How to Integrate SonarQube with GitHub Actions | Automate Code Scan using SonarQube in GitHub Action

Рет қаралды 12,212

Күн бұрын

www.coachdevop...
Pre-requisites:
Make sure SonarQube is up and running
Make sure Java Project is setup in GitHub
How to integrate SonarQube with GitHub Actions:
We will be following below steps:
Create Token in SonarQube to authenticate with GitHub Actions
Add Sonar Token, SonarQube URL as Secrets in GitHub Actions
Create GitHub Actions CICD workflow yaml
Add tasks for Maven build and Sonar Scan
Run the workflow in GitHub hosted runner(Ubuntu)
Verify scan report in SonarQube

Пікірлер: 29

@liban2 11 ай бұрын

Thank you! More DevSecOps videos please

@DevOpsCoach 11 ай бұрын

Sure

@nagababu3583 3 ай бұрын

Thanks for your information, This is very useful can you please do one more video for report automation for the same scanned projects.

@Aravinder34 11 ай бұрын

Good work sir👍🏻👍🏻

@DevOpsCoach 11 ай бұрын

Thank you, Keep watching! 👍

@CesarCarranza-n3w Ай бұрын

Hello how can I find the setting I need to set up for yaml file for different frameworks than java?

@jasmiharidas758 8 ай бұрын

Hi, how to view code coverage on SonarQube interface? In this example, code coverage is mentioned as zero. so how to bring code coverage from zip file to interface?

@ppharini9170 10 ай бұрын

Thanks for your response! But my question is, if we are analysing source code. Then we can include an analysis step before the maven clean install step right? In the pipeline, we are giving maven clean install, then sonar scan step.. Is that right? Does it mean, we are already converting the source code to deployable artifact na? Without sonar qube analysis?.. Which means.. We are already converting the source code to deployable artifact without sonar scan?

@DevOpsCoach 10 ай бұрын

you can also use one goal like --> mvn clean install sonar:sonar which will do both build and analysis at the same time

@rohannagar5263 4 ай бұрын

How can We exclude directories of our java project from the sonar scan? I have tried adding the code to exclude the directories and files in pom.xml file but it didn’t work.

@ppharini9170 10 ай бұрын

Hi coach, Thanks for your response! But i guess you are not getting my question.. Here is my simple questions...could you please help me with the below questions. 1. Why do we need maven clean install step before including sonar qube analysis step in the github pipeline? 2. What sonar will analyze and give results. Will it analyze source code (.java) files or compiled code(.class files) or deployable artifact(jar/war)? 3. What mvn deloy sonar: sonar does? 4.Do we need any special access for creating a quality gate in sonar qube? 5.which is the best approach Executing all mvn commands in single line or executing all commands separately? Eg: Mvn clean compile test package Or Mvn clean Mvn compile Mvn test Mvn package Mvn install Man deploy

@DevOpsCoach 10 ай бұрын

i understand what you are asking brother...yes mvn clean install will build and package. but sonar:sonar will scan the source code after github actions checkout..it has full access to the source code. login to sonarqube, click on projects, click on code tab.

@naren06938 10 ай бұрын

Sir....here u mentioned manual trigger, but how can it automatically trigger by push in main branch?

@DevOpsCoach 10 ай бұрын

docs.github.com/en/actions/using-workflows/manually-running-a-workflow

@ppharini9170 10 ай бұрын

I have one question.. will the sonar qube analyze the source code or compliled code or deployable artifact (war or jar)? In this vedio, sonar qube analysis is giving after maven clean install. So in this case, war file is built before the sonar qube analysis. So does it mean sonar is analysing the deployable artifact?

@DevOpsCoach 10 ай бұрын

SonarQube does only static code analysis on source code only, not on build artifacts. Yes, WAR file is built using maven clean install but sonar:sonar goal will analyze source code only

@ppharini9170 10 ай бұрын

@liban2 11 ай бұрын

Is it possible to fail workflow build if SonarQube finds vulnerabilities?

@DevOpsCoach 11 ай бұрын

yes, absolutely. I just uploaded a new video to cover this scenario.. thank you for recommending. kzbin.info/www/bejne/gKDGeaB_j56Wlbc

@barrientoscardenaslinofern4717 11 ай бұрын

Hi Sir, one question is it free to use SonarQube in Github Actions or I need to have the developer edition(pay version) of SonarQube?

@DevOpsCoach 11 ай бұрын

community edition is free to use with GitHub Actions

@kumarmummina2979 9 ай бұрын

sir, how to setup github app for this to run this action

@DevOpsCoach 2 ай бұрын

www.coachdevops.com/2019/05/setup-repo-and-create-java-project-in.html Refer the above link

@KenAragorn 10 ай бұрын

Hi, thanks for this details video. However, we encounter some issue when running the GitHub Actions as below: ERROR: Error during SonarScanner execution org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property. We confirmed all the needed secrets keys and url has been provided in GitHub organization secrets (as we are using company Organization GitHub account), but it just showing the shared error - telling us it cannot proceed with the scanning due to this error. Can advise? Thanks.

@DevOpsCoach 10 ай бұрын

try something like this - sonar.exclusions=src/java/test/**

@kumarmummina2979 9 ай бұрын

hello sir, I forked your repo & tested but the action is failing.

@DevOpsCoach 9 ай бұрын

what is the error? can you copy and paste the error here?

@kumarmummina2979 9 ай бұрын

@@DevOpsCoach github action unable to fetch sonar token & sonar host url secret from github repo while hardcoding secrets action itself working fiine.

@kumarmummina2979 9 ай бұрын

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties INFO: Project root configuration file: NONE INFO: SonarScanner 5.0.1.3006 INFO: Java 17.0.10 Alpine (64-bit) INFO: Linux 6.5.0-1018-azure amd64 INFO: User cache: /opt/sonar-scanner/.sonar/cache INFO: Analyzing on SonarQube server 10.0.0.68432 INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent) INFO: Load global settings INFO: ------------------------------------------------------------------------ INFO: EXECUTION FAILURE INFO: ------------------------------------------------------------------------ INFO: Total time: 2.837s ERROR: Error during SonarScanner execution ERROR: Not authorized. Please check the properties sonar.login and sonar.password. ERROR: ERROR: Re-run SonarScanner using the -X switch to enable full debug logging. INFO: Final Memory: 6M/40M