SonarQube Pull Request Decoration with GitLab

Jochen Holzer
3 min readNov 30, 2021

Reviewing pull requests is one of the daily (sometimes tiresome) tasks of software developers. Parts of the review can be automated so that the reviewer can concentrate on the essentials such as architecture and business logic.

Learn how your team can save review time with SonarQube Pull Request Decoration.

TL; TR — Preview

The following screens show SonarQube Pull Request Decoration in GitLab.

SonarQube Pull Request Decoration — Source Code Analysis failed.
Screen #1: SonarQube Pull Request Decoration. Quality Gate failed because there is too much code duplication.
Screen #2: SonarQube Pull Request Decoration. Quality Gate passed.
Screen #3: SonarQube Pull Request Decoration in GitLab. Quality Gate passed — but there are some code smells.
Screen #4: Details on the Code Smells in Screen #3 on the SonarQube page.

Read on if you’re interested in how it works.

What SonarQube can do for you

SonarQube scans your source code (20+ programming languages, including Swift — i used it for the quality assurance of an iOS project) and provides results for Reliability, Security and Maintainability. For details see here.

A Quality Gate is defined which defines the code standards (e.g. 90% test coverage, max 3% code duplication, 0 bugs and max 3 code smells).
If the code in the pull request does not meet the requirements from the Quality Gate, the Quality Gate is shown as failed in GitLab (you can decide during the setup in GitLab whether in this case the pipeline in GitLab should also be regarded as failed).


You need GitLab (11.7 or better) or GitLab self hosted and SonarQube Developer Editon (or better).

GitHub, GitHub Enterprise, Bitbucket Server and Azure DevOps Server are also supported.

Setup sonar-scanner

To configure the sonar scanner you have to create a file called in the root directory of your project — heres an example (See here for the configuration documentation and here to copy the files content):

To run sonar locally (so that you can validate your file) the sonar-scanner must be installed on your machine.

On the mac you can do this with homebrew:

brew install sonar-scanner

For installation instructions on other platforms see here.

After installing sonar-scanner you can start it on the command line (make sure the sonar.login parameter is set properly in the or pass it as property):

sonar-scanner -Dsonar.login=your_login_token

If your properties file is valid the output should look something like this:

Setup GitLab

To activate sonarqube in your GitLab pull requests you have to add a section to your .gitlab-ci.yml — heres an example (heres the gist to copy the config):

Example for sonarqube section in .gitlab-ci.yml

With that you have laid the foundations. Follow the instructions on the Sonarqube documentation for more details on GitLab/Sonarqube integration.

If the Sonarqube integration works follow these instructions to set up Pull Request Decoration in GitLab.

So long, and thanks for all the fish

Thanks for reading. Perhaps SonarQube Pull Request Decoration will also help your team to produce clean and maintainable code and save some time reviewing the pull requests.

If you are interested in further automatic quality assurance measures in Pull Request, take a look at my article Automatic Quality Assurance Measures for iOS Projects with Fastlane, Danger and GitLab.

Credits & Links

SonarQube Documentation:
Credits for featured image:



Jochen Holzer

"Seasoned (iOS) Engineer. Expert in the Apple Universe, Mobile DevOps and App Maintenance.