diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 964799100f5f091c3cdd67e1523bdf8e6e30bfc1..72d8dcde5c67b2afb572c40f2e034d6266dea8f5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,15 @@
 stages:
 - build
-- quality
-
+- build-sonar
+- sonarqube-vulnerability-report
 - documentation
+image:
+ name: leadrien/isc-sonar-scanner-cli:latest
+ variables:
+ SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
+ GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
 default:
 image: node:lts-slim
@@ -18,4 +23,38 @@ build:
 script: npm run build
 artifacts:
 paths:
- - dist
\ No newline at end of file
+ - dist
+
+build-sonar:
+ stage: build-sonar
+
+ cache:
+ policy: pull-push
+ key: "sonar-cache-$CI_COMMIT_REF_SLUG"
+ paths:
+ - "${SONAR_USER_HOME}/cache"
+ - sonar-scanner/
+
+ script:
+ - sonar-scanner -Dsonar.host.url="${SONAR_HOST_URL}"
+ allow_failure: true
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $CI_COMMIT_BRANCH == 'master'
+ - if: $CI_COMMIT_BRANCH == 'main'
+ - if: $CI_COMMIT_BRANCH == 'develop'
+
+sonarqube-vulnerability-report:
+ stage: sonarqube-vulnerability-report
+ script:
+ - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=folly-breakout&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'
+ allow_failure: true
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $CI_COMMIT_BRANCH == 'master'
+ - if: $CI_COMMIT_BRANCH == 'main'
+ - if: $CI_COMMIT_BRANCH == 'develop'
+ artifacts:
+ expire_in: 1 day
+ reports:
+ sast: gl-sast-sonar-report.json
\ No newline at end of file
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000000000000000000000000000000000000..8e833fb60a5723709ea2f7bc68f3da7bf31ddc83
--- /dev/null
+++ b/sonar-project.properties
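Review bot: `name: leadrien/isc-sonar-scanner-cli:latest` pins the scanner to a mutable tag in a personal Docker Hub namespace, so whatever that tag points to on a given day runs with the full checkout and the job's CI variables; pin it by digest, `name: leadrien/isc-sonar-scanner-cli@sha256:<digest>`, or better, mirror it into a registry the project controls and pin there, with a one-line comment recording where the digest came from. The new top-level `image:` also collides with the existing `default: image: node:lts-slim` a few lines below: the top-level form is the deprecated global keyword and, as far as I recall, GitLab's config validation rejects a keyword defined both at top level and under `default:` (the lint error reads roughly `image is defined in top-level and default: entry`), so run the CI lint before merging. Since only `build-sonar` needs this image, the cleaner fix is to declare `image:` on that job and leave the default alone. Indentation is lost in this chunk, so I cannot tell whether `variables:` is nested under `image:` or sits at top level; `image` only accepts keys such as `name`, `entrypoint` and `pull_policy`, so it must be top-level.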
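Review bot: The `curl` in `sonarqube-vulnerability-report` runs without `--fail`, so a 401/403/404 from SonarQube (expired `SONAR_TOKEN`, wrong `projectKey`, missing permission) writes the error body into `gl-sast-sonar-report.json`, curl exits 0 and the job uploads that as the SAST report; change the script line to `curl -fsS -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=folly-breakout&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json` so a bad response fails the job visibly. `-u` also places the token in the process argument list on the runner host; passing it via `--netrc-file` or a `-K` config file created in the job (mode 0600, removed afterwards) avoids that, and `SONAR_HOST_URL` must be an https URL or the basic-auth header goes out in clear. Neither new job declares its own `image`, so both inherit the pipeline default; if `default: image: node:lts-slim` is the one that applies, `curl` is not installed in the slim image and this job dies on command-not-found, which `allow_failure: true` then hides. `SONAR_TOKEN` should be a masked and protected CI variable, and since the `merge_request_event` rule lets MR pipelines run these jobs, check the project's fork-pipeline settings so the token is not exposed to pipelines triggered by external contributors.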
@@ -0,0 +1,2 @@
+sonar.projectKey=folly-breakout
+sonar.qualitygate.wait=true
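Review bot: `sonar.qualitygate.wait=true` makes the scanner block until the quality gate result and fail on a red gate, but the `build-sonar` job that runs it is declared with `allow_failure: true` in `.gitlab-ci.yml`, so a failed gate becomes a warning and never blocks the pipeline or the merge; either drop `allow_failure` on `build-sonar` or drop this setting, because waiting for a verdict nobody acts on only lengthens the job. If the wait is kept, also set `sonar.qualitygate.timeout=300` explicitly so a slow or stuck background task on the server fails the job after a known bound rather than the runner timeout. `sonar.projectKey=folly-breakout` is repeated verbatim in the curl URL in `.gitlab-ci.yml`; not a defect, but a comment here, `# keep in sync with the projectKey in the gitlab_sast_export URL in .gitlab-ci.yml`, would save the next person who renames the project.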