Scan and analyze GitHub repository with SonarQube Cloud

Setup

Automatic Analysis

1. Follow the docs under SonarQube Cloud - Getting Started with GitHub to setup SonarQube Cloud with GitHub
   1. Sign up at SonarQube Cloud
   2. Click Import another organization
   3. Select your personal GitHub account or the organization that contains the repository you want to scan
   4. When reaching the Create your SonarQube Cloud organization page adjust/update data and click Create organization
   5. On Analyze projects page select the repository you want to scan and click Set Up
   6. On Set up project for Clean as You Code page select the desired code definition and click Create project
2. After completing the setup, the repository will be scanned automatically and you will see the results on the SonarQube Cloud dashboard

CI-based analysis

To set up CI-based analysis with GitHub actions ...

• ... either follow the instructions (guided wizard) under https://sonarcloud.io/project/analysis_method?id=SONAR_CLOUD_PROJECT_ID
• ... or use the official sonarqube-scan-action

Include languages other than C#

To include i.e. terraform files in the analysis of SonarScanner for .NET, the following adjustments are required.

1. Extend the dotnet-sonarscanner begin command with project base dir argument /d:sonar.projectBaseDir="D:\a\GITHUB_PROJECT_NAME\GITHUB_PROJECT_NAME" where GITHUB_PROJECT_NAME is the name of the GitHub project

2. Include the corresponding source files/folders in one of the projects csproj file

   <ItemGroup>
      <!-- This is required to include terraform files in SonarQube Cloud analysis -->
      <Content Include="..\..\deploy\**\*.tf" Visible="false">
         <CopyToOutputDirectory>Never</CopyToOutputDirectory>
      </Content>
   </ItemGroup>

   For more details see here

Include .NET test coverage

To include .NET test coverage in the analysis of SonarScanner for .NET, the following adjustments are required in the GitHub actions workflow (see .github\workflows\quality.yml).

# Install dotnet-coverage
- name: Install dotnet-coverage
  shell: pwsh
  run: |
    dotnet tool install --global dotnet-coverage
- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  shell: pwsh
  run: |
    $ErrorActionPreference = "Stop"
    $PSNativeCommandUseErrorActionPreference = $true
  # Add /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml
    ${{ runner.temp }}\scanner\dotnet-sonarscanner begin /k:"rufer7_github-sonarcloud-integration" /o:"rufer7" /d:sonar.token="$env:SONAR_TOKEN" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.projectBaseDir="D:\a\github-sonarcloud-integration\github-sonarcloud-integration" /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml /d:sonar.terraform.provider.azure.version=3.100.0
    dotnet build .\src\ArbitrarySolution.sln --configuration Release
  # Execute tests and collect coverage
    dotnet-coverage collect 'dotnet test .\src\ArbitraryProject.Tests\ArbitraryProject.Tests.csproj' -f xml -o 'coverage.xml'
    ${{ runner.temp }}\scanner\dotnet-sonarscanner end /d:sonar.token="$env:SONAR_TOKEN"

Scan Results

SonarQube Cloud

The scan results can be viewed on the SonarQube Cloud dashboard

GitHub

Security hotspots detected by SonarQube Cloud can be viewed directly on the GitHub repository under Security tab in the Code scanning section

Example

Pull Request (GitHub)

Pull request analysis results can be found directly on the pull requests.

For an example, see here

Useful Links

• SonarQube Cloud - Getting Started with GitHub
• Pull request analysis
• .NET test coverage
• Github action should fail on authentication error
• Analysis of product projects vs. test projects
• Parameters not settable in the UI