The release of SonarQube 7.1 included an API for Project Badges for public repositories. Using project badges with private projects is not yet specified or possible.
The Sonar Badge Proxy enables the use of Project Badges with private projects. It provides a reverse proxy to authenticate the call to the SonarQube instance.
URL to access a specific BADGE for a PROJECT:
localhost:4000/$BADGE/$PROJECT
The BADGE path segment does not always match the metric name used with the API.
status → alert_status
bugs → bugs
codesmells → code_smells
coverage → coverage
duplications → duplicated_lines_density
lines → ncloc
maintainability → sqale_rating
reliability → reliability_rating
security → security_rating
techdept → sqale_index
vulnerabilities → vulnerabilities
The port the reverse proxy server starts on
The user token passed as Basic Authorization header
A comma separated list of metrics to expose as BADGE
The host of the SonarQube installation
A secret to create a project access token with
To access metric badges for specific branches, a branch query parameter can be added to the request.
Access to the badges provided by Sonar Badge Proxy can be restricted.
The token should be provided as a query parameter.
assert token == md5("$PROJECT:$SECRET")
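The token check above, written out as an added Go example (not the project's own code): it derives the token for a project, verifies a presented token, and builds the badge URL with the branch and token query parameters. The function names, the constant-time comparison and the sample project and secret are assumptions of this example.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/url"
)

// projectToken returns the lowercase hex MD5 of "PROJECT:SECRET", the value
// the assert line above requires the token query parameter to equal.
func projectToken(project, secret string) string {
	sum := md5.Sum([]byte(project + ":" + secret))
	return hex.EncodeToString(sum[:])
}

// validToken recomputes the expected token and compares it in constant time.
// The constant-time comparison is this example's choice, not a statement
// about how the proxy itself compares tokens.
func validToken(project, secret, token string) bool {
	want := projectToken(project, secret)
	return subtle.ConstantTimeCompare([]byte(want), []byte(token)) == 1
}

// badgeURL builds base/$BADGE/$PROJECT and appends the optional branch and
// token query parameters. An empty secret means no token is required.
func badgeURL(base, badge, project, branch, secret string) string {
	q := url.Values{}
	if branch != "" {
		q.Set("branch", branch)
	}
	if secret != "" {
		q.Set("token", projectToken(project, secret))
	}
	u := base + "/" + url.PathEscape(badge) + "/" + url.PathEscape(project)
	if enc := q.Encode(); enc != "" {
		u += "?" + enc
	}
	return u
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	const project, secret = "my-project", "example-secret"
	fmt.Println(badgeURL("http://localhost:4000", "bugs", project, "master", secret))
	fmt.Println(validToken(project, secret, projectToken(project, secret)))
	fmt.Println(validToken("other-project", secret, projectToken(project, secret)))
}
```

Because the token depends only on the project and the secret, one token is valid for every badge and branch of that project.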
A Dockerfile is provided to build and run a server image FROM scratch like:
docker build -t sonar-badge-proxy .
docker run --env-file=.env sonar-badge-proxy
The resulting image only contains /etc/ssl/certs/ca-certificates.crt and the statically linked sonar-badge-proxy binary itself.
If the REMOTE SonarQube instance is using a self-signed SSL certificate, just mount the custom CA certificate to replace the ca_certificates like:
docker run -v /path/to/custom.crt:/etc/ssl/certs/ca-certificates.crt sonar-badge-proxy
Assume a SonarQube project on sonarcloud.io.
To access badges for the bugs and lines metrics for master publicly,
start the proxy as follows:
#!/usr/bin/env bash
export PORT=4000
export REMOTE=sonarcloud.io
export SECRET=012345789abcdef
export METRIC=bugs,lines
./sonar-badge-proxy
The badges can be accessed through a URL like:
localhost:4000/coverage/project?branch=master&token=7d9ccf5d9de733c1f7aded0048739e89
The provided .env file declares a default environment for all metrics of public projects on sonarcloud.io, without setting a SECRET, to be used as follows:
#!/usr/bin/env bash
set -a
. .env
./sonar-badge-proxy
Copyright (C) 2019 tynn
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.