Skip to main content

Synopsis

Report a SonarQube attestation to an artifact or a trail in a Kosli flow.
Retrieves results for the specified scan from SonarQube Cloud or SonarQube Server and attests them to Kosli. The results are parsed to find the status of the project’s quality gate which is used to determine the attestation’s compliance status. Both branch scans and pull request scans are supported.
The scan to be retrieved can be specified in three ways:
  1. (Default) Using metadata created by the Sonar scanner. By default this is located within a temporary .scannerwork folder in the repo base directory. If you have overriden the location of this folder by passing parameters to the Sonar scanner, or are running Kosli’s CLI locally outside the repo’s base directory, you can provide the correct path using the --sonar-working-dir flag. This metadata is generated by a specific scan, allowing Kosli to retrieve the results of that scan. If there are delays in the scan processing (either because the scanned project is very large, or because SonarQube is experiencing processing delays), it may happen that the scan results are not available by the time the attest sonar command is executed. In this case you can use the --max-wait flag to retry the command while waiting for the scan to be processed. This flag takes the maximum number of seconds to wait for the results to be available. The Kosli CLI will then attempt to retrieve the scan results until the maximum wait time is reached, with exponential backoff between retries. Once the results are available they are attested to Kosli as usual.
  2. Providing the Sonar project key and either the revision or the pull-request ID of the scan (plus the SonarQube server URL if relevant). For branch scans: if running the Kosli CLI in some CI/CD pipeline, the revision is defaulted to the commit SHA. If you are running the command locally, or have overriden the revision in SonarQube via parameters to the Sonar scanner, you can provide the correct revision using the --sonar-revision flag. For pull request scans: provide the pull-request ID using the --pull-request flag instead of the revision. Kosli then finds the scan results for the specified project key and revision or pull-request ID.
  3. Providing the CE task URL directly via --sonar-ce-task-url. The CE task URL can be found in the report-task.txt file generated by the Sonar scanner (the ceTaskUrl field). This is useful in CI/CD environments where the Sonar scanner and the Kosli CLI run in different containers that do not share a filesystem, making the report-task.txt file inaccessible to the CLI.
Note that if your project is very large and you are using SonarQube Cloud’s automatic analysis, it is possible for the attest sonar command to run before the SonarQube Cloud scan is completed. In this case, we recommend using Kosli’s Sonar webhook integration ( docs ) rather than the CLI to attest the scan results. The attestation can be bound to a trail using the trail name. The attestation can be bound to an artifact in two ways:
  • using the artifact’s SHA256 fingerprint which is calculated (based on the --artifact-type flag and the artifact name/path argument) or can be provided directly (with the --fingerprint flag).
  • using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.

Flags

Flags inherited from parent commands

Live Examples in different CI systems

View an example of the kosli attest sonar command in GitHub.In this YAML file, which created this Kosli Event.

Examples Use Cases

These examples all assume that the flags --api-token, --org, --host, (and --flow, --trail when required), are set/provided.
Last modified on June 18, 2026