kosli-dev · ToreMerkely · Sep 26, 2024 · Sep 5, 2024 · Sep 26, 2024 · Sep 26, 2024
diff --git a/cmd/kosli/attestSonar.go b/cmd/kosli/attestSonar.go
@@ -34,12 +34,15 @@ Retrieves results for the specified scan from SonarCloud or SonarQube and attest
 The results are parsed to find the status of the project's quality gate which is used to determine the attestation's compliance status.
 
 The scan to be retrieved can be specified in two ways:
-1. Using metadata created by the Sonar scanner. By default this is located within a temporary .scannerwork folder in the repo base directory.
+1. (Default) Using metadata created by the Sonar scanner. By default this is located within a temporary .scannerwork folder in the repo base directory.
 If you have overriden the location of this folder by passing parameters to the Sonar scanner, or are running Kosli's CLI locally outside the repo's base directory,
 you can provide the correct path using the --sonar-working-dir flag. This metadata is generated by a specific scan, allowing Kosli to retrieve the results of that scan.
 2. Providing the Sonar project key and the revision of the scan (plus the SonarQube server URL if relevant). If running the Kosli CLI in some CI/CD pipeline, the revision
 is defaulted to the commit SHA. If you are running the command locally, or have overriden the revision in SonarCloud/SonarQube via parameters to the Sonar scanner, you can
 provide the correct revision using the --sonar-revision flag. Kosli then finds the scan results for the specified project key and revision.
+
+Note that if your project is very large and you are using SonarCloud's automatic analysis, it is possible for the attest sonar command to run before the SonarCloud scan is completed.
+In this case, we recommend using Kosli's Sonar webhook integration ( https://docs.kosli.com/integrations/sonar/ ) rather than the CLI to attest the scan results.
 ` + attestationBindingDesc
 
 const attestSonarExample = `

diff --git a/docs.kosli.com/content/integrations/sonar.md b/docs.kosli.com/content/integrations/sonar.md
@@ -68,7 +68,7 @@ $ sonar scanner \
 ```
 
 
-### Possible scanner parameters:
+### Scanner parameters:
 - `sonar.analysis.kosli_flow=<YourFlowName>`
     - The name of the Flow relevant to your project. If a Flow does not already exist with the given name, it is created. If no Flow name is provided, the project key of your project in SonarCloud/SonarQube is used as the name (with any invalid symbols replaced by '-').
 - `sonar.analysis.kosli_trail=<YourTrailName>`
@@ -87,5 +87,11 @@ $ sonar scanner \
 To test the webhook once configured, simply scan a project in SonarCloud or SonarQube. If successful, the results of the scan will be attested to the relevant Flow and Trail (and artifact, if applicable) as a sonar attestation. <br>
 If the webhook fails, check that you have passed the parameters to the scanner correctly, and that the trail name, attestation name and artifact fingerprint are valid.
 
+## Live Example in CI system
+View an example of a sonar attestation via webhook in Github.
+
+In [this YAML file](https://app.kosli.com/api/v2/livedocs/cyber-dojo/yaml?ci=github&command=-Dsonar.analysis.kosli_flow), which created [this Kosli event](https://app.kosli.com/api/v2/livedocs/cyber-dojo/event?ci=github&command=-Dsonar.analysis.kosli_flow). 
+
+
 ## Alternatives:
 If you'd rather not use webhooks, or they don't quite fit your use-case, we also have a [CLI command](/client_reference/kosli_attest_sonar/) for attesting Sonar scan results to Kosli.