Synopsis
Retrieves results for the specified scan from SonarQube Cloud or SonarQube Server and attests them to Kosli. The results are parsed to find the status of the project’s quality gate which is used to determine the attestation’s compliance status. Both branch scans and pull request scans are supported. The scan to be retrieved can be specified in three ways:
-
(Default) Using metadata created by the Sonar scanner. By default this is located within a temporary
.scannerworkfolder in the repo base directory. If you have overriden the location of this folder by passing parameters to the Sonar scanner, or are running Kosli’s CLI locally outside the repo’s base directory, you can provide the correct path using the--sonar-working-dirflag. This metadata is generated by a specific scan, allowing Kosli to retrieve the results of that scan. If there are delays in the scan processing (either because the scanned project is very large, or because SonarQube is experiencing processing delays), it may happen that the scan results are not available by the time the attest sonar command is executed. In this case you can use the--max-waitflag to retry the command while waiting for the scan to be processed. This flag takes the maximum number of seconds to wait for the results to be available. The Kosli CLI will then attempt to retrieve the scan results until the maximum wait time is reached, with exponential backoff between retries. Once the results are available they are attested to Kosli as usual. -
Providing the Sonar project key and either the revision or the pull-request ID of the scan (plus the SonarQube server URL if relevant).
For branch scans: if running the Kosli CLI in some CI/CD pipeline, the revision is defaulted to the commit SHA. If you are running the command locally,
or have overriden the revision in SonarQube via parameters to the Sonar scanner, you can provide the correct revision using the
--sonar-revisionflag. For pull request scans: provide the pull-request ID using the--pull-requestflag instead of the revision. Kosli then finds the scan results for the specified project key and revision or pull-request ID. -
Providing the CE task URL directly via
--sonar-ce-task-url. The CE task URL can be found in thereport-task.txtfile generated by the Sonar scanner (theceTaskUrlfield). This is useful in CI/CD environments where the Sonar scanner and the Kosli CLI run in different containers that do not share a filesystem, making thereport-task.txtfile inaccessible to the CLI.
- using the artifact’s SHA256 fingerprint which is calculated (based on the
--artifact-typeflag and the artifact name/path argument) or can be provided directly (with the--fingerprintflag). - using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
Flags
Flags inherited from parent commands
Live Examples in different CI systems
- GitHub
kosli attest sonar command in GitHub.In this YAML file, which created this Kosli Event.Examples Use Cases
These examples all assume that the flags--api-token, --org, --host, (and --flow, --trail when required), are set/provided.
report a SonarQube Cloud attestation about a trail using SonarQube's metadata, with no retries
report a SonarQube Cloud attestation about a trail using SonarQube's metadata, with no retries
report a SonarQube Server attestation about a trail using SonarQube's metadata, waiting for up to 60 seconds for the results to be available
report a SonarQube Server attestation about a trail using SonarQube's metadata, waiting for up to 60 seconds for the results to be available
report a SonarQube Cloud attestation about a trail using key/revision
report a SonarQube Cloud attestation about a trail using key/revision
report a SonarQube Server attestation about a trail using key/revision
report a SonarQube Server attestation about a trail using key/revision
report a SonarQube Cloud attestation about a trail for a pull request scan using key/pull-request
report a SonarQube Cloud attestation about a trail for a pull request scan using key/pull-request
report a SonarQube Cloud attestation about a trail with an attachment using SonarQube's metadata, waiting for up to 300 seconds for the results to be available
report a SonarQube Cloud attestation about a trail with an attachment using SonarQube's metadata, waiting for up to 300 seconds for the results to be available
report a SonarQube attestation using the CE task URL directly (useful when report-task.txt is not accessible)
report a SonarQube attestation using the CE task URL directly (useful when report-task.txt is not accessible)