How to Integrate SonarQube with GitHub Actions | Automate Code Scan using SonarQube in GitHub Action

Рет қаралды 10,352

DevOps Coach

Күн бұрын

Пікірлер

@liban2 9 ай бұрын

Thank you! More DevSecOps videos please

@DevOpsCoach 9 ай бұрын

Sure

@nagababu3583 2 ай бұрын

Thanks for your information, This is very useful can you please do one more video for report automation for the same scanned projects.

@Aravinder34 10 ай бұрын

Good work sir👍🏻👍🏻

@DevOpsCoach 10 ай бұрын

Thank you, Keep watching! 👍

@rohannagar5263 2 ай бұрын

How can We exclude directories of our java project from the sonar scan? I have tried adding the code to exclude the directories and files in pom.xml file but it didn’t work.

@jasmiharidas758 6 ай бұрын

Hi, how to view code coverage on SonarQube interface? In this example, code coverage is mentioned as zero. so how to bring code coverage from zip file to interface?

@liban2 9 ай бұрын

Is it possible to fail workflow build if SonarQube finds vulnerabilities?

@DevOpsCoach 9 ай бұрын

yes, absolutely. I just uploaded a new video to cover this scenario.. thank you for recommending. kzbin.info/www/bejne/gKDGeaB_j56Wlbc

@barrientoscardenaslinofern4717 9 ай бұрын

Hi Sir, one question is it free to use SonarQube in Github Actions or I need to have the developer edition(pay version) of SonarQube?

@DevOpsCoach 9 ай бұрын

community edition is free to use with GitHub Actions

@ppharini9170 9 ай бұрын

Thanks for your response! But my question is, if we are analysing source code. Then we can include an analysis step before the maven clean install step right? In the pipeline, we are giving maven clean install, then sonar scan step.. Is that right? Does it mean, we are already converting the source code to deployable artifact na? Without sonar qube analysis?.. Which means.. We are already converting the source code to deployable artifact without sonar scan?

@DevOpsCoach 9 ай бұрын

you can also use one goal like --> mvn clean install sonar:sonar which will do both build and analysis at the same time

@naren06938 8 ай бұрын

Sir....here u mentioned manual trigger, but how can it automatically trigger by push in main branch?

@DevOpsCoach 8 ай бұрын

docs.github.com/en/actions/using-workflows/manually-running-a-workflow

@ppharini9170 9 ай бұрын

I have one question.. will the sonar qube analyze the source code or compliled code or deployable artifact (war or jar)? In this vedio, sonar qube analysis is giving after maven clean install. So in this case, war file is built before the sonar qube analysis. So does it mean sonar is analysing the deployable artifact?

@DevOpsCoach 9 ай бұрын

SonarQube does only static code analysis on source code only, not on build artifacts. Yes, WAR file is built using maven clean install but sonar:sonar goal will analyze source code only

@ppharini9170 9 ай бұрын

@KenAragorn 8 ай бұрын

Hi, thanks for this details video. However, we encounter some issue when running the GitHub Actions as below: ERROR: Error during SonarScanner execution org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property. We confirmed all the needed secrets keys and url has been provided in GitHub organization secrets (as we are using company Organization GitHub account), but it just showing the shared error - telling us it cannot proceed with the scanning due to this error. Can advise? Thanks.

@DevOpsCoach 8 ай бұрын

try something like this - sonar.exclusions=src/java/test/**

@kumarmummina2979 7 ай бұрын

sir, how to setup github app for this to run this action

@DevOpsCoach 28 күн бұрын

www.coachdevops.com/2019/05/setup-repo-and-create-java-project-in.html Refer the above link

@kumarmummina2979 7 ай бұрын

hello sir, I forked your repo & tested but the action is failing.

@DevOpsCoach 7 ай бұрын

what is the error? can you copy and paste the error here?

@kumarmummina2979 7 ай бұрын

@@DevOpsCoach github action unable to fetch sonar token & sonar host url secret from github repo while hardcoding secrets action itself working fiine.

@kumarmummina2979 7 ай бұрын

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties INFO: Project root configuration file: NONE INFO: SonarScanner 5.0.1.3006 INFO: Java 17.0.10 Alpine (64-bit) INFO: Linux 6.5.0-1018-azure amd64 INFO: User cache: /opt/sonar-scanner/.sonar/cache INFO: Analyzing on SonarQube server 10.0.0.68432 INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent) INFO: Load global settings INFO: ------------------------------------------------------------------------ INFO: EXECUTION FAILURE INFO: ------------------------------------------------------------------------ INFO: Total time: 2.837s ERROR: Error during SonarScanner execution ERROR: Not authorized. Please check the properties sonar.login and sonar.password. ERROR: ERROR: Re-run SonarScanner using the -X switch to enable full debug logging. INFO: Final Memory: 6M/40M

@ppharini9170 9 ай бұрын

Hi coach, Thanks for your response! But i guess you are not getting my question.. Here is my simple questions...could you please help me with the below questions. 1. Why do we need maven clean install step before including sonar qube analysis step in the github pipeline? 2. What sonar will analyze and give results. Will it analyze source code (.java) files or compiled code(.class files) or deployable artifact(jar/war)? 3. What mvn deloy sonar: sonar does? 4.Do we need any special access for creating a quality gate in sonar qube? 5.which is the best approach Executing all mvn commands in single line or executing all commands separately? Eg: Mvn clean compile test package Or Mvn clean Mvn compile Mvn test Mvn package Mvn install Man deploy

@DevOpsCoach 9 ай бұрын

i understand what you are asking brother...yes mvn clean install will build and package. but sonar:sonar will scan the source code after github actions checkout..it has full access to the source code. login to sonarqube, click on projects, click on code tab.