenkins, depending on dev team preference. Java is the development language.

My Tech Lead would like to prevent a merge of a pull request if there are Critical or High issues found in the SonarQube analysis of code in the pull request. So, I am looking for a way to trigger a SonarQube scan on a pull request and, if it fails (Critical issue found), the merge is not allowed to go through or some notification is sent. There is hope also that issues that pre-existed on the branch would not trigger the notification (legacy issues don't break merge requests).

I see plugins for BitBucket that are "pull-request decorators", but they lack documentation (the open source ones do, anyway).

Answer

The tool which definitely suits your case is Sonar for Bitbucket.

It integrates well into a build pipeline with Jenkins and SonarQube. Additionally, for triggering your analysis I recommend using the plugin pullrequest-notifier, which allows you to react to special "pullrequest" events only -> this can reduce the amount of your builds heavily when it comes to Sonar analysis for feature branches.

Just as a piece of complete information! SonarQube does not recommend doing branch analysis at the moment for feature branches, as this will generate a separate project on SonarQube for each project and each analysed branch. Sonar for Bitbucket will clean those up.

In the future there will be a change, which seems to have been presented already at the SonarSource City Tour. When this change goes live, you will be able to do analyses in a more "branchy" style!
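Whichever plugin triggers the scan, the merge gate itself comes down to one question: after the pull request's analysis has been processed, does the project carry any unresolved BLOCKER/CRITICAL issues that were not already present on the target branch? The script below is an added example, not code from the question, the answer, Sonar for Bitbucket or pullrequest-notifier. It queries SonarQube's `api/issues/search` web API with the `componentKeys`, `severities`, `resolved` and `sinceLeakPeriod` parameters (parameter names as I understand them from SonarQube 6.x/7.x; confirm against your server's `/web_api` page), then applies a second, client-side filter against a set of issue keys taken from the target branch's analysis, so legacy issues never fail the build even if no leak period is configured. "Critical or High" is mapped to SonarQube's `BLOCKER` and `CRITICAL` severities, which is an assumption on my part since SonarQube has no "High". The sample response and the baseline key set are constructed for the demonstration; the network call is only used when the script is run with a real server.

```python
"""Fail a CI step when a pull request's SonarQube analysis introduces new BLOCKER/CRITICAL issues.

Added example; not code from the original page, SonarQube, or any Bitbucket plugin.
Intended to run after `mvn sonar:sonar` (or the Jenkins scanner step) has completed.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request
from typing import Dict, FrozenSet, Iterable, List

# Assumption: "Critical or High" in the question maps to these two SonarQube severities.
BLOCKING_SEVERITIES = ("BLOCKER", "CRITICAL")


def build_issue_query(project_key: str, page: int = 1, page_size: int = 500) -> Dict[str, str]:
    """Query parameters for api/issues/search: unresolved blocking issues since the leak period."""
    return {
        "componentKeys": project_key,
        "severities": ",".join(BLOCKING_SEVERITIES),
        "resolved": "false",
        "sinceLeakPeriod": "true",   # server-side "new code only" filter (needs a leak period configured)
        "ps": str(page_size),
        "p": str(page),
    }


def new_blocking_issues(issues: Iterable[dict], baseline_keys: FrozenSet[str] = frozenset()) -> List[dict]:
    """Client-side filter: keep blocking, unresolved issues whose key was not seen on the target branch.

    This is the 'legacy issues do not break the merge' rule, applied even when the server has no
    leak period, so it must not rely on sinceLeakPeriod alone.
    """
    return [
        issue
        for issue in issues
        if issue.get("severity") in BLOCKING_SEVERITIES
        and not issue.get("resolution")          # drop issues marked WONTFIX / FALSE-POSITIVE
        and issue.get("key") not in baseline_keys
    ]


def merge_allowed(issues: Iterable[dict], baseline_keys: FrozenSet[str] = frozenset()) -> bool:
    """True when the pull request introduces no new blocking issue."""
    return not new_blocking_issues(issues, baseline_keys)


def format_report(issues: Iterable[dict]) -> str:
    """One line per issue, file:line first, so it reads well in a Jenkins console or PR comment."""
    lines = []
    for issue in issues:
        path = issue.get("component", "?").split(":")[-1]   # component key is "project:path/to/File.java"
        lines.append(f"{path}:{issue.get('line', '?')} [{issue.get('severity')}] {issue.get('rule')} - {issue.get('message')}")
    return "\n".join(lines)


def fetch_issues(base_url: str, project_key: str, token: str = None) -> List[dict]:
    """Page through api/issues/search on a real server. Not exercised offline."""
    collected: List[dict] = []
    page = 1
    while True:
        url = f"{base_url.rstrip('/')}/api/issues/search?" + urllib.parse.urlencode(build_issue_query(project_key, page))
        req = urllib.request.Request(url)
        if token:  # SonarQube user tokens go in as the Basic-auth username with an empty password
            req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.load(resp)
        collected.extend(data.get("issues", []))
        paging = data.get("paging", {})
        if page * paging.get("pageSize", len(collected) or 1) >= paging.get("total", 0):
            return collected
        page += 1


# Constructed sample: what one page of api/issues/search might return for the PR's project.
SAMPLE_RESPONSE = {
    "total": 3,
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "issues": [
        {"key": "AWx1", "rule": "squid:S2068", "severity": "CRITICAL", "line": 42,
         "component": "com.example:app:src/main/java/com/example/Db.java",
         "message": "Remove this hard-coded password."},
        {"key": "AWx2", "rule": "squid:S1481", "severity": "MINOR", "line": 10,
         "component": "com.example:app:src/main/java/com/example/Util.java",
         "message": "Remove this unused local variable."},
        {"key": "AWx3", "rule": "squid:S2076", "severity": "BLOCKER", "line": 77,
         "component": "com.example:app:src/main/java/com/example/Shell.java",
         "message": "Make sure that this OS command is safe here."},
    ],
}
# Constructed baseline: issue keys already reported on the target branch (AWx3 is a legacy issue).
BASELINE_KEYS = frozenset({"AWx3"})

if __name__ == "__main__":
    offending = new_blocking_issues(SAMPLE_RESPONSE["issues"], BASELINE_KEYS)
    print(format_report(offending) or "no new blocking issues")
    sys.exit(0 if not offending else 1)   # non-zero exit fails the CI step and so blocks the merge
```

Run after the scan as the last step of the PR build; a non-zero exit is what the CI job (and therefore a "builds must pass" merge check in Bitbucket) reacts to. Populate the baseline by running the same query once against the target branch's project and collecting the `key` values, or drop the baseline and rely on `sinceLeakPeriod` if your server has a leak period configured.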

