gitlab-org--gitlab-foss/doc/ci/examples/code_quality.md

---
disqus_identifier: 'https://docs.gitlab.com/ee/ci/examples/code_climate.html'
type: reference, howto
---

# Analyze your project's Code Quality

CAUTION: **Caution:**
The job definition shown below is supported on GitLab 11.11 and later versions.
It also requires the GitLab Runner 11.5 or later.
For earlier versions, use the [previous job definitions](#previous-job-definitions).

This example shows how to run Code Quality on your code by using GitLab CI/CD
and Docker.

First, you need GitLab Runner with
[docker-in-docker executor](../docker/using_docker_build.md#use-docker-in-docker-workflow-with-docker-executor).

Once you set up the Runner, include the CodeQuality template in your CI config:

```yaml
include:
  - template: Code-Quality.gitlab-ci.yml
```

The above example will create a `code_quality` job in your CI/CD pipeline which
will scan your source code for code quality issues. The report will be saved as a
[Code Quality report artifact](../yaml/README.md#artifactsreportscodequality-starter)
that you can later download and analyze.
Due to implementation limitations we always take the latest Code Quality artifact available.

TIP: **Tip:**
For [GitLab Starter][ee] users, this information will be automatically
extracted and shown right in the merge request widget.
[Learn more on Code Quality in merge requests](../../user/project/merge_requests/code_quality.md).

CAUTION: **Caution:**
On self-managed instances, if a malicious actor compromises the Code Quality job
definition they will be able to execute privileged docker commands on the Runner
host. Having proper access control policies mitigates this attack vector by
allowing access only to trusted actors.

## Previous job definitions

CAUTION: **Caution:**
Before GitLab 11.5, Code Quality job and artifact had to be named specifically
to automatically extract report data and show it in the merge request widget.
While these old job definitions are still maintained they have been deprecated
and may be removed in next major release, GitLab 12.0.
You are advised to update your current `.gitlab-ci.yml` configuration to reflect that change.

For GitLab 11.5 and earlier, the job should look like:

```yaml
code_quality:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SOURCE_CODE="$PWD"
        --volume "$PWD":/code
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
```

For GitLab 11.4 and earlier, the job should look like:

```yaml
code_quality:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SOURCE_CODE="$PWD"
        --volume "$PWD":/code
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  artifacts:
      paths: [gl-code-quality-report.json]
```

Alternatively the job name could be `codeclimate` or `codequality`
and the artifact name could be `codeclimate.json`.
These names have been deprecated with GitLab 11.0
and may be removed in next major release, GitLab 12.0.

For GitLab 10.3 and earlier, the job should look like:

```yaml
codequality:
  image: docker:latest
  variables:
    DOCKER_DRIVER: overlay
  services:
    - docker:dind
  script:
    - docker pull codeclimate/codeclimate:0.69.0
    - docker run --env CODECLIMATE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp/cc:/tmp/cc codeclimate/codeclimate:0.69.0 init
    - docker run --env CODECLIMATE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp/cc:/tmp/cc codeclimate/codeclimate:0.69.0 analyze -f json > codeclimate.json || true
  artifacts:
    paths: [codeclimate.json]
```

[cli]: https://github.com/codeclimate/codeclimate
[ee]: https://about.gitlab.com/pricing/
Doc types on tutorials in top level examples folder, minor edits Variety of edits to conform with SSOT doc style standards 2019-06-11 16:39:26 +00:00			`---`
Replace redirect_from with disqus_identifier in docs Let's use disqus_identifier since this is a more descriptive name. We will need redirect_from for another purpose anyway (Nanoc redirects). 2019-08-07 21:25:18 +00:00			`disqus_identifier: 'https://docs.gitlab.com/ee/ci/examples/code_climate.html'`
Doc types on tutorials in top level examples folder, minor edits Variety of edits to conform with SSOT doc style standards 2019-06-11 16:39:26 +00:00			`type: reference, howto`
			`---`

Rename code climate to code quality 2018-07-10 12:39:55 +00:00			`# Analyze your project's Code Quality`

Document new report types 2018-11-13 16:09:10 +00:00			`CAUTION: Caution:`
Update CodeQuality example docs 2019-04-17 09:25:18 +00:00			`The job definition shown below is supported on GitLab 11.11 and later versions.`
Document new report types 2018-11-13 16:09:10 +00:00			`It also requires the GitLab Runner 11.5 or later.`
			`For earlier versions, use the [previous job definitions](#previous-job-definitions).`

Rename code climate to code quality 2018-07-10 12:39:55 +00:00			`This example shows how to run Code Quality on your code by using GitLab CI/CD`
			`and Docker.`

Document new report types 2018-11-13 16:09:10 +00:00			`First, you need GitLab Runner with`
Update docker title for docker-in-docker workflow `docker-in-docker` is a workflow not an specific executor. It uses the [Docker executor](https://docs.gitlab.com/runner/executors/docker.html). 2019-07-30 08:31:58 +00:00			`[docker-in-docker executor](../docker/using_docker_build.md#use-docker-in-docker-workflow-with-docker-executor).`
Rename code climate to code quality 2018-07-10 12:39:55 +00:00
Update CodeQuality example docs 2019-04-17 09:25:18 +00:00			`Once you set up the Runner, include the CodeQuality template in your CI config:`
Rename code climate to code quality 2018-07-10 12:39:55 +00:00
			```yaml
Update CodeQuality example docs 2019-04-17 09:25:18 +00:00			`include:`
			`- template: Code-Quality.gitlab-ci.yml`
Rename code climate to code quality 2018-07-10 12:39:55 +00:00			```

			The above example will create a `code_quality` job in your CI/CD pipeline which
Document new report types 2018-11-13 16:09:10 +00:00			`will scan your source code for code quality issues. The report will be saved as a`
Docs: Fix link references for artifacts 2019-02-03 22:26:09 +00:00			`[Code Quality report artifact](../yaml/README.md#artifactsreportscodequality-starter)`
Document new report types 2018-11-13 16:09:10 +00:00			`that you can later download and analyze.`
			`Due to implementation limitations we always take the latest Code Quality artifact available.`
Rename code climate to code quality 2018-07-10 12:39:55 +00:00
			`TIP: Tip:`
Document new report types 2018-11-13 16:09:10 +00:00			`For [GitLab Starter][ee] users, this information will be automatically`
			`extracted and shown right in the merge request widget.`
Convert absolute links to relative in /ci docs Fix more links after review Update redirect_from link Apply suggestion to doc/ci/introduction/index.md Apply suggestion to doc/ci/README.md Apply suggestion to doc/ci/README.md Make front matter redirect_from links absolute Change front matter to fix discus comments 2019-06-03 00:28:07 +00:00			`[Learn more on Code Quality in merge requests](../../user/project/merge_requests/code_quality.md).`
Rename code climate to code quality 2018-07-10 12:39:55 +00:00
Document Code Quality potential security flaw 2019-07-26 17:54:00 +00:00			`CAUTION: Caution:`
			`On self-managed instances, if a malicious actor compromises the Code Quality job`
			`definition they will be able to execute privileged docker commands on the Runner`
			`host. Having proper access control policies mitigates this attack vector by`
			`allowing access only to trusted actors.`

Document new report types 2018-11-13 16:09:10 +00:00			`## Previous job definitions`

Rename code climate to code quality 2018-07-10 12:39:55 +00:00			`CAUTION: Caution:`
Document new report types 2018-11-13 16:09:10 +00:00			`Before GitLab 11.5, Code Quality job and artifact had to be named specifically`
			`to automatically extract report data and show it in the merge request widget.`
			`While these old job definitions are still maintained they have been deprecated`
			`and may be removed in next major release, GitLab 12.0.`
			You are advised to update your current `.gitlab-ci.yml` configuration to reflect that change.

Update CodeQuality example docs 2019-04-17 09:25:18 +00:00			`For GitLab 11.5 and earlier, the job should look like:`

			```yaml
			`code_quality:`
			`image: docker:stable`
			`variables:`
			`DOCKER_DRIVER: overlay2`
			`allow_failure: true`
			`services:`
			`- docker:stable-dind`
			`script:`
			`- export SP_VERSION=$(echo "$CI_SERVER_VERSION" \| sed 's/^\([0-9]\)\.\([0-9]\).*/\1-\2-stable/')`
			`- docker run`
			`--env SOURCE_CODE="$PWD"`
			`--volume "$PWD":/code`
			`--volume /var/run/docker.sock:/var/run/docker.sock`
			`"registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code`
			`artifacts:`
			`reports:`
			`codequality: gl-code-quality-report.json`
			```

Document new report types 2018-11-13 16:09:10 +00:00			`For GitLab 11.4 and earlier, the job should look like:`

			```yaml
			`code_quality:`
			`image: docker:stable`
			`variables:`
			`DOCKER_DRIVER: overlay2`
			`allow_failure: true`
			`services:`
			`- docker:stable-dind`
			`script:`
			`- export SP_VERSION=$(echo "$CI_SERVER_VERSION" \| sed 's/^\([0-9]\)\.\([0-9]\).*/\1-\2-stable/')`
			`- docker run`
			`--env SOURCE_CODE="$PWD"`
			`--volume "$PWD":/code`
			`--volume /var/run/docker.sock:/var/run/docker.sock`
			`"registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code`
			`artifacts:`
			`paths: [gl-code-quality-report.json]`
			```

			Alternatively the job name could be `codeclimate` or `codequality`
			and the artifact name could be `codeclimate.json`.
			`These names have been deprecated with GitLab 11.0`
			`and may be removed in next major release, GitLab 12.0.`

			`For GitLab 10.3 and earlier, the job should look like:`

			```yaml
			`codequality:`
			`image: docker:latest`
			`variables:`
			`DOCKER_DRIVER: overlay`
			`services:`
			`- docker:dind`
			`script:`
			`- docker pull codeclimate/codeclimate:0.69.0`
			`- docker run --env CODECLIMATE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp/cc:/tmp/cc codeclimate/codeclimate:0.69.0 init`
			`- docker run --env CODECLIMATE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp/cc:/tmp/cc codeclimate/codeclimate:0.69.0 analyze -f json > codeclimate.json \|\| true`
			`artifacts:`
			`paths: [codeclimate.json]`
			```
Rename code climate to code quality 2018-07-10 12:39:55 +00:00
			`[cli]: https://github.com/codeclimate/codeclimate`
			`[ee]: https://about.gitlab.com/pricing/`