SonarQube and BitBucket Integration on Pull Request


Question

I am new to BitBucket and have inherited a project, now trying to get up to speed and code-complete. We have a DevSecOps pipeline using BitBucket as SCM, SonarQube as our static analysis engine and either Maven or Jenkins, depending on dev team preference. Java is the development language.

My Tech Lead would like to prevent a merge of a pull request if there are Critical or High issues found in the SonarQube analysis of code in the pull request. So, I am looking for a way to trigger a SonarQube scan on a pull request and, if it fails (Critical issue found), the merge is not allowed to go through or some notification is sent. There is hope also that issues that pre-existed on the branch would not trigger the notification (legacy issues don't break merge requests).

I see plugins for BitBucket that are "pull-request decorators" but they lack documentation (open source ones do, anyway).

Answer

The tool which definitely suits your case is Sonar for Bitbucket.

It integrates well into a build pipeline with Jenkins and SonarQube. Additionally, for triggering your analysis I recommend using the plugin pullrequest-notifier, which allows you to react to special "pullrequest" events only -> this can reduce the amount of your builds heavily when it comes to Sonar analysis for feature branches.

Just as complete information: SonarQube does not recommend doing branch analysis at the moment for feature branches, as this will generate a separate project on SonarQube for each project and each analysed branch. Sonar for Bitbucket will clean those up.

In the future there will be a change, which seems to have been presented already at the SonarSource City Tour. When this change goes live, you will be able to do analyses in a more "branchy" style!
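The merge check the question asks for, as an added example that is not part of the question, the answer, or the Sonar for Bitbucket and pullrequest-notifier plugins: a small gate script a Jenkins or Maven build step could run after the pull-request analysis. It assumes the layout the answer describes (the pull-request branch and its target branch analysed as two separate SonarQube projects), reads the public SonarQube Web API endpoint `/api/issues/search`, and fails the build only for BLOCKER/CRITICAL issues that the target branch does not already have, so legacy findings do not block the merge. The project keys, host, token and issue payloads are constructed for the example.

```python
"""Merge gate for a pull-request SonarQube analysis.

Added example; not code from the question, the answer, or the Sonar for
Bitbucket / pullrequest-notifier plugins. It reads the public SonarQube
Web API endpoint /api/issues/search and assumes the layout the answer
describes: the pull-request branch and its target branch are analysed as
two separate SonarQube projects. Project keys and payloads are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request

# Severities that block a merge. The question says "Critical or High";
# SonarQube's scale is BLOCKER/CRITICAL/MAJOR/MINOR/INFO, so the two top
# levels are used here (assumption).
BLOCKING_SEVERITIES = frozenset({"BLOCKER", "CRITICAL"})


def fetch_open_issues(base_url, project_key, token, page_size=500):
    """Page through /api/issues/search and return every unresolved issue.

    Network helper for real use; the offline demo below never calls it.
    A SonarQube user token is sent as the basic-auth user name, empty password.
    """
    auth = base64.b64encode(f"{token}:".encode()).decode()
    issues, page = [], 1
    while True:
        query = urllib.parse.urlencode({"componentKeys": project_key,
                                        "resolved": "false",
                                        "p": page, "ps": page_size})
        req = urllib.request.Request(f"{base_url}/api/issues/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        issues.extend(body["issues"])
        if page * page_size >= body["total"]:  # the API caps p*ps at 10000
            return issues
        page += 1


def fingerprint(issue, project_key):
    """Identity of an issue that survives re-analysis in another project.

    Issue keys are assigned per project, so the branch project and the
    target-branch project never share them. Rule, file path (component key
    with the project prefix stripped) and message are stable across the two;
    the line number is left out because the pull request's diff shifts it.
    """
    component = issue["component"]
    prefix = project_key + ":"
    path = component[len(prefix):] if component.startswith(prefix) else component
    return (issue["rule"], path, issue["message"])


def new_blocking_issues(pr_issues, pr_project, base_issues, base_project,
                        severities=BLOCKING_SEVERITIES):
    """Blocking issues in the PR analysis that the target branch lacks.

    Filtering against the target branch is what keeps legacy issues from
    failing the merge: only findings introduced by the pull request remain.
    """
    legacy = {fingerprint(i, base_project) for i in base_issues}
    return [i for i in pr_issues
            if i["severity"] in severities
            and fingerprint(i, pr_project) not in legacy]


def merge_allowed(pr_issues, pr_project, base_issues, base_project):
    return not new_blocking_issues(pr_issues, pr_project, base_issues, base_project)


# Constructed project keys and /api/issues/search payloads, trimmed to the
# fields the gate uses (a real response carries many more).
BASE_PROJECT = "shop:master"
PR_PROJECT = "shop:PR-42"
BASE_ISSUES = [
    {"key": "AX1", "rule": "java:S2068", "severity": "BLOCKER",
     "component": "shop:master:src/main/java/Config.java", "line": 12,
     "message": "Remove this hard-coded password."},
    {"key": "AX2", "rule": "java:S1135", "severity": "INFO",
     "component": "shop:master:src/main/java/Util.java", "line": 3,
     "message": "Complete the task associated to this TODO comment."},
]
PR_ISSUES = [
    # Same legacy hard-coded password, moved three lines down by the diff.
    {"key": "BX1", "rule": "java:S2068", "severity": "BLOCKER",
     "component": "shop:PR-42:src/main/java/Config.java", "line": 15,
     "message": "Remove this hard-coded password."},
    # New, but MAJOR: reported, not blocking.
    {"key": "BX2", "rule": "java:S1481", "severity": "MAJOR",
     "component": "shop:PR-42:src/main/java/OrderDao.java", "line": 20,
     "message": "Remove this unused \"rows\" local variable."},
    # New CRITICAL finding introduced by the pull request: blocks the merge.
    {"key": "BX3", "rule": "java:S2077", "severity": "CRITICAL",
     "component": "shop:PR-42:src/main/java/OrderDao.java", "line": 27,
     "message": "Make sure using a dynamically formatted SQL query is safe here."},
]

if __name__ == "__main__":
    for issue in new_blocking_issues(PR_ISSUES, PR_PROJECT, BASE_ISSUES, BASE_PROJECT):
        print(f"{issue['severity']} {issue['component']}:{issue['line']} {issue['message']}")
    # A non-zero exit fails the Jenkins/Maven build step; Bitbucket's
    # "require successful build" merge check then blocks the merge.
    raise SystemExit(0 if merge_allowed(PR_ISSUES, PR_PROJECT, BASE_ISSUES, BASE_PROJECT) else 1)
```

Run with real data by replacing the two constructed lists with `fetch_open_issues(...)` calls for the pull-request project and the target-branch project. Matching on rule, path and message rather than issue key is the design choice that makes the "legacy issues don't break the merge" requirement work across two separate SonarQube projects; the cost is that a genuinely new issue with the same rule and message in the same file as an existing one is treated as legacy, which is the conservative side for a merge gate that should not block on pre-existing debt.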

