
Accept push request only if code is scanned and Passed by SonarQube Scanner by remote git hook/s


We have started using Gitlab and SonarQube for development in Java.

We are also using a pre-commit hook for running sonar-scanner and, according to its result, we are appending a SUCCESS/FAILURE/ERROR string to the commit message by a commit-msg hook. Accordingly, on the server side we are using an update hook for deciding whether to accept the push or not w.r.t. the commit message.

The loophole in this is that a developer could delete the client-side hooks and append SUCCESS manually. So the server cannot rely on client-side hooks.

My question is: is there any way to guarantee that sonar-scanner was really triggered or not? OR any other solution to run sonar-scanner by a server-side hook?


Solution

  • OR Any other solution to run sonar-scanner by server-side hook?

    You could run it in a pre-receive hook that would checkout the received code and run it there.
    The drawback is any push would then take a long time.

    My approach is simpler: I accept any push, and I have a Jenkins job regularly running SonarQube on the project, sending an email if there are any issues.
    The release management process will check the SonarQube project status and will refuse to proceed if outstanding issues are detected there.
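One way to implement the server-side scan the answer describes, as an added example that is not part of the original thread: a POSIX pre-receive hook that exports each pushed tip with `git archive` into a scratch directory and runs the scanner there, so the decision no longer depends on a marker the client wrote. The `SCANNER_CMD` variable, its `sonar.qualitygate.wait=true` default and the scratch-export approach are assumptions of this example.

```shell
#!/bin/sh
# Added example: server-side pre-receive hook that scans what was actually
# pushed, instead of trusting a SUCCESS marker written by client-side hooks.
# Assumptions: SCANNER_CMD runs the scanner in the current directory and exits
# non-zero when the scan fails or the quality gate is not passed (for
# sonar-scanner that is what sonar.qualitygate.wait=true is for), and the
# project carries its own sonar-project.properties.
SCANNER_CMD="${SCANNER_CMD:-sonar-scanner -Dsonar.qualitygate.wait=true}"
ZERO_SHA="0000000000000000000000000000000000000000"

# Export one pushed commit into a scratch directory and run the scanner there.
# Returns 0 when the scan passed, 1 otherwise.
scan_commit() {
    git_dir="$1"; sha="$2"; rc=1
    git --git-dir="$git_dir" rev-parse --verify --quiet "$sha^{commit}" >/dev/null || return 1
    work="$(mktemp -d)" || return 1
    # git archive reads the pushed objects (quarantine included) without
    # touching the repository's index or any checked-out work tree.
    if git --git-dir="$git_dir" archive "$sha" | tar -xf - -C "$work" &&
       ( cd "$work" && $SCANNER_CMD 1>&2 ); then
        rc=0
    fi
    rm -rf "$work"
    return "$rc"
}

# Read the "<old> <new> <ref>" lines git feeds a pre-receive hook on stdin and
# scan every new tip; a single failing scan rejects the whole push (status 1).
check_push() {
    git_dir="${1:-${GIT_DIR:-.}}"; result=0
    while read -r old new ref; do
        [ "$new" = "$ZERO_SHA" ] && continue   # ref deletion: nothing to scan
        if scan_commit "$git_dir" "$new"; then
            echo "scan passed for $ref ($new)"
        else
            echo "REJECTED $ref: scan failed or quality gate not passed ($new)" >&2
            result=1
        fi
    done
    return "$result"
}

# Only run the hook loop when installed as hooks/pre-receive, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    pre-receive) check_push ;;
esac
```

As the answer notes, every push now waits for a full scan; the hook is the place to enforce the gate, the Jenkins job remains the cheaper option if push latency matters more.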