How to set up GitHub SonarQube workflow on a pull request for .Net repositories
Learning Objectives
How to set up SonarQube locally
Set up a GitHub workflow with SonarCloud
Run SonarQube code analysis on pull request
Prerequisites
Git command line or GitHub Desktop installed.
A .Net Core or .Net Framework project created with Visual Studio or the dotnet command-line tool.
Getting Started
SonarQube enables developers to write cleaner and safer code.
Step 1: Set up SonarQube locally
Run locally for both .Net Core and .Net framework applications
Run SonarQube Locally — .Net: How to run SonarQube locally for .Net solutions (medium.com)
Step 2: Setup secrets in Github
Settings path: go to the repository on SonarCloud > Analysis Method > GitHub Actions.
Copy the details of SONAR_TOKEN as shown below and click Continue.
Add the secret created in SonarCloud to the GitHub repository settings, as shown below.
NOTE: The secret added here will be used in the “.yml” file in the workflow.
Step 3: Add workflow code in the “.yml” file
Go to the GitHub repository, click the “Actions” tab, and then click “Set up a workflow yourself,” as shown below.
Add the following code to the build.yml file, replacing these placeholders:
token_in_sonar (the /k: value): the project key from SonarCloud, or from the SonarQube instance running locally.
orgname (the /o: value): the organization key on SonarCloud; skip it if the project is not assigned to an organization.
sonar.host.url: either the localhost URL of your SonarQube instance or the SonarCloud URL.
name: Build
on:
  push:
    branches:
      - develop
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build
    runs-on: windows-latest
    steps:
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 1.11
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Cache SonarCloud packages
        uses: actions/cache@v1
        with:
          path: ~\sonar\cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache SonarCloud scanner
        id: cache-sonar-scanner
        uses: actions/cache@v1
        with:
          path: .\.sonar\scanner
          key: ${{ runner.os }}-sonar-scanner
          restore-keys: ${{ runner.os }}-sonar-scanner
      - name: Install SonarCloud scanner
        if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
        shell: powershell
        run: |
          New-Item -Path .\.sonar\scanner -ItemType Directory
          dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        shell: powershell
        run: |
          .\.sonar\scanner\dotnet-sonarscanner begin /k:"token_in_sonar" /o:"orgname" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build <.csproject file path>
          .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
Attention
The build command differs between .Net Core and .Net Framework.
For .Net Core, the build command used in the “.yml” file is:
dotnet build <Path to cs proj or solution file>
For .Net Framework, the build command used in the “.yml” file is:
MsBuild.exe /t:Rebuild
Step 4: Initiate the workflow
After code editing, click on the start commit button in the top-right corner and then click “Commit new file.”
That’s it: you have successfully integrated a GitHub workflow that analyzes a repository containing .Net Framework or .Net Core code.
Notes:
Now, for each pull request, two checks run:
Code build
SonarQube code analysis
Ideally, code should be merged to the main branch only if both checks pass. The two checks run in sequence, so if the build fails, the Sonar code analysis fails as well.
The workflow creates a new folder in the selected GitHub repository named “.github/workflows”, which contains the “.yml” file.
The “.yml” file is easy to update for any extra functionality.
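As an added example (not part of the original post), the following variant of the “Build and analyze” step makes the step itself fail when the SonarCloud quality gate fails, so the pull request check turns red instead of being purely informational. It assumes the scanner was installed under .\.sonar\scanner by the earlier steps; MY_PROJECT_KEY, MY_ORG and .\MySolution.sln are placeholders for your own project key, organization key and solution path. The token is read from the SONAR_TOKEN environment variable rather than interpolated into the script text, and each command's exit code is checked explicitly, because a PowerShell run step does not stop on a failed native command by itself.

```yaml
      - name: Build and analyze (fail the check when the quality gate fails)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets the scanner attach results to the PR
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # repository secret created in Step 2
        shell: powershell
        run: |
          # Placeholders: replace with your SonarCloud project key and organization key.
          $projectKey = "MY_PROJECT_KEY"
          $orgKey     = "MY_ORG"

          # sonar.qualitygate.wait makes the 'end' step poll SonarCloud for the quality
          # gate result and exit non-zero when the gate fails, which fails this step.
          .\.sonar\scanner\dotnet-sonarscanner begin `
            /k:"$projectKey" /o:"$orgKey" `
            /d:sonar.login="$env:SONAR_TOKEN" `
            /d:sonar.host.url="https://sonarcloud.io" `
            /d:sonar.qualitygate.wait=true `
            /d:sonar.qualitygate.timeout=300
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

          # .Net Core build; for .Net Framework use MsBuild.exe /t:Rebuild here instead.
          # Stop before the 'end' step if the build fails, so no partial analysis is uploaded.
          dotnet build .\MySolution.sln --no-incremental
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

          .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="$env:SONAR_TOKEN"
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
```

Two things to keep in mind when relying on this step as a merge gate: a failing check only blocks merging if it is marked as a required status check in the repository's branch protection rules, and pull_request runs triggered from forked repositories do not receive repository secrets, so SONAR_TOKEN is empty there and the scanner step will fail for that reason rather than because of the code.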
Sample analysis report from GitHub
Thank you for reading. Keep visiting and share this in your network. Please put your thoughts and feedback in the comments section.
Top comments (1)
Probably I should also write my own blog... for those who do not feel comfy sending code to a 3rd party SonarCloud but still want to have an airgapped solution. Check out sonarless. It has a CLI for local scan + works in GitHub Actions too. Essentially, it automates SonarQube install, setup and scanning on your local machine.