SonarQube integration with DevOps Change Velocity
Connect to your SonarQube instance that is integrated with your CI/CD pipelines to retrieve code quality and code security results.
SonarQube integration overview
Sonar scans that are configured on GitHub Actions, Jenkins, and Azure DevOps pipelines are supported in DevOps Change Velocity. Both SonarCloud and SonarQube (on-premises) are supported.
You can view the code quality and code security summary results either in the related list of a Change Request or in the Task Execution of the pipeline in your ServiceNow instance. You can also use code quality and code security results to define change policies and conditions for change automation.
DevOps Change Velocity captures both overall and new code metrics.
Get started
- Navigate to .
- Enable the DevOps Non-Admin Software Quality Summary Flag property by selecting the Yes option.
On the SonarQube side, the following permissions are required.
- Admin PAT
  - Project-level access to your SonarQube instance to configure scans for all your projects.
- Non-admin PAT
  - Browse permission for GitHub, GitLab, and Azure DevOps pipelines, and Execute Analysis permission for Jenkins for the projects (both private and public) on which the scan is run.
  - A branch must be created in SonarQube before a non-admin user retrieves data into ServiceNow. For more information, see Branch Analysis.

    Note: You can set up branch analysis to enable SonarCloud to analyze branches in your projects apart from the main branch. You can’t set up or perform branch analysis on SonarQube community edition licenses. Upgrade to SonarQube Developer or Enterprise editions to set up branch analysis on SonarQube on-premises implementations.
The Sonar custom action and extension are available in the GitHub and Azure DevOps marketplaces, respectively. For Jenkins, the Sonar scan results are retrieved using the ServiceNow Jenkins plugin.
For more information on the scan results captured in ServiceNow, see Software Quality Results.
Use one of the following options to onboard SonarQube. For a guided experience, use the workspace to onboard a tool. Alternatively, you can use the Service Catalog or Classic experience.