Document how to use SonarCloud in place of the self hosted SonarQube Server image #15
Comments
@wenzowski, here you go. @ShellyXueHan, Alec asked me to tag you so the two of you could document the process more completely. Thanks.
Ideally, if @ShellyXueHan has time, we can screenshot the process and commit here. However, we still need to confirm if the additional administrative burden of SonarCloud use is acceptable. As a result, I expect to resolve this ticket either by creating docs as requested or by migrating CAS projects away from SonarCloud, as it is currently only transitionally deployed.
@wenzowski, just to remind us that a journey (with pros and cons) is also included in the doc.
Revisiting this ticket, @wenzowski.
I was thinking of taking this opportunity to give sonarcloud-circleci-orb a spin as well. This will give me a chance to try pulling the CLI directly into a Python/Java base image. If that works well, then we might be able to get away with hosting the various CLI zip file versions on Artifactory and not maintaining a whole bunch of Jenkins slave images.
(Oh yes, we already tried the same approach but using Gradle.)
Just did this. Here are the steps:
Example:
If you want to invoke the scan manually, you'll need a SonarCloud token.
Use of a scan image rather than the
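The manual-invocation step above (scanner run outside CI, authenticated with a SonarCloud token) as an added example; this is not code from the issue or from the project's README. It assumes the standard sonar-scanner CLI with the `sonar.host.url`, `sonar.organization`, `sonar.projectKey`, `sonar.sources` and `sonar.login` properties, and the project key and organization names are constructed placeholders. The token is read only from the `SONAR_TOKEN` environment variable, never echoed, and a small check refuses a `sonar-project.properties` that has a token committed into it.

```sh
#!/bin/sh
# Added example (not the issue's or the project's own code): invoke a SonarCloud
# scan manually with the token taken from the environment.
# Assumptions: sonar-scanner CLI on PATH; property names are the standard
# sonar-scanner ones. Project key / organization below are constructed values.

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarcloud.io}"

# Print the non-secret scanner arguments, one per line, and fail (non-zero)
# when SONAR_TOKEN is unset so a job never falls back to an anonymous or
# hard-coded credential. The token itself is never printed.
sonar_scan_args() {
  project_key="$1"
  organization="$2"
  sources="${3:-.}"
  if [ -z "$SONAR_TOKEN" ]; then
    echo "SONAR_TOKEN is not set (create one under My Account > Security in SonarCloud)" >&2
    return 1
  fi
  printf '%s\n' \
    "-Dsonar.host.url=$SONAR_HOST_URL" \
    "-Dsonar.organization=$organization" \
    "-Dsonar.projectKey=$project_key" \
    "-Dsonar.sources=$sources"
}

# Refuse to run if a token has been committed into sonar-project.properties;
# the token belongs in the environment (or a CI secret), not in the repo.
# Returns 0 when the file is clean or absent, 1 when it carries a credential.
check_no_token_in_file() {
  props="${1:-sonar-project.properties}"
  [ -f "$props" ] || return 0
  if grep -Eq '^[[:space:]]*sonar\.(login|token|password)[[:space:]]*=' "$props"; then
    echo "refusing to scan: $props contains a credential; remove it and use SONAR_TOKEN" >&2
    return 1
  fi
  return 0
}

# Run the scan: usage  run_scan <project-key> <organization> [sources-dir]
run_scan() {
  check_no_token_in_file sonar-project.properties || return 1
  args=$(sonar_scan_args "$@") || return 1
  old_ifs=$IFS
  IFS='
'
  # Word-split only on newlines so each -D argument stays intact.
  # shellcheck disable=SC2086
  sonar-scanner $args "-Dsonar.login=$SONAR_TOKEN"
  rc=$?
  IFS=$old_ifs
  return $rc
}

# Example invocation (constructed placeholder values):
#   SONAR_TOKEN=... ./scan.sh   with   run_scan example-project example-org src
```

`sonar_scan_args` is kept separate from `run_scan` so the argument list can be inspected in a dry run without exposing the token; the token is appended only at the point `sonar-scanner` is executed.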
@rstens, @wenzowski , Any chance you guys can formalize this documentation in a section or two of the main ReadMe and submit a PR? |
Done my piece, over to others. See readme. |
Thanks. Reviewed. Asked @wenzowski if he'd like to add anything. |
commented #21 |
If ZAP were part of our STRA, I think our team would be empowered to put more resources here. As it stands, our STRA requires a manual scan, and thus this ticket and the coupled exploration of how a full ZAP scan might meet security needs has been relegated to "nice-to-have" status: possibly valuable in future but not urgent and of minimal impact as we prepare for our first release deadline. As a result, our team has continued to use the Automatic Analysis feature provided by SonarCloud and has not yet completed exploration of
SonarCloud and SonarQube Server are essentially the same. Project teams that are not bound to using a private instance of SonarQube Server are encouraged to use SonarCloud due to the reduction in administration overhead (upgrades, updates, etc.).
Add a section describing the steps a team must take in order to use SonarCloud in place of SonarQube Server.
Recommend placing this section near the top above the SonarQube Server section.