Scan and analyze GitHub repository with SonarCloud
Important
With Automatic Analysis for .NET, certain rules for .NET source code are automatically deactivated. This includes security rules, all rules that come from outside the Sonar Way quality profile, and certain rules from within it.
Note
Automatic analysis is only supported for GitHub repositories. If you are using a different version control system, you will need to use a different method to analyze your code.
- Follow the docs under SonarCloud - Getting Started with GitHub to set up SonarCloud with GitHub
- Sign up at SonarCloud
- Click `Import another organization`
- Select your personal GitHub account or the organization that contains the repository you want to scan
- When reaching the `Create your SonarCloud organization` page, adjust/update the data and click `Create organization`
- On the `Analyze projects` page, select the repository you want to scan and click `Set Up`
- On the `Set up project for Clean as You Code` page, select the desired code definition and click `Create project`
- After completing the setup, the repository will be scanned automatically and you will see the results on the SonarCloud dashboard
Important
Assumption: Automatic analysis is already set up for the repository
To set up CI-based analysis with GitHub actions follow the instructions (guided wizard) under https://sonarcloud.io/project/configuration/GitHubActions?id=SONAR_CLOUD_PROJECT_ID
Note
Replace `SONAR_CLOUD_PROJECT_ID` with the id of the SonarCloud project.
To include e.g. Terraform files in the analysis of SonarScanner for .NET, the following adjustments are required.
- Extend the `dotnet-sonarscanner begin` command with the project base dir argument `/d:sonar.projectBaseDir="D:\a\GITHUB_PROJECT_NAME\GITHUB_PROJECT_NAME"`, where `GITHUB_PROJECT_NAME` is the name of the GitHub project
- Include the corresponding source files/folders in the `csproj` file of one of the projects:

```xml
<ItemGroup>
  <!-- This is required to include terraform files in SonarCloud analysis -->
  <Content Include="..\..\deploy\**\*.tf" Visible="false">
    <CopyToOutputDirectory>Never</CopyToOutputDirectory>
  </Content>
</ItemGroup>
```
For more details see here
To include test coverage in the analysis of SonarScanner for .NET, the following adjustments are required in the GitHub Actions workflow (`.github/workflows/quality.yml`).
```yaml
# Install dotnet-coverage
- name: Install dotnet-coverage
  shell: powershell
  run: |
    dotnet tool install --global dotnet-coverage
- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  shell: powershell
  run: |
    # Add /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml
    .\.sonar\scanner\dotnet-sonarscanner begin /k:"rufer7_github-sonarcloud-integration" /o:"rufer7" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.projectBaseDir="D:\a\github-sonarcloud-integration\github-sonarcloud-integration" /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml
    dotnet build .\src\ArbitrarySolution.sln --configuration Release
    # Execute tests and collect coverage
    dotnet-coverage collect 'dotnet test .\src\ArbitraryProject.Tests\ArbitraryProject.Tests.csproj' -f xml -o 'coverage.xml'
    .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
```
The scan results can be viewed on the SonarCloud dashboard.
Security hotspots detected by SonarCloud can be viewed directly on the GitHub repository under the Security tab in the Code scanning section.
Example
Pull request analysis results can be found directly on the pull requests.
For an example, see here