Using this GitHub Action, scan your code with SonarQube to detects bugs, vulnerabilities and code smells.
- Have an SonarQube server.
Project metadata, including the location to the sources to be analyzed, must be declared in the file sonar-project.properties
in the base directory:
sonar.projectKey=myawesomeproject
sonar.sources=.
The workflow, usually declared in .github/workflows/build.yml
, looks like:
on: push
name: Main Workflow
jobs:
sonarQubeTrigger:
name: SonarQube Trigger
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: SonarQube Scan
uses: advancedcsg-open/action-ccq@master
env:
SONARQUBE_URL: 'https://mysonar.url'
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_TOKEN
– Required this is the token used to authenticate access to SonarCloud. You can set theSONAR_TOKEN
environment variable in the "Secrets" settings page of your repository.
- Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar' during the build
- Your code is built with Gradle: use the SonarQube plugin for Gradle during the build
- You want to analyze a .NET solution