Decorating a Pull Request — Jenkins + Bitbucket + SonarQube
This is a comprehensive guide for decorating a Bitbucket pull request with the output of a SonarQube scan completed within Jenkins.
In this guide I am using the following versions:
- Jenkins: 2.249.3
- SonarQube: 8.1 (Developer Edition)
- Bitbucket Server: 7.2.1
Jenkins Configuration
Before we can do any configuration, please make sure your Jenkins instance has the Bitbucket Branch Source Plugin installed.
- Create a new “Multibranch Pipeline”
- In the “Branch Sources” tab select “Add Source”
- Select “Bitbucket”
- Select a server — if you are using a custom Bitbucket Server make sure you add your private server. Jenkins will not be able to find your repository if you use the “Bitbucket Cloud” option. You can add your server on the main Jenkins plugin management page.
- Add your credentials
- Set the owner — the name of the Bitbucket Team, Bitbucket User Account, or Bitbucket Project (e.g. testuser in https://bitbucket.org/testuser/my-project/src/master/)
- Set the repository name — the name of the repository to scan (e.g. my-project in https://bitbucket.org/testuser/my-project/src/master/)
- At minimum, make sure “Discover pull requests from origin” is defined in the behaviors section — this behavior sends the CHANGE_ID environment variable to our pipeline so we can use it in the SonarQube scan.
- Hit “Save”
By now, Jenkins should be scanning your repository for branches, pull requests, and tags. No further Jenkins configuration is needed.
For more information on this configuration see these resources:
- https://docs.sonarqube.org/8.1/analysis/pr-decoration/
- https://www.jenkins.io/doc/book/pipeline/multibranch/
SonarQube
Scan Configuration
For pull request decoration to work you must provide the following keys in your scan:
- sonar.pullrequest.key
- sonar.pullrequest.branch
- sonar.pullrequest.base
Example:
// Define the keys
def prKey = "-Dsonar.pullrequest.key=${env.CHANGE_ID}"
def prBranch = "-Dsonar.pullrequest.branch=${env.CHANGE_BRANCH}"
def prBase = "-Dsonar.pullrequest.base=${env.CHANGE_TARGET}"

// Run the scan (scannerHome must already hold the path of the scanner installation)
sh "${scannerHome}/bin/sonar-scanner ${prKey} ${prBranch} ${prBase}"
I would not recommend adding these keys to your sonar-project.properties file because each pull request will be different. Allow Jenkins to pass in the params as they are created.
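The scan command above is assembled with Groovy string interpolation, so the pull request's branch name, which is chosen by whoever opens the PR, becomes part of the command text before the shell parses it. As an added example (not from the original post), here is a wrapper script that reads the three values from the environment, validates them, and only then passes them to the scanner. The script path, SCANNER_HOME, the "scan" argument and the allowlist of branch-name characters are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed pipeline call:
#   sh './ci/sonar-pr-scan.sh scan'   (single quotes: no Groovy interpolation)
# Jenkins exports CHANGE_ID, CHANGE_BRANCH and CHANGE_TARGET to the step's
# environment. SCANNER_HOME, the script path, the "scan" argument and the
# allowlist below are assumptions of this example.

# Succeeds only for non-empty names made of letters, digits and . _ / -
valid_ref() {
    case "$1" in
        '' | *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Prints one scanner argument per line. Prints nothing for a branch build
# (CHANGE_ID unset). Returns 2 if a pull request value fails validation.
sonar_pr_args() {
    [ -n "${CHANGE_ID:-}" ] || return 0
    case "$CHANGE_ID" in
        *[!0-9]*) echo "CHANGE_ID is not numeric" >&2; return 2 ;;
    esac
    for ref in "${CHANGE_BRANCH:-}" "${CHANGE_TARGET:-}"; do
        valid_ref "$ref" || { echo "rejected branch name" >&2; return 2; }
    done
    printf '%s\n' \
        "-Dsonar.pullrequest.key=$CHANGE_ID" \
        "-Dsonar.pullrequest.branch=$CHANGE_BRANCH" \
        "-Dsonar.pullrequest.base=$CHANGE_TARGET"
}

run_scan() {
    : "${SCANNER_HOME:?SCANNER_HOME is not set}"
    args=$(sonar_pr_args) || return $?
    # Validated values hold no whitespace or glob characters, so word
    # splitting yields exactly one word per argument.
    # shellcheck disable=SC2086
    "$SCANNER_HOME/bin/sonar-scanner" $args
}

case "${1:-}" in
    scan) run_scan ;;
esac
```

A branch name outside the allowlist fails the build with exit status 2 instead of reaching the scanner, so widen the allowlist if your team's naming scheme needs other characters.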
For more information, see here.
Server Configuration
- Navigate to your repository’s project
- Under the “administration” tab select “General Settings”
- On the left-hand side select “Pull Request Decoration”
- Add your repository details — if there is nothing to choose for the configuration name, you can add your server on SonarQube’s main administration page (Administration > Pull Request Decoration > Bitbucket Server).
- Save those changes
Bitbucket Configuration
This Bitbucket configuration is optional, but if you would like to block the merge of a PR based on your SonarQube Quality Gate do the following:
- Navigate to your repository settings
- Select “Code Insights”
- Requirement: com.sonarsource.sonarqube
- Required status: Must pass
- Annotation requirements: Must not have any annotations
- Click “Add”
And that’s it! Open a new pull request and watch as your PR is decorated with your SonarQube scan output.