If you're using a monorepo
This section explains how to manage the SonarQube analysis of GitHub projects related to a monorepo.
In a monorepo setup, multiple SonarQube projects, each corresponding to a separate project within the monorepo, are all bound to the same GitHub repository. If the GitHub integration has been properly set up (see Setting up the GitHub integration), you can easily import the projects managed in a GitHub monorepo from the SonarQube UI and thus benefit from the integration features, such as pull request decoration.
The monorepo feature is supported starting in the Enterprise Edition.
Analysis setup roadmap
To manage the analysis of your projects in a monorepo:
1. Create the SonarQube projects related to your monorepo by importing the GitHub monorepo: see Managing monorepo projects.
2. Add the analysis to your GitHub Actions’ monorepo workflow: see below.
3. You can fail a job inside the monorepo workflow when the quality gate fails and/or prevent pull request merges when the quality gate fails: see Adding analysis to GitHub Actions workflow.
Adding the analysis to your monorepo workflow
To add the SonarQube analysis to your GitHub Actions’ monorepo workflow:
1. For each project in the monorepo, set the necessary analysis parameters: see Analysis parameters and the respective SonarScanner page (SonarScanner for Gradle, SonarScanner for .NET, SonarScanner for Maven, SonarScanner CLI) for more information. The mandatory parameter is the sonar.projectKey property.
2. Set up the authentication to the SonarQube Server: see below.
3. Add a workflow file (build.yml) in the home directory of the monorepo: see below.
Setting up the authentication to the SonarQube Server
You have to create the Sonar tokens used to authenticate to the SonarQube Server during the analysis of the monorepo projects and store them securely in GitHub secrets. You can either use one single global-level token for the monorepo or use a project-level token for each project in the monorepo.
Note that the Sonar Host URL must be stored in a GitHub secret as described in Creating your GitHub secrets in Adding analysis to GitHub Actions workflow.
Proceed as follows:
1. Generate the token(s) in SonarQube (see Generating and using tokens):
   - For project tokens, create a token for each project (you need the Administer permission on the project): go to the Security page of your SonarQube account and create a Project analysis token.
   - For a global token, ask your administrator (the procedure is similar, but you need the global Administer system permission).
2. In your GitHub repository, go to Settings > Secrets.
3. Select New repository secret.
4. In the Name field:
   - If you use a global token: enter SONAR_TOKEN.
   - Otherwise: enter SONAR_TOKEN_1 (or another unique identifier within the monorepo) for the token of your first project in the monorepo.
5. In the Value field, enter the corresponding token value.
6. Select Add secret.
7. If you use project-level tokens, repeat steps 3 to 6 for each additional project in the monorepo.
Configuring the build.yml file
In the build.yml file of your monorepo:
1. Define the paths to the projects.
2. Add a job for each project in the monorepo.
See the file example below.
name: Build
on:
  push:
    branches:
      - master # main branch name
    paths:
      - 'PROJECT1_PATH/**' # monorepo projects paths from the monorepo root directory
      - 'PROJECT2_PATH/**'
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarQubeScan1:
    name: sonarQubeScan1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 17
        uses: actions/setup-java@v1
        with:
          java-version: 17
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: SonarQube Scan 1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_1 }} # analysis token associated to your project
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
          cd PROJECT1_PATH/
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT1_KEY -Dsonar.projectName='SONAR_PROJECT1_NAME'
          # Replace variables with project path, key and name
  sonarQubeScan2:
    name: sonarQubeScan2
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 17
        uses: actions/setup-java@v1
        with:
          java-version: 17
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: SonarQube Scan 2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_2 }} # analysis token associated to your project
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
          cd PROJECT2_PATH/
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT2_KEY -Dsonar.projectName='SONAR_PROJECT2_NAME'
          # Replace variables with project path, key and name
  # Add other scan jobs if you wish to scan more projects in the monorepo
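
A check a reviewer could run over build.yml to confirm the token handling described on this page: every SONAR_TOKEN and SONAR_HOST_URL value comes from a GitHub secret, and a project-level token secret is not reused across different sonar.projectKey values. This is an added example, not SonarQube's own tooling; the function name audit_workflow, the sample workflow and its host URL are constructed, and the line-based parsing assumes job ids at two-space indentation.

```python
import re
from collections import defaultdict

# Constructed sample: job 2 reuses job 1's token secret and hardcodes the host URL.
SAMPLE_WORKFLOW = """\
jobs:
  sonarQubeScan1:
    steps:
      - name: SonarQube Scan 1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_1 }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT1_KEY
  sonarQubeScan2:
    steps:
      - name: SonarQube Scan 2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_1 }}
          SONAR_HOST_URL: https://sonarqube.example.internal
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT2_KEY
"""
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.(\w+)\s*\}\}")

def audit_workflow(text):
    """Return sorted (job, finding) tuples for the text of a workflow file."""
    findings, job, in_jobs = [], None, False
    token_of, key_of = {}, {}  # job id -> token secret name / sonar.projectKey
    for line in text.splitlines():
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
        elif in_jobs and (m := re.match(r"^  ([\w-]+):\s*$", line)):
            job = m.group(1)  # assumption: job ids sit at two-space indentation
        elif job and (m := re.match(r"^\s+(SONAR_TOKEN|SONAR_HOST_URL):\s*(.+)$", line)):
            ref = SECRET_REF.match(m.group(2))
            if not ref:
                findings.append((job, f"{m.group(1)} is a literal, not a secrets reference"))
            elif m.group(1) == "SONAR_TOKEN":
                token_of[job] = ref.group(1)
        if job and (m := re.search(r"-Dsonar\.projectKey=(\S+)", line)):
            key_of[job] = m.group(1)
    jobs_by_secret = defaultdict(list)
    for j, secret in token_of.items():
        jobs_by_secret[secret].append(j)
    for secret, jobs in jobs_by_secret.items():
        keys = {key_of[j] for j in jobs if j in key_of}
        # SONAR_TOKEN is the page's name for the single global token, so sharing it is expected.
        if secret != "SONAR_TOKEN" and len(keys) > 1:
            findings += [(j, f"secret {secret} is shared by {len(keys)} project keys") for j in jobs]
    return sorted(findings)
```

Calling audit_workflow(SAMPLE_WORKFLOW) reports the hardcoded host URL in sonarQubeScan2 and the shared SONAR_TOKEN_1 secret in both jobs; a workflow laid out like the example above returns an empty list.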