How to Integrate SonarQube with GitHub Actions | Automate Code Scan using SonarQube in GitHub Action

Подписаться 20 тыс.

Просмотров 4,7 тыс.

50% 1

www.coachdevops.com/2024/02/h...
Pre-requisites:
Make sure SonarQube is up and running
Make sure Java Project is setup in GitHub
How to integrate SonarQube with GitHub Actions:
We will be following below steps:
Create Token in SonarQube to authenticate with GitHub Actions
Add Sonar Token, SonarQube URL as Secrets in GitHub Actions
Create GitHub Actions CICD workflow yaml
Add tasks for Maven build and Sonar Scan
Run the workflow in GitHub hosted runner(Ubuntu)
Verify scan report in SonarQube

Наука

Опубликовано:

15 фев 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 25

@liban2 4 месяца назад

Thank you! More DevSecOps videos please

@DevOpsCoach 4 месяца назад

Sure

@adithyak7630 4 месяца назад

Good work sir👍🏻👍🏻

@jasmiharidas758 Месяц назад

Hi, how to view code coverage on SonarQube interface? In this example, code coverage is mentioned as zero. so how to bring code coverage from zip file to interface?

@ppharini9170 3 месяца назад

Thanks for your response! But my question is, if we are analysing source code. Then we can include an analysis step before the maven clean install step right? In the pipeline, we are giving maven clean install, then sonar scan step.. Is that right? Does it mean, we are already converting the source code to deployable artifact na? Without sonar qube analysis?.. Which means.. We are already converting the source code to deployable artifact without sonar scan?

@DevOpsCoach 3 месяца назад

you can also use one goal like --> mvn clean install sonar:sonar which will do both build and analysis at the same time

@ppharini9170 4 месяца назад

I have one question.. will the sonar qube analyze the source code or compliled code or deployable artifact (war or jar)? In this vedio, sonar qube analysis is giving after maven clean install. So in this case, war file is built before the sonar qube analysis. So does it mean sonar is analysing the deployable artifact?

@DevOpsCoach 4 месяца назад

SonarQube does only static code analysis on source code only, not on build artifacts. Yes, WAR file is built using maven clean install but sonar:sonar goal will analyze source code only

@ppharini9170 3 месяца назад

@kumarmummina2979 2 месяца назад

sir, how to setup github app for this to run this action

@naren06938 3 месяца назад

Sir....here u mentioned manual trigger, but how can it automatically trigger by push in main branch?

@DevOpsCoach 3 месяца назад

docs.github.com/en/actions/using-workflows/manually-running-a-workflow

@barrientoscardenaslinofern4717 4 месяца назад

Hi Sir, one question is it free to use SonarQube in Github Actions or I need to have the developer edition(pay version) of SonarQube?

@DevOpsCoach 4 месяца назад

community edition is free to use with GitHub Actions

@liban2 4 месяца назад

Is it possible to fail workflow build if SonarQube finds vulnerabilities?

@DevOpsCoach 4 месяца назад

yes, absolutely. I just uploaded a new video to cover this scenario.. thank you for recommending. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-JocHmIZ9c_U.html

@KenAragorn 3 месяца назад

Hi, thanks for this details video. However, we encounter some issue when running the GitHub Actions as below: ERROR: Error during SonarScanner execution org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property. We confirmed all the needed secrets keys and url has been provided in GitHub organization secrets (as we are using company Organization GitHub account), but it just showing the shared error - telling us it cannot proceed with the scanning due to this error. Can advise? Thanks.

@DevOpsCoach 3 месяца назад

try something like this - sonar.exclusions=src/java/test/**

@kumarmummina2979 2 месяца назад

hello sir, I forked your repo & tested but the action is failing.

@DevOpsCoach 2 месяца назад

what is the error? can you copy and paste the error here?

@kumarmummina2979 2 месяца назад

@@DevOpsCoach github action unable to fetch sonar token & sonar host url secret from github repo while hardcoding secrets action itself working fiine.

@kumarmummina2979 2 месяца назад

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties INFO: Project root configuration file: NONE INFO: SonarScanner 5.0.1.3006 INFO: Java 17.0.10 Alpine (64-bit) INFO: Linux 6.5.0-1018-azure amd64 INFO: User cache: /opt/sonar-scanner/.sonar/cache INFO: Analyzing on SonarQube server 10.0.0.68432 INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent) INFO: Load global settings INFO: ------------------------------------------------------------------------ INFO: EXECUTION FAILURE INFO: ------------------------------------------------------------------------ INFO: Total time: 2.837s ERROR: Error during SonarScanner execution ERROR: Not authorized. Please check the properties sonar.login and sonar.password. ERROR: ERROR: Re-run SonarScanner using the -X switch to enable full debug logging. INFO: Final Memory: 6M/40M

@ppharini9170 3 месяца назад

Hi coach, Thanks for your response! But i guess you are not getting my question.. Here is my simple questions...could you please help me with the below questions. 1. Why do we need maven clean install step before including sonar qube analysis step in the github pipeline? 2. What sonar will analyze and give results. Will it analyze source code (.java) files or compiled code(.class files) or deployable artifact(jar/war)? 3. What mvn deloy sonar: sonar does? 4.Do we need any special access for creating a quality gate in sonar qube? 5.which is the best approach Executing all mvn commands in single line or executing all commands separately? Eg: Mvn clean compile test package Or Mvn clean Mvn compile Mvn test Mvn package Mvn install Man deploy

@DevOpsCoach 3 месяца назад

i understand what you are asking brother...yes mvn clean install will build and package. but sonar:sonar will scan the source code after github actions checkout..it has full access to the source code. login to sonarqube, click on projects, click on code tab.