Tuesday, June 9, 2026

How to integrate SonarQube with GitLab CICD Pipeline | SonarQube Integration with GitLab CICD | Automate Code Scan using SonarQube In GitLab CICD

 Please find steps for integrating SonarQube with GitLab CICD



Pre-requisites:

How to integrate SonarQube with GitLab CICD:
We will follow the steps below:
  • Create Token in SonarQube to authenticate with GitLab
  • Add Sonar Token, SonarQube URL as Secrets in GitLab
  • Create GitLab CICD yaml
  • Add tasks for Maven build and Sonar Scan
  • Verify scan report in SonarQube

Create Token in SonarQube to authenticate with GitLab
Log in to SonarQube using your admin password and click on Admin at the top.
Click on My Account, then Security.
Under Tokens, give the token a name, choose Global Analysis Token, and click on Generate. Copy the generated token value.


Add Sonar Token and Sonar Host URLs as Secret in GitLab
Go to your GitLab Repo --> Click on Settings --> CICD --> Variables



Click new Repository Secret



Add another variable for storing Sonar token




Create GitLab CICD workflow yaml:

Go to the GitLab repo where your Java project is and create a new file: .gitlab-ci.yml

The file below has three stages:
    - build
    - sonar
    - deploy

Create .gitlab-ci.yml CICD Pipeline:
stages:
  - build
  - sonar
  - deploy

build_war:
  stage: build
  image: maven:3.8.6-eclipse-temurin-11

  script:
    - echo "Building WAR file using Maven"
    - mvn clean install -f MyWebApp/pom.xml
    - echo "Listing target directory"
    - ls -la MyWebApp/target

  artifacts:
    paths:
      - MyWebApp/target/*.war
    expire_in: 1 hour

sonarqube_scan:
  stage: sonar
  image: maven:3.9.6-eclipse-temurin-17

  script:
    - |
      mvn sonar:sonar \
        -f MyWebApp/pom.xml \
        -Dsonar.projectKey=MyWebApp \
        -Dsonar.host.url="${SONAR_HOST_URL}" \
        -Dsonar.token="${SONAR_TOKEN}"
      
deploy_to_tomcat:
  stage: deploy
  image: curlimages/curl:latest

  dependencies:
    - build_war

  script:
    - echo "Deploying WAR file to Tomcat running on AWS EC2"

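    # -v is left out: curl's verbose output prints the Authorization header,
    # which carries the base64 of user:password into the job log.
    # --fail makes the job fail on HTTP errors such as 401 or 403.
    - |
      curl --fail -u "${TOMCAT_USER}:${TOMCAT_PASSWORD}" \
      -T MyWebApp/target/MyWebApp.war \
      "http://${TOMCAT_HOST}/manager/text/deploy?path=/MyWebApp&update=true"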

Commit the file.

As soon as you commit, the build will run immediately in GitLab CICD.
Now you can see the output of the build in the Actions tab.



Now log in to SonarQube to see the scan report.
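
The variables step above stores SONAR_TOKEN and the Tomcat credentials as CI/CD variables; whether they are masked and protected decides how well they stay secret. The following audit is an added example, not part of the original post: it checks a response from GitLab's project variables API (GET /api/v4/projects/:id/variables) for the variable names this pipeline uses. The sample response is constructed, and treating SONAR_TOKEN and TOMCAT_PASSWORD as the secret ones is this example's assumption.

```python
import json

# Names come from the .gitlab-ci.yml on this page; treating these two as
# secrets is this example's assumption.
SECRET_KEYS = {"SONAR_TOKEN", "TOMCAT_PASSWORD"}
REQUIRED_KEYS = SECRET_KEYS | {"SONAR_HOST_URL", "TOMCAT_USER", "TOMCAT_HOST"}

# Constructed sample of a GET /api/v4/projects/:id/variables response.
SAMPLE_RESPONSE = json.dumps([
    {"key": "SONAR_HOST_URL", "value": "http://sonar.example.internal:9000",
     "masked": False, "protected": False, "environment_scope": "*"},
    {"key": "SONAR_TOKEN", "value": "constructed-token-value",
     "masked": True, "protected": False, "environment_scope": "*"},
    {"key": "TOMCAT_USER", "value": "deployer",
     "masked": False, "protected": True, "environment_scope": "*"},
    {"key": "TOMCAT_PASSWORD", "value": "constructed-password",
     "masked": False, "protected": True, "environment_scope": "*"},
])


def audit_variables(response_text):
    """Return findings (list of str) for the variables the pipeline relies on."""
    variables = json.loads(response_text)
    defined = {v["key"] for v in variables}
    findings = [f"{key}: not defined, the job expands it to an empty string"
                for key in sorted(REQUIRED_KEYS - defined)]
    for var in sorted(variables, key=lambda v: v["key"]):
        key = var["key"]
        if key in SECRET_KEYS:
            if not var.get("masked"):
                findings.append(f"{key}: not masked, the value can show up in job logs")
            if not var.get("protected"):
                findings.append(f"{key}: not protected, available to pipelines on any branch")
        if key == "SONAR_HOST_URL" and var.get("value", "").startswith("http://"):
            findings.append(f"{key}: plain http, the analysis token crosses the network unencrypted")
    return findings


if __name__ == "__main__":
    for line in audit_variables(SAMPLE_RESPONSE):
        print("FINDING", line)
```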


Saturday, June 6, 2026

How to Implement CICD Pipeline using GitLab Yaml | GitLab CICD Tutorials | GitLab CICD Pipeline | Build Java WAR file using GitLab CICD YAML file

Below is the GitLab CICD YAML file for a Java web app project that automates build and deployment.

What is GitLab CICD?

GitLab CI/CD is a continuous integration and continuous deployment solution built into GitLab.


GitLab CI/CD

GitLab CI/CD is a feature of GitLab that automates:

  • Building code
  • Testing applications
  • Scanning code
  • Deploying applications

whenever developers push code into Git repositories.

What is .gitlab-ci.yml?

The .gitlab-ci.yml file is the heart of GitLab CI/CD pipelines.

It contains:

  • Pipeline stages
  • Jobs
  • Scripts
  • Variables
  • Artifacts
  • Deployment instructions

GitLab automatically reads this file whenever code changes are pushed into the repository. GitLab Runner uses a Docker container image to run the job. 

Pre-requisites:

.gitlab-ci.yml for implementing CICD using GitLab

stages:
  - build
  - deploy

build_war:
  stage: build
  image: maven:3.8.6-eclipse-temurin-11

  script:
    - echo "Building WAR file using Maven"
    - mvn clean install -f MyWebApp/pom.xml
    - echo "Listing target directory"
    - ls -la MyWebApp/target

  artifacts:
    paths:
      - MyWebApp/target/*.war
    expire_in: 1 hour

deploy_to_tomcat:
  stage: deploy
  image: curlimages/curl:latest

  dependencies:
    - build_war

  script:
    - echo "Deploying WAR file to Tomcat running on AWS EC2"

    # -v is left out: curl's verbose output prints the Authorization header,
    # which carries the base64 of user:password into the job log.
    # --fail makes the job fail on HTTP errors such as 401 or 403.
    - |
      curl --fail -u "${TOMCAT_USER}:${TOMCAT_PASSWORD}" \
      -T MyWebApp/target/MyWebApp.war \
      "http://${TOMCAT_HOST}/manager/text/deploy?path=/MyWebApp&update=true"




Sunday, May 31, 2026

Complete DevSecOps Learning Roadmap for 2026 to become a DevSecOps Engineer | Top DevSecOps Skills for 2026 | Skills required to become a DevSecOps engineer | DevSecOps Learning RoadMap for 2026

Complete DevSecOps Roadmap

We all know how DevOps is trending right now. And we know where it is going. Let's get to know what skills will make you a successful DevOps engineer.

Top DevOps skills

1. Linux knowledge and scripting - basic troubleshooting and scripting and looking at the logs

2. Experience in Git, GitHub, GitLab, Bitbucket, Azure Repos or any source code management tools.

3. Experience in CI tools such as Jenkins, GitHub Actions, GitLab CICD, Azure DevOps

4. Experience in Code quality tool/security scanning tools - SonarQube, AquaSec Trivy, Checkov

5. Experience in Infrastructure automation tools such as Terraform, AWS CloudFormation

6. Experience in Configuration Management tools such as Ansible, Puppet or Chef

7. Experience in scripting languages such as YAML, Groovy, Ruby, Python and Shell

8. Experience in containers such as Docker, Kubernetes and Helm

9. Experience in Monitoring tools such as Prometheus, Grafana

10. Ability to troubleshoot build and deployment failures.

11. Any cloud knowledge and experience - AWS, Azure and Google cloud

Soft skills employers are looking for:

These days employers look not only for strong technical skills but also for "soft skills", which are essential to becoming successful in IT. If you think you are lagging in any of these skills, no worries. All of them can be developed and improved over time with practice.

  • Open minded
  • Willingness to learn new skills
  • Communication
  • Approachable
  • "Get it done" attitude
  • Being adaptable

Sunday, May 24, 2026

How to Setup AquaSec Trivy Vulnerability Scanner | How to install AquaSec Trivy Scanner on Linux OS | Jenkins Pipeline For Scanning MyWebApp | DevSecOps Tutorials

 What is Trivy?

  • open-source security scanner tool developed by Aqua Security. 
  • Used for vulnerability scanning in targets such as
    • container images 
    • file systems/folders 
    • Git repositories
    • Kubernetes clusters
    • misconfiguration in files such as Terraform, K8S manifest files
  • Trivy helps identify security issues and misconfigurations early in the software development lifecycle.

Pre-requisites:

  • Any Linux instance is up and running, in our case we will use Jenkins Ubuntu machine

How to Install Trivy scanner on Jenkins Ubuntu EC2 instance?

Trivy scanner can be installed in many ways. Check here for more information. We will use the APT package manager to install it on Ubuntu EC2.

sudo apt-get install wget gnupg -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null 
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list 
sudo apt-get update 
sudo apt-get install trivy -y

Check Trivy got installed
trivy --version


This confirms that Trivy was installed successfully.

Jenkins Pipeline 

pipeline {
    agent any

    tools {
        maven 'Maven3'
    }
    stages {
        stage('Checkout') {
            steps {
                git branch: 'main', credentialsId: '', url: 'https://github.com/akannan1087/myApr2026WeekendRepo'
            }
        }
        
        stage ("build") {
            steps {
                echo "doing my build.."
                sh "mvn clean install -f MyWebApp/pom.xml"
            }
        }

        stage ("code coverage") {
            steps {
                jacoco()
            }
        }

        stage ("code scan") {
            steps {
                withSonarQubeEnv('SonarQube') {
                    sh "mvn sonar:sonar -f MyWebApp/pom.xml"
                }
            }
        }

        stage ("security scan") {
            steps {
                sh "trivy fs ."
            }
        }
    }
}
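
`trivy fs .` as used in the security scan stage prints its findings and exits with status 0, so the stage passes whatever it finds. The following script is an added example, not part of the original post: it reads a report written with `trivy fs --format json --output trivy-report.json .` and fails the step on CRITICAL findings and on HIGH findings that have a fixed version. The policy and the sample report (placeholder IDs and package names) are this example's assumptions.

```python
import json
import sys

# Constructed sample shaped like `trivy fs --format json` output. The IDs and
# package names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "MyWebApp/pom.xml", "Type": "pom", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example:lib-a",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example:lib-b",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example:lib-c",
             "InstalledVersion": "0.9", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example:lib-a",
             "InstalledVersion": "1.0", "FixedVersion": "1.2", "Severity": "MEDIUM"},
        ]},
        {"Target": "package-lock.json", "Type": "npm"},  # clean target: no list
    ],
})


def blocking_findings(report_text):
    """CRITICAL always blocks; HIGH blocks only when a fixed version exists."""
    report = json.loads(report_text)
    blocking = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            fixed = vuln.get("FixedVersion") or ""
            if severity == "CRITICAL" or (severity == "HIGH" and fixed):
                blocking.append((severity, vuln["VulnerabilityID"], vuln["PkgName"],
                                 result["Target"], fixed or "no fix yet"))
    return sorted(blocking)


def gate(report_text):
    """Print blocking findings and return the exit code for the CI step."""
    findings = blocking_findings(report_text)
    for severity, vuln_id, pkg, target, fixed in findings:
        print(f"{severity:8} {vuln_id} {pkg} in {target} (fix: {fixed})")
    return 1 if findings else 0  # non-zero fails a Jenkins `sh` step


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a report written by trivy
        with open(sys.argv[1], encoding="utf-8") as handle:
            sys.exit(gate(handle.read()))
    sys.exit(gate(SAMPLE_REPORT))
```

For a plain severity threshold without the fix-availability rule, Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` flags fail the step directly.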



Monday, May 11, 2026

Master DevSecOps and Multi Cloud Computing Course by Coach AK | DevSecOps and Cloud Computing Online Classes | June 2026 Schedule

Live DevSecOps Hands-On Bootcamp - June 2026

🚀 Supercharge your DevOps career with real-world skills!

🔥 What You’ll Learn

👉 Master leading DevSecOps tools & cloud platforms including:
✔ Git, GitHub, Bitbucket, Azure Repos
✔ Jenkins, GitHub Actions, Azure DevOps
✔ SonarQube, Trivy, Nexus, Slack
✔ Terraform, Ansible
✔ Docker & Kubernetes 
✔ Helm, Prometheus & more!

🌐 AWS & Azure Multi-Cloud Training Included!


🧠 Real-World, Practical Training

✔ 100% Hands-On Projects
✔ Live Interactive Sessions
✔ Career Support: Resume + Interview Prep
✔ Build Recruiter-Ready Skills!


📅 Schedule Options

📍 Weekend Batch
🗓 Starts June 6th, 2026
🕤 Sat –   09:45 AM to 11:30 AM CST
🕥 Sun – 10:30 AM to 12:30 PM CST

📍 Weekday Evening Batch
🗓 Starts June 8th, 2026
🕕 Mondays & Wednesdays – 6:00 PM to 8:00 PM CST

🌎 Online using zoom!


📌 Why Join This Bootcamp?

✅ Fully hands on coaching
✅ Industry-Relevant Projects
✅ Expert Coaching by Coach AK
✅ Flexible Schedules for Working Pros
✅ Multi-Cloud + Security Focus
✅ Networking & Career Growth Support

📞 Register Now – Spots Are Limited!

📱 Please contact coach AK on +1 (469) 733-5248 (WhatsApp Available)
📧 devops.coaching@gmail.com

➡ Early Bird Discounts Available!


🚀 Take the Next Step in Your DevOps Career!

💡 Learn with confidence. Build with purpose. Get hired faster.

Sunday, April 5, 2026

Master DevSecOps and Multi Cloud Computing Course by Coach AK | DevSecOps and Cloud Computing Online Classes | May 2026 Schedule
