How do you integrate SonarQube into a Jenkins or GitHub pipeline? [Basic]
Answer
I integrate SonarQube by adding a scanner step to CI, passing project metadata and coverage reports, then waiting for the quality gate result. In Jenkins this commonly uses withSonarQubeEnv and waitForQualityGate; in GitHub Actions it uses a scanner action or Maven/Gradle task plus branch protection.
Technical explanation
The scanner should run after compilation/tests when coverage and test reports are available.
Authentication should use a scoped token stored in the CI secret manager, not hardcoded credentials.
The pull request should be protected so failing analysis prevents merge.
Hands-on example
GitHub Actions sketch:
    - uses: actions/checkout@v4
    - run: mvn -B verify sonar:sonar -Dsonar.projectKey=checkout
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Then require the SonarQube quality-gate status check before merging to main.
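For the Jenkins side mentioned in the answer, here is an added example (not from the original page) of a declarative Jenkinsfile that runs the scanner after the tests and fails the build on the quality gate. It assumes a SonarQube server registered in Jenkins under the name 'SonarQube' with its token held as a Jenkins credential, and a SonarQube webhook pointing at the Jenkins /sonarqube-webhook/ endpoint.

```groovy
// Added example: Jenkins declarative pipeline with SonarQube scan and quality gate.
// Assumes a server named 'SonarQube' configured under Manage Jenkins > System,
// whose token lives in the Jenkins credential store (never in this file), and a
// SonarQube webhook that posts analysis results back to Jenkins.
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps { checkout scm }
        }
        stage('Build and test') {
            // Run tests first so Surefire/JaCoCo reports exist when the scanner runs.
            steps { sh 'mvn -B verify' }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and scoped token from the
                // Jenkins configuration, so no credentials are hardcoded here.
                withSonarQubeEnv('SonarQube') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=checkout'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // waitForQualityGate blocks until the webhook delivers the gate status;
                // the timeout stops a missing webhook from hanging the build forever,
                // and abortPipeline marks the build failed when the gate is red.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

With the build failing on a red gate, the same branch protection described above can require this Jenkins status check before merge.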