This image combines:
- SonarQube Scanner CLI
- OWASP DependencyCheck
- adding a project to SonarQube and syncing its default branch
- syncing SonarQube and GitLab permissions via guassp
- running tests for .NET
- requesting code coverage from SonarQube
Special thanks to WoozyMasta for the guassp utility.
The following arguments must be passed to the build:
- SONAR_SCANNER_VERSION=5.0.1.3006 - scanner version; take it from the sonar-scanner-cli project releases
- DOTNET_SONARSCANNER_VERSION=6.0 - dotnet-sonarscanner version
- GRADLE_VERSION=8.1.1 - Gradle version
- POSTGRES_DRIVER_VERSION=42.7.0 - PostgreSQL JDBC driver version
- MYSQL_DRIVER_VERSION=8.2.0 - MySQL JDBC driver version
- DEPENDENCY_CHECK_VERSION=9.0.7 - DependencyCheck version
To speed up the scan stage, the required plugins and the scanner caches can be packed into the image at build time. To do this, pass the following variables to the build:
- SONARQUBE_TOKEN=XXTOKENXX - SonarQube token; it must have rights to create projects and run analyses
- SONARQUBE_URL=https://sonarqube.com - SonarQube URL

and add the following at the end of the RUN section of the Dockerfile:

```sh
mkdir -p "$SRC_PATH" "$SONAR_USER_HOME" "$SONAR_USER_HOME/cache"; \
sonar-scanner \
  -Dsonar.qualitygate.wait=false \
  -Dsonar.projectKey=self-build \
  -Dsonar.host.url="$SONARQUBE_URL" \
  -Dsonar.login="$SONARQUBE_TOKEN" \
  -Dsonar.dryRun=true \
  -Dsonar.exclusions='**/dependency-check/bin/*'
```

The scanner's plugin cache is then packed into the image under /opt/sonar-scanner/.sonar

Keep in mind that build arguments are recorded in the image metadata: a token passed with --build-arg can be read back with `docker history`, so use a short-lived token and revoke it after the build, or pass it as a BuildKit secret instead. On SonarQube 10 and later `sonar.login` is deprecated in favour of `sonar.token`.
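The build invocation for the pre-packing step, as an added example that is not part of the sentoz/multi-sonarqube-scanner-cli project: it passes the documented build arguments but hands the SonarQube token to BuildKit as a secret rather than a --build-arg, so the token never ends up in the image history. It assumes a BuildKit-enabled `docker build` whose --secret flag accepts the env= form, and a Dockerfile whose pre-pack RUN step mounts the secret (`RUN --mount=type=secret,id=sonarqube_token ... -Dsonar.login="$(cat /run/secrets/sonarqube_token)"`); the image tag and default URL are placeholders.

```shell
#!/bin/sh
# Added example, not part of the sentoz/multi-sonarqube-scanner-cli project:
# build the image with the documented build arguments, passing the SonarQube
# token as a BuildKit secret instead of a --build-arg. Values given with
# --build-arg are written into the image metadata and can be read back with
# `docker history`; a secret mount is not. Assumptions: a BuildKit-enabled
# `docker build` whose --secret flag accepts env=, and a Dockerfile whose
# pre-pack RUN step mounts the secret, e.g.
#   RUN --mount=type=secret,id=sonarqube_token \
#       sonar-scanner ... -Dsonar.login="$(cat /run/secrets/sonarqube_token)"

IMAGE="${IMAGE:-multi-sonarqube-scanner-cli:local}"
SONAR_SCANNER_VERSION="${SONAR_SCANNER_VERSION:-5.0.1.3006}"
DOTNET_SONARSCANNER_VERSION="${DOTNET_SONARSCANNER_VERSION:-6.0}"
GRADLE_VERSION="${GRADLE_VERSION:-8.1.1}"
POSTGRES_DRIVER_VERSION="${POSTGRES_DRIVER_VERSION:-42.7.0}"
MYSQL_DRIVER_VERSION="${MYSQL_DRIVER_VERSION:-8.2.0}"
DEPENDENCY_CHECK_VERSION="${DEPENDENCY_CHECK_VERSION:-9.0.7}"
SONARQUBE_URL="${SONARQUBE_URL:-https://sonarqube.example.com}"

# docker_build RUNNER...: RUNNER is prefixed to the command, so
# `docker_build printf '%s\n'` prints the argv one element per line and
# `docker_build env DOCKER_BUILDKIT=1` executes it.
docker_build() {
  "$@" docker build \
    --build-arg "SONAR_SCANNER_VERSION=$SONAR_SCANNER_VERSION" \
    --build-arg "DOTNET_SONARSCANNER_VERSION=$DOTNET_SONARSCANNER_VERSION" \
    --build-arg "GRADLE_VERSION=$GRADLE_VERSION" \
    --build-arg "POSTGRES_DRIVER_VERSION=$POSTGRES_DRIVER_VERSION" \
    --build-arg "MYSQL_DRIVER_VERSION=$MYSQL_DRIVER_VERSION" \
    --build-arg "DEPENDENCY_CHECK_VERSION=$DEPENDENCY_CHECK_VERSION" \
    --build-arg "SONARQUBE_URL=$SONARQUBE_URL" \
    --secret id=sonarqube_token,env=SONARQUBE_TOKEN \
    -t "$IMAGE" .
}

build_argv() { docker_build printf '%s\n'; }

# Succeeds (0) only if the literal token value appears in the build argv.
argv_leaks_token() {
  [ -n "${SONARQUBE_TOKEN:-}" ] && build_argv | grep -qF -- "$SONARQUBE_TOKEN"
}

run_build() {
  : "${SONARQUBE_TOKEN:?export SONARQUBE_TOKEN; do not pass it as --build-arg}"
  if argv_leaks_token; then
    echo "refusing to build: the token would be baked into the image history" >&2
    return 1
  fi
  export SONARQUBE_TOKEN
  docker_build env DOCKER_BUILDKIT=1
}

if [ "${1:-}" = build ]; then run_build; fi
```

Run it as `SONARQUBE_TOKEN=... sh build.sh build`; without the `build` argument it only defines the functions, so `build_argv` can be used to review the command line before anything is executed.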
sentoz/multi-sonarqube-scanner-cli:0.2.1

This image scans projects written in the following languages:
- typescript|javascript
- python
- go
- ruby
- shell
- html
- css
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-3.1
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-5.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-6.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-7.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-8.0
Each of these images is built on the latest stable release of the corresponding .NET version and includes dotnet-sonarscanner and reportgenerator. Note that .NET Core 3.1, .NET 5.0 and .NET 7.0 have reached end of support at Microsoft, so those variants no longer receive runtime security fixes.

sentoz/multi-sonarqube-scanner-cli:0.2.1-gradle-8.1.1
sentoz/multi-sonarqube-scanner-cli:0.2.1-gradle-7.3.3

The Gradle binaries of the corresponding version are packed into each image.
In GitHub Actions the variables map to the workflow environment as follows:
- DEFAULT_BRANCH=$GITHUB_BASE_REF
- COMMIT_BRANCH=$GITHUB_REF_NAME
- COMMIT_TAG=${GITHUB_REF#"refs/tags/"}
- JOB_TOKEN=$GITHUB_TOKEN
- PROJECT_DIR=$GITHUB_WORKSPACE
- REF_NAME=$GITHUB_REF_NAME
- MERGE_REQUEST_ID=$GITHUB_RUN_ID
- COMMIT_REF_SLUG=$GITHUB_REF_NAME
- PROJECT_NAME=${GITHUB_REPOSITORY#*/}
- PROJECT_URL=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY

Keep in mind that GITHUB_BASE_REF is only set for pull_request events, and that stripping refs/tags/ from GITHUB_REF leaves the full refs/heads/... value on branch builds.
In GitLab CI they map to the predefined CI variables as follows:
- DEFAULT_BRANCH=$CI_DEFAULT_BRANCH
- COMMIT_BRANCH=$CI_COMMIT_BRANCH
- COMMIT_TAG=$CI_COMMIT_TAG
- PROJECT=$CI_PROJECT_ID
- JOB_TOKEN=$CI_JOB_TOKEN
- PROJECT_DIR=$CI_PROJECT_DIR
- REF_NAME=$CI_COMMIT_REF_NAME
- MERGE_REQUEST_ID=$CI_MERGE_REQUEST_IID
- PROJECT_NAME=$CI_PROJECT_NAME
- COMMIT_REF_SLUG=$CI_COMMIT_REF_SLUG
- SONARQUBE_ALM_NAME=GitLab
- PROJECT_URL=$CI_PROJECT_URL
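The two mappings above as a script, added here as an example and not the image's own entrypoint. It detects the platform through GITHUB_ACTIONS / GITLAB_CI (both set to "true" by their platforms), uses GITHUB_REF_TYPE to decide whether GITHUB_REF is a tag before stripping refs/tags/, falls back sensibly when GITHUB_BASE_REF is absent, and computes COMMIT_REF_SLUG on GitHub as a GitLab-style slug instead of copying GITHUB_REF_NAME verbatim; those three choices are this example's, not the page's.

```shell
#!/bin/sh
# Added example, not the image's own entrypoint: export the variables the
# image expects from the ones the CI platform provides, following the two
# mappings above. Assumptions: GITHUB_ACTIONS / GITLAB_CI (both set to "true"
# by their platforms) identify the platform, GITHUB_REF_TYPE ("branch" or
# "tag") tells a tag ref from a branch ref, and COMMIT_REF_SLUG on GitHub is
# computed as a GitLab-style slug instead of copied verbatim from GITHUB_REF_NAME.

setvar() { export "$1=$2"; }

# GitLab-style slug: lower-case, non-alphanumerics to '-', trimmed, max 63 chars.
slug() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[^a-z0-9]/-/g' -e 's/^-*//' -e 's/-*$//' | cut -c1-63
}

github_env() {
  : "${GITHUB_REF:?}" "${GITHUB_REF_NAME:?}" "${GITHUB_REPOSITORY:?}"
  # GITHUB_BASE_REF exists only on pull_request events; elsewhere keep a
  # DEFAULT_BRANCH the job already had, then fall back to "main".
  setvar DEFAULT_BRANCH "${GITHUB_BASE_REF:-${DEFAULT_BRANCH:-main}}"
  if [ "${GITHUB_REF_TYPE:-}" = tag ]; then
    # ${GITHUB_REF#"refs/tags/"} leaves refs/heads/... intact on branch
    # builds, so strip the prefix only when the ref really is a tag.
    setvar COMMIT_TAG "${GITHUB_REF#refs/tags/}"
    setvar COMMIT_BRANCH ""
  else
    setvar COMMIT_TAG ""
    setvar COMMIT_BRANCH "$GITHUB_REF_NAME"
  fi
  setvar JOB_TOKEN "${GITHUB_TOKEN:?}"
  setvar PROJECT_DIR "${GITHUB_WORKSPACE:?}"
  setvar REF_NAME "$GITHUB_REF_NAME"
  setvar MERGE_REQUEST_ID "${GITHUB_RUN_ID:?}"
  setvar COMMIT_REF_SLUG "$(slug "$GITHUB_REF_NAME")"
  setvar PROJECT_NAME "${GITHUB_REPOSITORY#*/}"
  setvar PROJECT_URL "${GITHUB_SERVER_URL:?}/$GITHUB_REPOSITORY"
}

gitlab_env() {
  setvar DEFAULT_BRANCH "${CI_DEFAULT_BRANCH:?}"
  setvar COMMIT_BRANCH "${CI_COMMIT_BRANCH:-}"         # empty on tag pipelines
  setvar COMMIT_TAG "${CI_COMMIT_TAG:-}"               # empty on branch pipelines
  setvar PROJECT "${CI_PROJECT_ID:?}"
  setvar JOB_TOKEN "${CI_JOB_TOKEN:?}"
  setvar PROJECT_DIR "${CI_PROJECT_DIR:?}"
  setvar REF_NAME "${CI_COMMIT_REF_NAME:?}"
  setvar MERGE_REQUEST_ID "${CI_MERGE_REQUEST_IID:-}"  # only in MR pipelines
  setvar PROJECT_NAME "${CI_PROJECT_NAME:?}"
  setvar COMMIT_REF_SLUG "${CI_COMMIT_REF_SLUG:?}"
  setvar SONARQUBE_ALM_NAME GitLab
  setvar PROJECT_URL "${CI_PROJECT_URL:?}"
}

# Call once at the start of the job; the variables are exported in this shell.
ci_env() {
  if [ "${GITLAB_CI:-}" = true ]; then gitlab_env
  elif [ "${GITHUB_ACTIONS:-}" = true ]; then github_env
  else echo "ci_env: neither GITLAB_CI nor GITHUB_ACTIONS is set" >&2; return 1
  fi
}
```

Source the file and call `ci_env` before the scanner steps; a job that runs on neither platform fails early instead of scanning with empty variables.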
SonarQube connection and scanner settings:
- SONARQUBE_URL - SonarQube server address
- SONARQUBE_TOKEN - token for connecting to SonarQube
- SONARQUBE_CUSTOM_ARGS - comma-separated list of extra SonarScanner properties, for example: sonar.exclusions=/path, sonar.test.exclusions=/path2
- SONARQUBE_GENERIC_REPORTS_FILE=$PROJECT_DIR/issues.json - file with generic issue reports
- SONARQUBE_QUALITYGATE_WAIT=true - wait for the Quality Gate status
- SONARQUBE_QUALITYGATE_TIMEOUT=300 - Quality Gate timeout in seconds
- SONARQUBE_LOG_LEVEL=INFO - SonarQube Scanner logging level
- SONARQUBE_VERBOSE=true - more detail in the analysis log
- SONARQUBE_PYTHON_VERSION=3 - Python version
- SONARQUBE_ALOW_FAILURE=false - whether a failing SonarQube Scanner stage is allowed to let the pipeline pass (false means the stage is blocking)
Default project name and key in GitHub Actions:
- SONARQUBE_PROJECT_NAME=$GITHUB_REPOSITORY
- SONARQUBE_PROJECT_KEY=${GITHUB_REPOSITORY#*/}

and in GitLab CI:
- SONARQUBE_PROJECT_NAME=$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
- SONARQUBE_PROJECT_KEY=gitlab:$CI_PROJECT_ID
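How the SONARQUBE_* settings and the project key defaults above turn into a sonar-scanner command line, as an added example that is not the image's own scanner wrapper. It assumes the normalised PROJECT, PROJECT_NAME, PROJECT_DIR and SONARQUBE_ALM_NAME variables from the CI mappings are already exported (SONARQUBE_ALM_NAME=GitLab is what selects the gitlab:<id> key form), that SonarScanner CLI 5.x reads the token from the SONAR_TOKEN environment variable (so it stays off the command line and out of `ps`), and that values in SONARQUBE_CUSTOM_ARGS contain no commas.

```shell
#!/bin/sh
# Added example, not the image's own scanner wrapper: translate the
# SONARQUBE_* variables (plus the normalised PROJECT, PROJECT_NAME,
# PROJECT_DIR and SONARQUBE_ALM_NAME) into a sonar-scanner invocation.
# Assumptions: SONARQUBE_ALM_NAME=GitLab selects the gitlab:<id> key form;
# SonarScanner CLI 5.x honours the SONAR_TOKEN environment variable;
# SONARQUBE_CUSTOM_ARGS values contain no commas.

default_project_key() {
  if [ -n "${SONARQUBE_PROJECT_KEY:-}" ]; then printf '%s' "$SONARQUBE_PROJECT_KEY"
  elif [ "${SONARQUBE_ALM_NAME:-}" = GitLab ]; then printf 'gitlab:%s' "${PROJECT:?PROJECT (CI_PROJECT_ID) is required}"
  else printf '%s' "${PROJECT_NAME:?PROJECT_NAME is required}"
  fi
}

# SONARQUBE_CUSTOM_ARGS is "key=value, key2=value2": emit one -Dkey=value
# per line, trimming whitespace and rejecting entries without '='.
custom_args() {
  printf '%s\n' "${SONARQUBE_CUSTOM_ARGS:-}" | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | while IFS= read -r pair; do
        [ -n "$pair" ] || continue
        case $pair in
          *=*) printf '%s\n' "-D$pair" ;;
          *)   echo "custom_args: ignoring '$pair' (expected key=value)" >&2 ;;
        esac
      done
}

# All scanner properties, one argument per line (the token is deliberately absent).
scanner_args() {
  printf '%s\n' \
    "-Dsonar.host.url=${SONARQUBE_URL:?}" \
    "-Dsonar.projectKey=$(default_project_key)" \
    "-Dsonar.projectName=${SONARQUBE_PROJECT_NAME:-$(default_project_key)}" \
    "-Dsonar.qualitygate.wait=${SONARQUBE_QUALITYGATE_WAIT:-true}" \
    "-Dsonar.qualitygate.timeout=${SONARQUBE_QUALITYGATE_TIMEOUT:-300}" \
    "-Dsonar.log.level=${SONARQUBE_LOG_LEVEL:-INFO}" \
    "-Dsonar.verbose=${SONARQUBE_VERBOSE:-true}" \
    "-Dsonar.python.version=${SONARQUBE_PYTHON_VERSION:-3}" \
    "-Dsonar.externalIssuesReportPaths=${SONARQUBE_GENERIC_REPORTS_FILE:-${PROJECT_DIR:-.}/issues.json}"
  custom_args
}

run_scanner() {
  : "${SONARQUBE_TOKEN:?}"
  export SONAR_TOKEN="$SONARQUBE_TOKEN"   # read by the scanner; never on the command line
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(scanner_args)
EOF
  if sonar-scanner "$@"; then return 0; fi
  if [ "${SONARQUBE_ALOW_FAILURE:-false}" = true ]; then
    echo "sonar-scanner failed, but SONARQUBE_ALOW_FAILURE=true: not failing the job" >&2
    return 0
  fi
  return 1
}

if [ "${1:-}" = run ]; then run_scanner; fi
```

`scanner_args` can be printed on its own to review exactly what the scanner will receive; the quality gate wait and timeout come straight from the variables, and SONARQUBE_ALOW_FAILURE only downgrades a scanner failure to a warning when explicitly set to true.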
To speed up the pipeline, DependencyCheck can keep its vulnerability database in an external database and read from it at the start of each check instead of downloading the data from the Internet on every run.
- OWASP_DEPENDENCY_CHECK_DB_DRIVER=org.postgresql.Driver - database driver to use (org.postgresql.Driver or com.mysql.jdbc.Driver; with MySQL Connector/J 8.x the current class name is com.mysql.cj.jdbc.Driver, the old name still loads but logs a deprecation warning)
- OWASP_DEPENDENCY_CHECK_DB_STRING - database connection string
- OWASP_DEPENDENCY_CHECK_DB_PASSWORD - database connection password
- OWASP_DEPENDENCY_CHECK_DB_USER - username to connect to the database
- OWASP_DEPENDENCY_CHECK_NVD_VALID_HOURS=24 - number of hours the cached NVD data is considered fresh before an update is checked
- OWASP_DEPENDENCY_CHECK_SEVERITY_BLOCKER=9.0
- OWASP_DEPENDENCY_CHECK_SEVERITY_CRITICAL=7.0
- OWASP_DEPENDENCY_CHECK_SEVERITY_MAJOR=4.0
- OWASP_DEPENDENCY_CHECK_SEVERITY_MINOR=0.0
  (CVSS score thresholds from which a finding is reported with the corresponding severity)
- OWASP_DEPENDENCY_CHECK_DISABLE_OSS_INDEX=true - disable Sonatype OSS Index lookups
- OWASP_DEPENDENCY_CHECK_OSS_INDEX_USERNAME - username for Sonatype OSS Index (optional)
- OWASP_DEPENDENCY_CHECK_OSS_INDEX_PASSWORD - password for Sonatype OSS Index (optional)
- OWASP_DEPENDENCY_CHECK_SUPPRESSIONS_FILE_PATH=$PROJECT_DIR/suppression.xml - suppression file to remove false positives, if any
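The DependencyCheck settings above as a job script, added here as an example and not the image's own code. It builds the dependency-check CLI invocation from the OWASP_DEPENDENCY_CHECK_* variables (external database, OSS Index, suppression file) and maps a CVSS score to the severity bands the four thresholds define. DC_DRIVER_PATH, DC_NO_UPDATE and NVD_API_KEY are names chosen for this example, not image variables; dependency-check.sh from DependencyCheck 9.x is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the image's own job script: build the dependency-check
# CLI invocation from the OWASP_DEPENDENCY_CHECK_* variables above, and map a
# CVSS score to the severity bands those thresholds define (lower bounds:
# a score >= BLOCKER is BLOCKER, then CRITICAL, MAJOR, MINOR). Assumptions:
# dependency-check.sh (DependencyCheck 9.x) is on PATH; DC_DRIVER_PATH,
# DC_NO_UPDATE and NVD_API_KEY are names chosen here, not image variables.

cvss_severity() {
  # CVSS scores are decimals and POSIX shell arithmetic is integer-only,
  # so the comparison is done in awk.
  awk -v s="$1" \
      -v b="${OWASP_DEPENDENCY_CHECK_SEVERITY_BLOCKER:-9.0}" \
      -v c="${OWASP_DEPENDENCY_CHECK_SEVERITY_CRITICAL:-7.0}" \
      -v m="${OWASP_DEPENDENCY_CHECK_SEVERITY_MAJOR:-4.0}" \
      -v n="${OWASP_DEPENDENCY_CHECK_SEVERITY_MINOR:-0.0}" '
    BEGIN {
      s += 0; b += 0; c += 0; m += 0; n += 0
      if (s >= b)      print "BLOCKER"
      else if (s >= c) print "CRITICAL"
      else if (s >= m) print "MAJOR"
      else if (s >= n) print "MINOR"
      else             print "INFO"
    }'
}

# Print the CLI arguments one per line; optional parts appear only when set.
dc_args() {
  printf '%s\n' \
    --project "${PROJECT_NAME:?}" \
    --scan "${PROJECT_DIR:?}" \
    --format JSON --format HTML \
    --out "$PROJECT_DIR/dependency-check-report" \
    --nvdValidForHours "${OWASP_DEPENDENCY_CHECK_NVD_VALID_HOURS:-24}"
  if [ -n "${OWASP_DEPENDENCY_CHECK_DB_STRING:-}" ]; then
    printf '%s\n' \
      --dbDriverName "${OWASP_DEPENDENCY_CHECK_DB_DRIVER:-org.postgresql.Driver}" \
      --connectionString "$OWASP_DEPENDENCY_CHECK_DB_STRING" \
      --dbUser "${OWASP_DEPENDENCY_CHECK_DB_USER:?}" \
      --dbPassword "${OWASP_DEPENDENCY_CHECK_DB_PASSWORD:?}"
    [ -n "${DC_DRIVER_PATH:-}" ] && printf '%s\n' --dbDriverPath "$DC_DRIVER_PATH"
    # Scan jobs sharing a central database should use a read-only DB user and
    # skip the NVD update; run the update from one dedicated job with write access.
    [ "${DC_NO_UPDATE:-false}" = true ] && printf '%s\n' --noupdate
  fi
  if [ "${OWASP_DEPENDENCY_CHECK_DISABLE_OSS_INDEX:-true}" = true ]; then
    printf '%s\n' --disableOssIndex
  elif [ -n "${OWASP_DEPENDENCY_CHECK_OSS_INDEX_USERNAME:-}" ]; then
    printf '%s\n' \
      --ossIndexUsername "$OWASP_DEPENDENCY_CHECK_OSS_INDEX_USERNAME" \
      --ossIndexPassword "${OWASP_DEPENDENCY_CHECK_OSS_INDEX_PASSWORD:?}"
  fi
  [ -n "${NVD_API_KEY:-}" ] && printf '%s\n' --nvdApiKey "$NVD_API_KEY"
  suppressions="${OWASP_DEPENDENCY_CHECK_SUPPRESSIONS_FILE_PATH:-$PROJECT_DIR/suppression.xml}"
  [ -f "$suppressions" ] && printf '%s\n' --suppression "$suppressions"
  return 0
}

run_dependency_check() {
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(dc_args)
EOF
  # --dbPassword is visible to every user of the runner through `ps`; on shared
  # runners move the database settings into a file passed with --propertyfile.
  dependency-check.sh "$@"
}

if [ "${1:-}" = run ]; then run_dependency_check; fi
```

`cvss_severity` is what you would apply to each finding when converting the JSON report into the generic issues file for SonarQube: raising OWASP_DEPENDENCY_CHECK_SEVERITY_CRITICAL to 8.0, for instance, moves a 7.5 from CRITICAL to MAJOR.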
If you want to add package sources via nuget.config, the file must be placed in the same directory as the *.sln file, as the official documentation requires.
- NUGET_PRIVATE_REGISTRY_URL - address of a private package registry (optional)
- NUGET_PRIVATE_REGISTRY_USERNAME - username for the private package registry (optional)
- NUGET_PRIVATE_REGISTRY_TOKEN - token for the private package registry (optional)
- NUGET_REGISTRY_URL - address of a public caching package registry (optional)
- DOTNET_PROJECT_CONFIGURATION=Debug - build configuration
- DOTNET_VERBOSITY=minimal - logging level
- DOTNET_CUSTOM_BUILD_ARGUMENTS - extra arguments for the application build
- DOTNET_CUSTOM_TEST_ARGUMENTS - extra arguments for the application tests
- DOTNET_WORK_DIR=$PROJECT_DIR - directory containing the .sln file (optional)
- DOTNET_CSPROJ_FILE_PATH - path to the application .csproj file (optional)
- DOTNET_CSPROJ_FILE_TEST_PATH - path to the test .csproj file (optional)
- DOTNET_RESTORE_ATTEMPT_COUNT - number of times `dotnet restore` is attempted if it fails
- SKIP_DOTNET_TEST=false - skip the .NET tests
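The .NET part of the job (private feed, restore with retries, dotnet-sonarscanner begin / build / test / end with coverage) as an added example; this is not the image's own .NET job. It assumes dotnet-sonarscanner is installed as a global tool, that the test projects reference coverlet.collector so `dotnet test` can emit OpenCover coverage, that the SonarQube server accepts sonar.token (SonarQube 10 and later; older servers need sonar.login), and that RETRY_DELAY is this script's own variable. The private-feed credentials go into a temporary nuget.config outside the checkout: NuGet on Linux cannot encrypt them, so the token is stored in clear text and must never be committed.

```shell
#!/bin/sh
# Added example, not the image's own .NET job: the begin / build / test / end
# sequence dotnet-sonarscanner needs, with `dotnet restore` retried up to
# DOTNET_RESTORE_ATTEMPT_COUNT times and coverage written in OpenCover format
# for SonarQube. Assumptions: dotnet-sonarscanner is installed as a global
# tool, test projects reference coverlet.collector, the server accepts
# sonar.token (SonarQube 10+; use sonar.login on older servers), and
# RETRY_DELAY is this script's own variable, not the image's.

retry_n() {
  # retry_n <attempts> <command...>: run the command in this shell until it
  # succeeds or the attempt budget is used up.
  _max=$1; shift
  _i=1
  while :; do
    if "$@"; then return 0; fi
    if [ "$_i" -ge "$_max" ]; then
      echo "retry_n: '$*' failed after $_max attempt(s)" >&2
      return 1
    fi
    _i=$((_i + 1))
    sleep "${RETRY_DELAY:-5}"
  done
}

configure_private_feed() {
  # Only when a private registry is configured. NuGet on Linux cannot encrypt
  # the stored credential, hence --store-password-in-clear-text: keep that
  # config outside the checkout (mktemp gives a 0600 file) and never commit it.
  [ -n "${NUGET_PRIVATE_REGISTRY_URL:-}" ] || return 0
  NUGET_CONFIG="${NUGET_CONFIG:-$(mktemp)}"
  printf '<configuration><packageSources><clear /></packageSources></configuration>\n' > "$NUGET_CONFIG"
  dotnet nuget add source "$NUGET_PRIVATE_REGISTRY_URL" --name private \
    --username "${NUGET_PRIVATE_REGISTRY_USERNAME:?}" \
    --password "${NUGET_PRIVATE_REGISTRY_TOKEN:?}" \
    --store-password-in-clear-text --configfile "$NUGET_CONFIG" || return 1
  if [ -n "${NUGET_REGISTRY_URL:-}" ]; then
    dotnet nuget add source "$NUGET_REGISTRY_URL" --name public --configfile "$NUGET_CONFIG" || return 1
  fi
  export NUGET_CONFIG
}

dotnet_analysis() {
  cfg="${DOTNET_PROJECT_CONFIGURATION:-Debug}"
  verb="${DOTNET_VERBOSITY:-minimal}"
  cd "${DOTNET_WORK_DIR:-${PROJECT_DIR:?}}" || return 1
  results="$PWD/TestResults"
  configure_private_feed || return 1

  set --
  [ -n "${DOTNET_CSPROJ_FILE_PATH:-}" ] && set -- "$DOTNET_CSPROJ_FILE_PATH"
  [ -n "${NUGET_CONFIG:-}" ] && set -- "$@" --configfile "$NUGET_CONFIG"
  retry_n "${DOTNET_RESTORE_ATTEMPT_COUNT:-3}" dotnet restore "$@" || return 1

  dotnet sonarscanner begin \
    /k:"${SONARQUBE_PROJECT_KEY:?}" \
    /n:"${SONARQUBE_PROJECT_NAME:-$SONARQUBE_PROJECT_KEY}" \
    /d:sonar.host.url="${SONARQUBE_URL:?}" \
    /d:sonar.token="${SONARQUBE_TOKEN:?}" \
    /d:sonar.qualitygate.wait="${SONARQUBE_QUALITYGATE_WAIT:-true}" \
    /d:sonar.cs.opencover.reportsPaths="$results/**/coverage.opencover.xml" || return 1
  # The DOTNET_CUSTOM_* and DOTNET_CSPROJ_* variables are word-split on purpose.
  dotnet build --no-restore -c "$cfg" -v "$verb" ${DOTNET_CSPROJ_FILE_PATH:-} \
    ${DOTNET_CUSTOM_BUILD_ARGUMENTS:-} || return 1
  if [ "${SKIP_DOTNET_TEST:-false}" != true ]; then
    dotnet test --no-build -c "$cfg" -v "$verb" ${DOTNET_CSPROJ_FILE_TEST_PATH:-} \
      --results-directory "$results" --collect:"XPlat Code Coverage" \
      ${DOTNET_CUSTOM_TEST_ARGUMENTS:-} \
      -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover || return 1
  fi
  dotnet sonarscanner end /d:sonar.token="$SONARQUBE_TOKEN"
}

if [ "${1:-}" = run ]; then dotnet_analysis; fi
```

The restore retry is the only step here that does not need the .NET SDK to exercise: `retry_n 3 some_command` returns success as soon as one attempt succeeds and fails after the third, matching what DOTNET_RESTORE_ATTEMPT_COUNT is meant to do.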
- SKIP_DEPENDENCY_CHECK_JOB=false - skip the DependencyCheck scan
- SKIP_SONARQUBE_PREPARE=false - skip project preconfiguration in SonarQube
- SKIP_SONARQUBE_SCANNER_JOB=false - skip the SonarQube Scanner
- SKIP_SONARQUBE_PERMISSIONS_SYNC=false - skip the permission sync
- SKIP_SONARQUBE_COVERAGE=false - skip the code coverage request

- SUPPORT_CONTACTS=https://github.com/sentoz/multi-sonarqube-scanner-cli/issues - contacts for feedback