Home Explore Blog CI



docker
content/manuals/scout/integrations/code-quality/sonarqube.md
35f2e25dd11c22f9c5b6963e74be08e7cc109f8932acf42e0000000300000d65
---
title: Integrate Docker Scout with SonarQube
linkTitle: SonarQube
description: Evaluate your images with the SonarQube quality gates defined in your projects
keywords: scout, supply chain, integration, code quality
---

The SonarQube integration enables Docker Scout to surface SonarQube quality
gate checks through Policy Evaluation, under a new [SonarQube Quality Gates
Policy](/manuals/scout/policy/_index.md#sonarqube-quality-gates-policy).

## How it works

This integration uses [SonarQube
webhooks](https://docs.sonarsource.com/sonarqube/latest/project-administration/webhooks/)
to notify Docker Scout of when a SonarQube project analysis has completed. When
the webhook is called, Docker Scout receives the analysis results, and stores
them in the database.

When you push a new image to a repository, Docker Scout evaluates the results
of the SonarQube analysis record corresponding to the image. Docker Scout uses
Git provenance metadata on the images, from provenance attestations or an OCI
annotations, to link image repositories with SonarQube analysis results.

> [!NOTE]
>
> Docker Scout doesn't have access to historic SonarQube analysis records. Only
> analysis results recorded after the integration is enabled will be available
> to Docker Scout.

Both self-managed SonarQube instances and SonarCloud are supported.

## Prerequisites

To integrate Docker Scout with SonarQube, ensure that:

- Your image repository is [integrated with Docker Scout](../_index.md#container-registries).
- Your images are built with [provenance attestations](/manuals/build/metadata/attestations/slsa-provenance.md),
  or the `org.opencontainers.image.revision` annotation,
  containing information about the Git repository.

## Enable the SonarQube integration

1. Go to the [SonarQube integrations page](https://scout.docker.com/settings/integrations/sonarqube/)
   on the Docker Scout Dashboard.
2. In the **How to integrate** section, enter a configuration name for this
   integration. Docker Scout uses this label as a display name for the
   integration, and to name the webhook.
3. Select **Next**.
4. Enter the configuration details for your SonarQube instance. Docker Scout
   uses this information to create SonarQube webhook.

   In SonarQube, [generate a new **User token**](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/#generating-a-token).
   The token requires 'Administer' permission on the specified project, or
   global 'Administer' permission.

   Enter the token, your SonarQube URL, and the ID of your SonarQube
   organization. The SonarQube organization is required if you're using
   SonarCloud.

5. Select **Enable configuration**.

   Docker Scout performs a connection test to verify that the provided details
   are correct, and that the token has the necessary permissions.

6. After a successful connection test, you're redirected to the SonarQube
   integration overview, which lists all your SonarQube integrations and their
   statuses.

From the integration overview page, you can go directly to the
**SonarQube Quality Gates Policy**.
This policy will have no results initially. To start seeing evaluation results
for this policy, trigger a new SonarQube analysis of your project and push the
corresponding image to a repository. For more information, refer to the
[policy description](../../policy/_index.md#sonarqube-quality-gates).
Chunks
11a5aadb (1st chunk of `content/manuals/scout/integrations/code-quality/sonarqube.md`)
Title: Integrating Docker Scout with SonarQube
Summary
This document explains how to integrate Docker Scout with SonarQube to surface code quality gate checks through Policy Evaluation. It details the integration process, which involves using SonarQube webhooks to notify Docker Scout of project analysis completions. Docker Scout then links image repositories with SonarQube analysis results using Git provenance metadata. The guide outlines prerequisites, such as integrating the image repository with Docker Scout and building images with provenance attestations. It provides step-by-step instructions on enabling the integration via the Docker Scout Dashboard, including configuring the connection, providing a SonarQube user token with 'Administer' permissions, and testing the connection. Once enabled, users can trigger new SonarQube analyses and push corresponding images to view evaluation results.