Tyvain

Reputation: 2760

Gitlab code quality: where is the report?

On this project: https://gitlab.com/tyvain/parcoursup/tree/master

I have a code quality stage:

code_quality:
  stage: code_quality
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SOURCE_CODE="$PWD"
        --volume "$PWD":/code
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  artifacts:
    paths: [gl-code-quality-report.json]

This stage always ends up 'passed'. Logs: https://gitlab.com/tyvain/parcoursup/-/jobs/94665791

I doubt that my code is perfect, so there should be some code quality issues somewhere.

Where is the code quality report supposed to be output?
What is this parameter: "paths: [gl-code-quality-report.json]" ?

Upvotes: 11

Views: 24281

Answers (5)

VonC

Reputation: 1327764

This has changed with GitLab 13.6 (November 2020):

Generate HTML reports for Code Quality

Code Quality reports provide you with a variety of information about code quality violations found on the current branch, but they are not in an easily readable format.

Now, this report is available as an .html file so you can more easily see the code quality violations in your project and determine the impact. You can even host the file on GitLab Pages for even easier reviewing!

Thanks for the contribution Vicken Simonian!

See Documentation and Issue.


See GitLab 13.11 (April 2021)

Code Quality violations sorted by severity

Running Code Quality scans on your Projects can find dozens to thousands of violations.

In the smaller view of the Merge Request widget, it can be hard to pinpoint the most critical issues to address first as you’re sorting through a large number of code quality violations.

Both the Code Quality Merge Request widget and the Full Code Quality Report now sort violations by Severity so that you can quickly identify the most important Code Quality violations to address.

https://about.gitlab.com/images/13_11/code-quality-sorted.png -- Code Quality violations sorted by severity

See Documentation and Issue.


GitLab 15.2 (July 2022) adds:

Merge request reports redesign

Merge request reports are an important part of code review, providing insights into the impact of changes and improvements to meet project standards.

Report widgets now all follow design guidelines for layout, hierarchy, and content sections, making them consistent, scannable, and utilitarian. These improvements make it easier for you to find actionable information in each report.

https://about.gitlab.com/images/15_2/create-merge-request-widget-redesign.png -- Merge request reports redesign

See Documentation and Epic.


GitLab 15.6 (November 2022) goes further:

See multiple Code Quality scan reports per pipeline

GitLab Code Quality includes an MR widget, a pipeline report, and MR diff annotations to help you find and fix problems in your code.
Many tools, including code scanners and linters for technical documentation, can output results in Code Quality’s open report format.

Previously, you could only see results from a single scan in the pipeline report and MR diff annotations.
This made it harder to add custom scanning tools to your pipelines.

Now, all of the Code Quality views show results from all report artifacts saved in a pipeline.

This new feature is controlled by a feature flag that is now enabled by default in GitLab.com.
We plan to enable the flag by default in Self-Managed instances in GitLab 15.7.

See Documentation and Issue.


GitLab 15.7 (December 2022) adds:

See multiple Code Quality scan reports per pipeline

GitLab Code Quality includes an MR widget, a pipeline report, and MR diff annotations to help you find and fix problems in your code.
Many tools, including code scanners and linters for technical documentation, can output results in Code Quality’s open report format.

Previously, you could only see results from a single scan in the pipeline report and MR diff annotations. This made it harder to add custom scanning tools to your pipelines.

Now, all of the Code Quality views show results from all report artifacts saved in a pipeline.

This new feature was enabled in GitLab.com in GitLab 15.6. The feature flag is now also enabled by default for Self-Managed instances in GitLab 15.7 and newer.

See Documentation and Issue.

And (still 15.7, Dec. 2022):

See multiple findings in Code Quality changes view

We’ve improved GitLab Code Quality to make it easier to see and understand findings on merge requests when you’re reviewing changes. The Changes view on merge requests now supports showing more than one finding on each line, and you can now expand the findings to view them without continuing to hover over them.

This change is now active on GitLab.com. We plan to enable the feature flag by default for Self-Managed instances in GitLab 15.8.

https://about.gitlab.com/images/15_7/code-quality-findings.png -- See multiple findings in Code Quality changes view

See Documentation and Issue.

Upvotes: 6

Gecko

Reputation: 152

The accepted answer should be out of date as of GitLab version 13.2 where the code quality widget was made available to all tiers.

Upvotes: 2

Bob Lloyd

Reputation: 21

This is old, but adding this here, in case someone else stumbles on it. I found the same issue (success, but no output) and the result was that the test was timing out. There's a default 900 second timeout on the codeclimate engine. The images that codeclimate uses are well over 1.5 GB of data, so they take forever to download on a slow connection. When they time out, they return exit code 0, but no reports.

Verified by doing this locally:

docker run \
  --env CODECLIMATE_CODE=/path/to/my/code \
  --env CONTAINER_TIMEOUT_SECONDS=9000 \
  --volume /path/to/my/code:/code \
  --volume /tmp/cc:/tmp/cc \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --env CODECLIMATE_DEBUG=1 "codeclimate/codeclimate:0.83.0" \
  analyze -f json

Adding CONTAINER_TIMEOUT_SECONDS as an environment variable will allow you to surpass this, if timeout is your issue. I haven't gone further on using this in GitLab, as the documentation is lacking, and I only wanted checkstyle, not all the other stuff codequality comes with in GitLab, and the documentation wasn't clear on how to do that.

Upvotes: 2

King Chung Huang

Reputation: 5644

GitLab parses and displays the results in merge requests. It works by comparing to previous code quality results, so the first time you merge the job into master, you won't see anything. But, it should work on subsequent merge requests.

It's explained in a bit more detail here: Code Quality

Upvotes: 10

Tyvain

Reputation: 2760

2 problems here:

  • the report is only available for merge requests in 'GitLab EE edition' (not free)
  • the report can be downloaded as a json file here: where to download artifacts

Upvotes: 11
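
Two of the answers above point at the same gap: the scanner can exit 0 without writing a report, and the report itself is just a JSON artifact. The following is an added example, not code from any of the posts or from GitLab: a check that fails when `gl-code-quality-report.json` is missing or unparseable and otherwise lists findings most severe first. It assumes the report is a JSON array whose entries carry `description`, `check_name`, `fingerprint`, `severity` and `location`; the sample findings and file paths are constructed.

```python
import json
import sys
from collections import Counter
from pathlib import Path

SEVERITIES = ["blocker", "critical", "major", "minor", "info"]  # report format values, worst first

# Constructed sample findings (not from the project in the question).
SAMPLE = [
    {"description": "Method is too long", "check_name": "method_lines", "fingerprint": "constructed-1",
     "severity": "minor", "location": {"path": "src/Main.java", "lines": {"begin": 12}}},
    {"description": "Identical code block", "check_name": "duplication", "fingerprint": "constructed-2",
     "severity": "critical", "location": {"path": "src/Util.java", "lines": {"begin": 40}}},
    {"description": "Too many parameters", "check_name": "argument_count", "fingerprint": "constructed-3",
     "severity": "major", "location": {"path": "src/Main.java", "lines": {"begin": 88}}},
]

def load_report(path):
    """Return the findings list; raise ValueError when the artifact is unusable."""
    if not Path(path).is_file():
        raise ValueError(f"{path}: missing (the scanner may have exited 0 without writing it)")
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"{path}: empty or invalid JSON: {exc}") from exc
    if not isinstance(data, list):
        raise ValueError(f"{path}: expected a JSON array of findings")
    return data

def summarize(findings):
    """Return (count per severity, findings sorted most severe first)."""
    rank = {name: i for i, name in enumerate(SEVERITIES)}
    counts = Counter(f.get("severity", "unknown") for f in findings)
    return counts, sorted(findings, key=lambda f: rank.get(f.get("severity"), len(SEVERITIES)))

def main(argv):
    path = argv[1] if len(argv) > 1 else "gl-code-quality-report.json"
    try:
        counts, ordered = summarize(load_report(path))
    except ValueError as exc:
        print(f"code quality gate: {exc}", file=sys.stderr)
        return 2  # non-zero so the CI job fails instead of passing silently
    for f in ordered:
        print(f.get("severity"), f.get("location", {}).get("path"), f.get("description"))
    print(dict(counts))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last command of the job's `script:` so that a missing report turns the job red. With `allow_failure: true`, as in the question, that failure is shown as a warning and does not stop the pipeline.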
