SONAR-14822 Provide a GitHub Action to scan a project
parent 1ef5bf722a
commit 71de302835
@ -0,0 +1,2 @@
.idea
.DS_Store
@ -0,0 +1,20 @@
FROM sonarsource/sonar-scanner-cli:4.6

LABEL version="1.0.0" \
      repository="https://github.com/sonarsource/sonarqube-scan-action" \
      homepage="https://github.com/sonarsource/sonarqube-scan-action" \
      maintainer="SonarSource" \
      com.github.actions.name="SonarQube Scan" \
      com.github.actions.description="Scan your code with SonarQube to detect Bugs, Vulnerabilities and Code Smells in more than 27 programming languages!" \
      com.github.actions.icon="check" \
      com.github.actions.color="green"

# Set up local envs in order to allow for special chars (non-asci) in filenames.
ENV LC_ALL="C.UTF-8"

# https://help.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
USER root

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
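Review bot: `FROM sonarsource/sonar-scanner-cli:4.6` pins a mutable tag, and since action.yml uses `image: Dockerfile` the image is rebuilt inside each consumer's workflow, so whatever that tag resolves to on that day is what receives the consumer's `SONAR_TOKEN` and source tree; pin to an immutable digest as well (`FROM sonarsource/sonar-scanner-cli:4.6@sha256:<digest>`, with the digest taken from the registry) and bump it on purpose. The `com.github.actions.*` labels duplicate the `name`, `description` and `branding` fields in action.yml, which is the metadata GitHub reads for this action, so either drop them or keep the two in sync. `USER root` is justified by the linked page, but a one-line comment saying that GitHub requires Docker actions to run as root would save the reader a trip to the URL.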
@ -0,0 +1,165 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.


This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.

0. Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.

"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.

An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.

A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".

The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.

The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.

1. Exception to Section 3 of the GNU GPL.

You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.

2. Conveying Modified Versions.

If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:

a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or

b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.

3. Object Code Incorporating Material from Library Header Files.

The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:

a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.

b) Accompany the object code with a copy of the GNU GPL and this license
document.

4. Combined Works.

You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:

a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.

b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.

c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.

d) Do one of the following:

0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.

1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.

e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)

5. Combined Libraries.

You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:

a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.

b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.

6. Revised Versions of the GNU Lesser General Public License.

The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.

If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.
README.md
@ -1 +1,102 @@
# sonarqube-scan-action
# Scan your code with SonarQube

Using this GitHub Action, scan your code with [SonarQube](https://www.sonarqube.org/) to detects Bugs, Vulnerabilities and Code Smells in more than 27 programming languages!

<img src="./images/SonarQube-72px.png">

SonarQube is the leading product for Continuous Code Quality & Code Security. It supports most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and many more.

## Requirements

The repository to analyze is set up on SonarQube.

## Usage

Project metadata, including the location to the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:

```properties
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube>

# relative paths to source directories. More details and properties are described
# in https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
sonar.sources=.
```

The workflow, usually declared in `.github/workflows/build.yml`, looks like:

```yaml
on:
  # Trigger analysis when pushing in master or pull requests, and when creating
  # a pull request.
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
      uses: sonarsource/sonarqube-scan-action@master
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```

You can change the analysis base directory by using the optional input `projectBaseDir` like this:

```yaml
uses: sonarsource/sonarqube-scan-action@master
with:
  projectBaseDir: app/src
```

In case you need to add additional analysis parameters, you can use the `args` option:

```yaml
- name: Analyze with SonarQube
  uses: sonarsource/sonarqube-scan-action@master
  with:
    projectBaseDir: app/src
    args: >
      -Dsonar.projectKey=my-projectkey
      -Dsonar.python.coverage.reportPaths=coverage.xml
      -Dsonar.sources=lib/
      -Dsonar.test.exclusions=tests/**
      -Dsonar.tests=tests/
      -Dsonar.verbose=true
```

More information about possible analysis parameters can be found in [the documentation](https://docs.sonarqube.org/latest/analysis/analysis-parameters/).

### Environment variables

- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens [here](https://docs.sonarqube.org/latest/user-guide/user-token/). You should set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository.
- `SONAR_HOST_URL` – **Required** this tells the scanner where SonarQube is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository.

## Example of pull request analysis

<img src="./images/SonarQube-analysis-in-Checks.png">

## Do not use this GitHub action if you are in the following situations

* Your code is built with Maven. Read the documentation about our [Scanner for Maven](https://redirect.sonarsource.com/doc/install-configure-scanner-maven.html).
* Your code is built with Gradle. Read the documentation about our [Scanner for Gradle](https://redirect.sonarsource.com/doc/gradle.html).
* You want to analyze a .NET solution. Read the documentation about our [Scanner for .NET](https://redirect.sonarsource.com/doc/install-configure-scanner-msbuild.html).
* You want to analyze C/C++ code. Read the documentation on [analyzing C/C++ code](https://docs.sonarqube.org/latest/analysis/languages/cfamily/).

## Have question or feedback?

To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sq/github-actions).

## License

The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License.

Container images built with this project include third party materials.
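Review bot: all three workflow snippets reference the action as `sonarsource/sonarqube-scan-action@master`, a moving branch, so every consumer runs whatever lands there next with their `SONAR_TOKEN` and `SONAR_HOST_URL` in the container environment; cut a release tag (the Dockerfile already carries `version="1.0.0"`) and show `uses: sonarsource/sonarqube-scan-action@v1`, or a full commit SHA, instead. Two documentation gaps: the `pull_request` trigger shown will fail for pull requests opened from forks, because GitHub does not expose repository secrets to those runs and entrypoint.sh exits 1 when `SONAR_TOKEN` is empty; and the "Do not use this GitHub action" section should say that entrypoint.sh is also written to exit 1 when it finds a `pom.xml` or `build.gradle` in the base directory, so users know that failure is deliberate. Minor: `SONAR_HOST_URL` is not a secret, so the text could note it may equally be set as a plain `env` value; and "to detects Bugs" in the intro should read "to detect Bugs".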
@ -0,0 +1,17 @@
name: SonarQube Scan
description: >
  Scan your code with SonarQube to detect Bugs, Vulnerabilities and Code Smells in more than 27 programming languages!
branding:
  icon: check
  color: green
runs:
  using: docker
  image: Dockerfile
inputs:
  args:
    description: Additional arguments to the sonar-scanner
    required: false
  projectBaseDir:
    description: Set the sonar.projectBaseDir analysis property
    required: false
    default: .
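Review bot: the `args` description ("Additional arguments to the sonar-scanner") should say how the value is consumed: entrypoint.sh expands `${INPUT_ARGS}` unquoted, so the string is split on whitespace and each word becomes a separate scanner argument, which is what makes the multi-line `args: >` example in the README work but also means a single `-D` value containing spaces cannot be passed. Likewise `projectBaseDir` is resolved relative to the container's working directory, which GitHub sets to the checked-out workspace for Docker actions, and that is worth stating next to the default `.`.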
@ -0,0 +1,27 @@
#!/bin/bash

set -e

if [[ -z "${SONAR_TOKEN}" ]]; then
  echo "This GitHub Action requires the SONAR_TOKEN env variable."
  exit 1
fi

if [[ -z "${SONAR_HOST_URL}" ]]; then
  echo "This GitHub Action requires the SONAR_HOST_URL env variable."
  exit 1
fi

if [[ -f "${INPUT_PROJECTBASEDIR%/}pom.xml" ]]; then
  echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
  exit 1
fi

if [[ -f "${INPUT_PROJECTBASEDIR%/}build.gradle" ]]; then
  echo "Gradle project detected. You should use the SonarQube plugin for Gradle during build rather than using this GitHub Action."
  exit 1
fi

unset JAVA_HOME

sonar-scanner -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}
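Review bot: the Maven and Gradle guards never fire as written: `${INPUT_PROJECTBASEDIR%/}pom.xml` strips a trailing slash and then appends the file name with no separator, so the default `.` yields `.pom.xml` and `app/src` yields `app/srcpom.xml`; the tests should read `"${INPUT_PROJECTBASEDIR%/}/pom.xml"` and `"${INPUT_PROJECTBASEDIR%/}/build.gradle"`. Two smaller points: the error messages go to stdout, so send them to stderr (`echo "..." >&2`) to keep them out of the scanner output; and `-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}` is unquoted, so a base directory containing a space is split into several arguments, whereas `${INPUT_ARGS}` must stay unquoted because it deliberately carries several arguments. `unset JAVA_HOME` also deserves a one-line comment saying why it is needed, since nothing in the script or the README explains it.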
Binary file not shown. After: 9.7 KiB
Binary file not shown. After: 222 KiB