This SonarSource project, available as a CodeCatalyst Action, scans your projects with SonarQube Cloud, and helps developers produce Clean Code.
SonarQube Cloud is a widely used static analysis solution for continuous code quality and security inspection. It helps developers identify and fix issues in their code that could lead to bugs, vulnerabilities, or decreased development velocity. SonarQube Cloud supports the most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and many more.
- Create your account on SonarQube Cloud. Sign up for free now if you haven't already.
- The repository to analyze is set up on SonarQube Cloud. Set it up in just one click.
Project metadata, including the location of the sources to be analyzed, must be declared in the file sonar-project.properties in the base directory:
sonar.organization=<replace with your SonarQube Cloud organization key>
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Cloud>
# This is the name and version displayed in the SonarQube Cloud UI.
#sonar.projectName=windows-msbuild-gh-actions-sq
#sonar.projectVersion=1.0
sonar.exclusions=venv/**
# relative paths to source directories. More details and properties are described
# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/
sonar.sources=.
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8
The workflow, usually declared in .codecatalyst/workflows/build.yaml, looks like:
Name: SonarCloudAnalysis
SchemaVersion: "1.0"
# Optional - Set automatic triggers.
Triggers:
  - Type: Push
# Required - Define action configurations.
Actions:
  SonarCloudScanAction:
    # Identifies the action. Do not modify this value.
    Identifier: sonar/sonarcloud-scan@v1.0.0
    # Specifies the source and/or artifacts to pass to the action as input.
    Inputs:
      # Required
      Sources:
        - WorkflowSource # This specifies that the action requires this Workflow as a source
    Compute:
      Type: EC2
    # Defines the action's properties.
    Configuration:
      SonarToken: ${Secrets.SONAR_TOKEN}
When your workflow runs, the SonarQube Cloud Scan will execute and send analysis results to SonarQube Cloud.
- SonarToken – Required. This is the token used to authenticate access to SonarQube Cloud. You can generate a token on your Security page in SonarQube Cloud. You can set the SONAR_TOKEN environment variable in the "Secrets" settings page of your repository.
- SonarOrganization – Optional. The key of the SonarQube Cloud organization to which the project belongs. If not provided, the organization key will be read from the sonar-project.properties file.
- SonarProjectKey – Optional. The key of the project on SonarQube Cloud. If not provided, the project key will be read from the sonar-project.properties file.
- SonarBranchName – Optional. The name of the branch being analyzed.
- SonarProjectBaseDir – Optional. The base directory of the project to analyze. If not provided, the base directory will be the root of the repository.
- SonarAdditionalArgs – Optional. Additional arguments to pass to the SonarScanner CLI. For example, -Dsonar.verbose=true to enable verbose logging.
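As an added pre-commit check (not part of this project's code), the Python script below parses a sonar-project.properties file and the CodeCatalyst workflow and flags unfilled template placeholders, a SonarToken that is not read from workflow Secrets, and an action Identifier that is not pinned to a release. The sample file contents are constructed for this example.

```python
import re

# Constructed sample inputs: a filled-in and a template-only properties file,
# and a workflow whose token/identifier are correct versus one where they are not.
GOOD_PROPERTIES = "sonar.organization=example-org\nsonar.projectKey=example-org_example-project\nsonar.sources=.\n"
BAD_PROPERTIES = "sonar.organization=<replace with your SonarQube Cloud organization key>\nsonar.sources=.\n"
GOOD_WORKFLOW = "Actions:\n  SonarCloudScanAction:\n    Identifier: sonar/sonarcloud-scan@v1.0.0\n    Configuration:\n      SonarToken: ${Secrets.SONAR_TOKEN}\n"
BAD_WORKFLOW = "Actions:\n  SonarCloudScanAction:\n    Identifier: sonar/sonarcloud-scan@latest\n    Configuration:\n      SonarToken: CONSTRUCTED-LITERAL-TOKEN\n"

# Template placeholders look like "<replace with ...>"; the action must be pinned as sonar/sonarcloud-scan@vX.Y.Z.
PLACEHOLDER = re.compile(r"<replace with .*>")
PINNED_ACTION = re.compile(r"sonar/sonarcloud-scan@v\d+\.\d+\.\d+$")


def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def check_properties(text):
    """Report required keys that are missing or still carry the template placeholder."""
    props = parse_properties(text)
    problems = []
    for key in ("sonar.organization", "sonar.projectKey", "sonar.sources"):
        if key not in props:
            problems.append(f"{key} is missing")
        elif PLACEHOLDER.search(props[key]):
            problems.append(f"{key} still holds the placeholder value")
    return problems


def check_workflow(text):
    """Line-based workflow checks (no YAML parser needed for these two keys)."""
    problems = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if sep and key == "SonarToken" and not value.startswith("${Secrets."):
            problems.append("SonarToken must reference a workflow secret, not a literal token")
        elif sep and key == "Identifier" and not PINNED_ACTION.match(value):
            problems.append(f"action identifier is not pinned to a release: {value}")
    return problems
```

Run both checks on the real files before committing; an empty list from each means the configuration matches the layout shown above.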
- Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922:sonar' during the build (more info in the SonarScanner for Maven documentation)
- Your code is built with Gradle: use the SonarScanner for Gradle during the build
- You want to analyze a .NET solution: follow our interactive tutorial for other CIs
- You want to analyze C and C++ code: rely on our SonarQube Cloud Scan for C and C++ and look at our sample C and C++ project
To provide feedback (requesting a feature or reporting a bug) please post on the SonarSource Community Forum with the tag sonarcloud.
The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License.
Container images built with this project include third-party materials.