This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

If you're using a monorepo

This section explains how to manage the SonarQube analysis of GitHub projects related to a monorepo.

In a monorepo setup, multiple SonarQube projects, each corresponding to a separate project within the monorepo, are all bound to the same GitHub repository. If the GitHub integration has been properly set up (see Setting up the GitHub integration), you can easily import the projects managed in a GitHub monorepo from the SonarQube UI and thus benefit from the integration features, such as pull request decoration.

The monorepo feature is supported starting in the Enterprise Edition.

Analysis setup roadmap

To manage the analysis of your projects in a monorepo:

  1. Create the SonarQube projects related to your monorepo by importing the GitHub monorepo: see Managing monorepo projects.

  2. Add the analysis to your GitHub Actions’ monorepo workflow: see below.

  3. You can fail a job inside the monorepo workflow when the quality gate fails and/or prevent pull request merges when the quality gate fails: see Adding analysis to GitHub Actions workflow.

Adding the analysis to your monorepo workflow

To add the SonarQube analysis to your GitHub Actions’ monorepo workflow:

  1. For each project in the monorepo, set the necessary analysis parameters: see Analysis parameters and the respective SonarScanner page (SonarScanner for Gradle, SonarScanner for .NET, SonarScanner for Maven, SonarScanner CLI) for more information. The mandatory parameter is the sonar.projectKey property.

  2. Set up the authentication to the SonarQube Server: see below.

  3. Add a workflow file (build.yml) in the home directory of the monorepo: see below.

Setting up the authentication to the SonarQube Server

You have to create the Sonar tokens used to authenticate to the SonarQube Server during the analysis of the monorepo projects and store them securely in GitHub secrets. You can either use one single global-level token for the monorepo or use a project-level token for each project in the monorepo.

Note that the Sonar Host URL must be stored in a GitHub secret as described in Creating your GitHub secrets in Adding analysis to GitHub Actions workflow.

Proceed as follows:

  1. Generate the token(s) in SonarQube (see Generating and using tokens):

    • For project tokens, create a token for each project (you need the Administer permission on the project): Go to the Security page of your SonarQube account and create a Project analysis token.

    • For a global token, ask your administrator (the procedure is similar, but you need the global Administer system permission).

  2. In your GitHub repository, go to Settings > Secrets.

  3. Select New repository secret.

  4. In the Name field:

    • If you use a global token: enter SONAR_TOKEN.

    • Otherwise: enter SONAR_TOKEN_1 (or another unique identifier within the monorepo) for the token of your first project in the monorepo.

  5. In the Value field, enter the corresponding token value.

  6. Select Add secret.

  7. If you use project-level tokens, repeat steps 3 to 6 for each additional project in the monorepo.

Configuring the build.yml file

In the build.yml file of your monorepo:

  • Define the paths to the projects.

  • Add a job for each project in the monorepo.

See the file example below.

name: Build

on:
  push:
    branches:
      - master # main branch name
    paths:
      - 'PROJECT1_PATH/**' # monorepo projects paths from the monorepo root directory
      - 'PROJECT2_PATH/**'
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonarQubeScan1:
    name: sonarQubeScan1
    runs-on: ubuntu-latest
    
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 17
        uses: actions/setup-java@v1
        with:
          java-version: 17
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: SonarQube Scan 1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_1 }}  # analysis token associated to your project
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
            cd PROJECT1_PATH/
            mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT1_KEY -Dsonar.projectName='SONAR_PROJECT1_NAME' 
        # Replace variables with project path, key and name
  sonarQubeScan2:
    name: sonarQubeScan2
    runs-on: ubuntu-latest
    
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 17
        uses: actions/setup-java@v1
        with:
          java-version: 17
      - name: Cache SonarQube packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: SonarQube Scan 2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_2 }} # analysis token associated to your project
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
            cd PROJECT2_PATH/
            mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SONAR_PROJECT2_KEY -Dsonar.projectName='SONAR_PROJECT2_NAME'
        # Replace variables with project path, key and name
  # Add other scan jobs if you wish to scan more projects in the monorepo   
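
A check a reviewer can run over a monorepo workflow before merging, added here as an example and not part of the SonarQube documentation: it confirms that every job reads SONAR_TOKEN from a GitHub secret and that no two jobs share a sonar.projectKey. The job names, paths and keys in the sample are constructed, and the line-based matching assumes the layout of the file above rather than arbitrary YAML.

```python
import re

# Constructed sample in the shape of the build.yml above, with two deliberate
# mistakes in the second job: a token pasted inline and a reused project key.
SAMPLE = """\
jobs:
  sonarQubeScan1:
    steps:
      - env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_1 }}  # project-level token
        run: |
            cd app1/
            mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=app1
  sonarQubeScan2:
    steps:
      - env:
          SONAR_TOKEN: constructed-placeholder-not-a-real-token
        run: |
            cd app2/
            mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=app1
"""

JOB = re.compile(r"^  (\w[\w-]*):[ \t]*$", re.M)  # job ids sit two spaces under "jobs:"
TOKEN = re.compile(r"^[ \t]*SONAR_TOKEN:[ \t]*(.+?)[ \t]*(?:#.*)?$", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
KEY = re.compile(r"-Dsonar\.projectKey=(\S+)")

def lint(workflow):
    """Return ({job: secret name}, [findings]) for a monorepo workflow file."""
    jobs = workflow.partition("jobs:\n")[2]
    marks = list(JOB.finditer(jobs))
    secrets, findings, seen = {}, [], {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(jobs)
        job, block = m.group(1), jobs[m.end():end]
        tok = TOKEN.search(block)
        src = SECRET.fullmatch(tok.group(1)) if tok else None
        if src:
            secrets[job] = src.group(1)
        elif tok:  # report the job only; never echo the value into CI logs
            findings.append(f"{job}: SONAR_TOKEN is not read from a GitHub secret")
        for key in KEY.findall(block):
            if seen.setdefault(key, job) != job:
                findings.append(f"{job}: sonar.projectKey '{key}' already used by {seen[key]}")
    return secrets, findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```

The returned job-to-secret mapping also shows at a glance whether the workflow relies on one global token or on a separate project-level token per job.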
