Specific to GitHub Actions is the setting of sonar.token and sonar.host.url: With GitHub Actions, you can configure these parameters through GitHub secrets. This may be done at the global level by the global System Administrator, or at the project level by the Project Administrator as explained below (It makes sense to store the server URL at the global level.).
In addition, starting from the Developer Edition, SonarScanners running in GitHub Actions can automatically detect branches and pull requests being built so you don't need to specifically pass them as parameters to the scanner.
The parameters used in GitHub Actions workflows to connect to the SonarQube Community Build (Server URL and token) should be securely stored in GitHub secrets: see GitHub's documentation on Encrypted secrets for more information.
To store the authentication token at the project level:
In the SonarQube Community Build UI, generate a SonarQube Community Build token for your project.
Create a repository secret in GitHub with:
Name: SONAR_TOKEN
Value: the token you generated in the previous step.
To store the SonarQube Community Build URL at the project level:
This section shows you how to configure your .github/workflows/build.yml file.
Set up your workflow according to your SonarQube Community Build edition:
SonarQube Community Build: The SonarQube Community Build doesn't support multiple branches, so you should only analyze your main branch. You can restrict analysis to your main branch by setting it as the only branch in your on.push.branches configuration in your workflow YAML file, and not using on.pull_request.
SonarQube Community Build Developer Edition and above: GitHub Actions can build specific branches and pull requests if you use on.push.branches and on.pull-requests configurations as shown in the examples below.
Click the scanner you're using below to expand the example configuration:
The errors “Missing blame information…” and “Could not find ref…” can be caused by checking out with a partial or shallow clone, or when using Git submodules. You should disable git shallow clone to make sure the scanner has access to all of your history when running analysis with GitHub Actions.
Note: A project key might have to be provided through a build.gradle file, or through the command line parameter. For more information, see the SonarScanner for Gradle documentation.
Add the following to your build.gradle file:
Write the following in your workflow YAML file:
SonarScanner for Maven
Note: A project key might have to be provided through the command line parameter. For more information, see the SonarScanner for Maven documentation.
Write the following in your workflow YAML file:
SonarScanner for .NET
Write the following in your workflow YAML file:
SonarScanner CLI
You can easily set up a basic configuration using the SonarQube Scan GitHub Actions:
If you do not want to use the SonarQube Community Build quality gate Check Action, you can instruct the scanner to wait for the SonarQube Community Build quality gate status at the end of the analysis. To enable this, pass the -Dsonar.qualitygate.wait=true parameter to the scanner in the workflow YAML file.
This will make the analysis step poll SonarQube Community Build regularly until the quality gate is computed. This will increase your workflow duration. Note that, if the quality gate is red, this will make the analysis step fail, even if the actual analysis itself is successful. We advise only using this parameter when necessary (for example, to block a deployment workflow if the quality gate is red). It should not be used to report the quality gate status in a pull request, as this is already done with pull request decoration.
You can set the sonar.qualitygate.timeout property to an amount of time (in seconds) that the scanner should wait for a report to be processed. The default is 300 seconds.
For each project in the monorepo, set the analysis parameters: See Configuring the project analysis parameters above. Specific to the monorepo set up is the setting of the sonar.token property explained below.
You must create the Sonar tokens used to authenticate to the SonarQube Community Build during the analysis of the monorepo projects and store them securely in GitHub secrets. You can either use one single global-level token for the monorepo or a project-level token for each project in the monorepo.
Proceed as follows:
Generate the token(s) in SonarQube Community Build:
For project tokens, create a token for each project (you need the Administer permission on the project): Go to the Security page of your SonarQube Community Build account and create a Project analysis token.
For a global token, ask your administrator (The procedure is similar but you need the global Administer system permission.).
In your GitHub repository, go to Settings > Secrets.
Select New repository secret.
In the Name field:
If you use a global token: enter SONAR_TOKEN.
Otherwise: enter SONAR_TOKEN_1 (or another unique identifier within the monorepo) for the token of your first project in the monorepo.
In the Value field, enter the corresponding token value.
Select Add secret.
If you use project-level tokens, repeat steps 3 to 6 for each additional project in the monorepo.
You can fail a job inside the monorepo workflow when the quality gate fails and/or prevent pull request merges when the quality gate fails: see Failing the workflow when the quality gate fails above.
If you use the sonarqube-scan-action for your GitHub Action and your SonarQube Community Build has root certificates that need to be recognized by the GitHub runner, you'll need to set the SONAR_ROOT_CERT environment variable in GitHub (See Managing the TLS certificates on the client side).