How to Integrate SonarQube with GitHub Actions | Automate Code Scan using SonarQube in GitHub Action


Pre-requisites:
Make sure SonarQube is up and running
Make sure the Java project is set up in GitHub

How to integrate SonarQube with GitHub Actions:
We will be following the steps below:
Create a token in SonarQube to authenticate with GitHub Actions
Add the Sonar token and SonarQube URL as secrets in GitHub Actions
Create the GitHub Actions CI/CD workflow YAML
Add tasks for the Maven build and Sonar scan
Run the workflow on a GitHub-hosted runner (Ubuntu)
Verify the scan report in SonarQube
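A complete workflow file covering the last four steps above, added here as an example; it is not the video's own workflow or repository code. It assumes repository secrets named SONAR_TOKEN and SONAR_HOST_URL, a Maven project with pom.xml at the repository root, and a placeholder project key. It goes slightly beyond the description by adding a push trigger next to the manual one, restricting the job's token to read-only, and waiting on the quality gate so that a failed gate fails the job.

```yaml
# Added example workflow (not the video's own file): .github/workflows/sonar.yml
# Assumptions: secrets SONAR_TOKEN and SONAR_HOST_URL exist, pom.xml is at the
# repository root, and PLACEHOLDER_PROJECT_KEY is replaced with the real key.
name: Build and SonarQube scan

on:
  workflow_dispatch:          # manual run from the Actions tab
  push:
    branches: [main]          # also run automatically on every push to main

permissions:
  contents: read              # least privilege: the job only needs to read the repo

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so SonarQube can attribute issues (blame)

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # Compile and test first: the scanner needs target/classes (sonar.java.binaries);
      # running the sonar goal in the same invocation lets the Maven plugin find them,
      # which avoids the "please provide compiled classes" error.
      - name: Build and analyze
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}        # never echo this value in logs
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
          # On SonarQube releases before 10, pass -Dsonar.login instead of -Dsonar.token.
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY \
            -Dsonar.host.url="$SONAR_HOST_URL" \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.qualitygate.wait=true   # fail the job when the quality gate fails
```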
Comments

Thank you! More DevSecOps videos please

liban

Hi, how to view code coverage on the SonarQube interface? In this example, code coverage is mentioned as zero. So how to bring code coverage from the zip file to the interface?

jasmiharidas

Hi coach,

Thanks for your response! But I guess you are not getting my question. Here are my simple questions. Could you please help me with the questions below?

1. Why do we need the maven clean install step before including the SonarQube analysis step in the GitHub pipeline?

2. What will Sonar analyze and give results on? Will it analyze source code (.java files), compiled code (.class files) or the deployable artifact (jar/war)?

3. What does mvn deploy sonar:sonar do?

4. Do we need any special access for creating a quality gate in SonarQube?

5. Which is the best approach:
executing all mvn commands in a single line or executing all commands separately?

E.g.:

mvn clean compile test package

or

mvn clean
mvn compile
mvn test
mvn package
mvn install
mvn deploy

ppharini

Thanks for your response! But my question is, if we are analysing source code, then we can include an analysis step before the maven clean install step, right?

In the pipeline, we are giving maven clean install, then the sonar scan step. Is that right?

Does it mean we are already converting the source code to a deployable artifact, without SonarQube analysis? Which means we are already converting the source code to a deployable artifact without a sonar scan?

ppharini

Hi Sir, one question: is it free to use SonarQube in GitHub Actions, or do I need to have the Developer Edition (paid version) of SonarQube?

barrientoscardenaslinofern

Is it possible to fail workflow build if SonarQube finds vulnerabilities?

liban

Sir... here you mentioned a manual trigger, but how can it automatically trigger on a push to the main branch?

naren

Hello sir, I forked your repo and tested it, but the action is failing.

kumarmummina

Sir, how to set up a GitHub App for this to run this action?

kumarmummina

I have one question:
will SonarQube analyze the source code, the compiled code or the deployable artifact (war or jar)?

In this video, the SonarQube analysis is given after maven clean install. So in this case, the war file is built before the SonarQube analysis. So does it mean Sonar is analysing the deployable artifact?

ppharini

Hi, thanks for this detailed video. However, we encounter some issue when running the GitHub Actions as below: ERROR: Error during SonarScanner execution
Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property. We confirmed all the needed secret keys and URL have been provided in the GitHub organization secrets (as we are using the company's organization GitHub account), but it just shows the shared error, telling us it cannot proceed with the scanning due to this error. Can you advise? Thanks.

KenAragorn