SonarQube Setup
This document guides the reader through a basic setup and running static code analysis on their projects. SonarQube is an open-source platform for continuous inspection of code quality: it performs automatic reviews and detects bugs, code smells, and security vulnerabilities.
Rootstrap has its own SonarQube instance. The tool can be used both for code audits and during the SDLC to get specific results and improve the quality of the software we develop. There are two approaches to running the analysis scan: from your local machine, or integrated into GitHub through a GitHub Actions workflow.
- Log in to the SonarQube dashboard with your Gmail account:
https://sonarqube-developers.example.net/
A. On the top-right corner click on + and then create a new project.
B. Define a project key and name. We strongly recommend using the same value for these two fields, and try to make them match your GitHub repository name. Save the project key; you will need it later to run the scanner for the project.
- Generate a token for the project
A. Select a token name related to the project. You will be able to manage your tokens from here.
B. Save the generated token; you will need it to run the scanner for the project. The next step (2) is informative and can be omitted; you are now ready to run the scan.
In order to run the scan, download the SonarScanner tool (it is open source and cross-platform). After that you will need to make some small configuration changes. The following steps assume that you have a local folder with the project's code under PROJECT_PATH and that your SonarScanner download is under SONAR_SCANNER_PATH.
- Set an alias to use anywhere: edit your ~/.bash_profile, adding the following line at the end, then save the file and open a new terminal window (or simply run source ~/.bash_profile).
alias sonar-scanner="SONAR_SCANNER_PATH/bin/sonar-scanner"
- Edit the configuration file in your sonar scanner installation under SONAR_SCANNER_PATH/conf/sonar-scanner.properties
#----- SonarQube server configuration
sonar.host.url=https://sonarqube-developers.example.net
- Create a configuration file in your project's root directory (PROJECT_PATH) called sonar-project.properties and adapt the parameters as you need. Don't forget to provide the PROJECT_KEY and PROJECT_TOKEN values created in the previous steps.
#----- Project Configuration
sonar.sources=.
sonar.projectBaseDir=.
sonar.projectKey=PROJECT_KEY
sonar.login=PROJECT_TOKEN
sonar.projectVersion=1.0.0
- To perform the scan run the following command under PROJECT_PATH:
sonar-scanner
After that you will see the scanner results in the SonarQube dashboard. All the files generated by sonar-scanner can be excluded from version control (ignored) if you are working in a code repository.
We are using GitHub Actions for our CI workflows, and you can easily configure SonarQube as an additional step when defining the workflow for your project.
After completing the steps for setting up a new project, these additional steps are required:
- Store the values of the Sonar host and token for your project as repository Secrets. Go to Settings -> Secrets -> New Secret (requires ownership of the repo).
- Include the required environment variables pointing to the corresponding Secrets:
env:
  ...
  SONAR_PROJECT: react-native-base
  SONAR_URL: ${{ secrets.SONAR_URL }}
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- Add the steps to your workflow for setting up the Sonar Scanner and executing it:
- warchant/setup-sonar-scanner@v3 is a third-party Action which downloads the desired version of SonarScanner (defaults to latest) and adds it to the PATH.
- The example below passes execution parameters through the command invocation; these override any set in sonar-project.properties (at least the SONAR_URL and SONAR_TOKEN values should not be stored in plain text in this file).
- Make sure to include the right path to your test coverage report. For example, for React Native we generate it using yarn test:cover, and the resulting report file that Sonar will parse is located at $(PROJECT_ROOT)/coverage/lcov.info.
    - name: Setup sonar scanner
      uses: warchant/setup-sonar-scanner@v3
    - name: Run Sonarqube analysis
      run: |
        sonar-scanner \
          -Dsonar.qualitygate.wait=true \
          -Dsonar.host.url=$SONAR_URL \
          -Dsonar.login=$SONAR_TOKEN \
          -Dsonar.projectKey=$SONAR_PROJECT \
          -Dsonar.scm.provider=git \
          -Dsonar.java.binaries=/tmp \
          -Dsonar.nodejs.executable=$(which node) \
          -Dsonar.projectVersion=$(echo $GITHUB_SHA | cut -c1-8) \
          -Dsonar.sources=. \
          -Dsonar.projectBaseDir=. \
          -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
A full example of a GitHub Actions workflow with this integration for React Native can be found here
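As an added example (not part of this README or of the SonarScanner project), a small POSIX shell wrapper that enforces the caveat above: it refuses to run the scanner when sonar-project.properties contains a literal credential and passes the host URL and token from the environment instead, the way the workflow step does. It assumes the SONAR_URL, SONAR_TOKEN and SONAR_PROJECT variable names from the workflow and the PROJECT_TOKEN placeholder from the local setup step.

```shell
#!/bin/sh
# Added example, not from the original README. Refuses to run sonar-scanner when
# sonar-project.properties carries a literal credential and takes the credential
# from the environment instead. Assumed names: SONAR_URL, SONAR_TOKEN, SONAR_PROJECT
# (from the workflow above) and the PROJECT_TOKEN placeholder (from the local step).

# check_sonar_props FILE: returns 0 if FILE has no hard-coded credential, 1 otherwise.
# A credential key with an empty value or the PROJECT_TOKEN placeholder is allowed.
check_sonar_props() {
  props="$1"
  [ -f "$props" ] || return 0            # no file, nothing to leak
  # Uncommented sonar.login / sonar.token / sonar.password lines whose value is
  # neither empty nor the placeholder are treated as stored credentials.
  offenders=$(grep -E '^[[:space:]]*sonar\.(login|token|password)[[:space:]]*=' "$props" \
              | grep -vE '=[[:space:]]*(PROJECT_TOKEN)?[[:space:]]*$' || true)
  if [ -n "$offenders" ]; then
    printf 'refusing to scan: credential stored in %s:\n%s\n' "$props" "$offenders" >&2
    return 1
  fi
  return 0
}

# require_env NAME...: returns 0 if every named variable is set and non-empty.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      printf 'missing environment variable %s\n' "$name" >&2
      return 1
    fi
  done
  return 0
}

# run_scan PROJECT_DIR: run the scanner with credentials taken only from the environment.
run_scan() {
  dir="${1:-.}"
  require_env SONAR_URL SONAR_TOKEN SONAR_PROJECT || return 1
  check_sonar_props "$dir/sonar-project.properties" || return 1
  (cd "$dir" && sonar-scanner \
      -Dsonar.host.url="$SONAR_URL" \
      -Dsonar.login="$SONAR_TOKEN" \
      -Dsonar.projectKey="$SONAR_PROJECT" \
      -Dsonar.sources=. \
      -Dsonar.projectBaseDir=.)
}
```

Source the file in a shell where SONAR_URL, SONAR_TOKEN and SONAR_PROJECT are exported, then call `run_scan PROJECT_PATH`.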