Sukhpinder Singh

Posted on • Originally published at singhsukhpinder.Medium

GitHub SonarQube workflow — .Net

How to set up GitHub SonarQube workflow on a pull request for .Net repositories

Learning Objectives

  • How to set up SonarQube locally

  • Set up a GitHub workflow with SonarCloud

  • Run SonarQube code analysis on each pull request

Prerequisites

  • Download the Git command line or GitHub Desktop

  • A .Net Core or .Net Framework project created with Visual Studio or the dotnet command-line utility.

Getting Started

SonarQube enables developers to write cleaner and safer code.

Step 1: How to set up and run SonarQube locally

This works for both .Net Core and .Net Framework applications; the setup is covered in the companion post “Run SonarQube Locally — .Net: How to run SonarQube locally for .Net solutions” on medium.com.

Step 2: Set up secrets in GitHub

**Settings Path:** Go to the repository on SonarCloud > Analysis Method > GitHub Actions

Copy the details of SONAR_TOKEN as shown below and click Continue.

Take the secret created in SonarCloud and add it to the repository settings (Secrets), as shown below.

NOTE: The secret added here will be used in the “.yml” file in the workflow.

Step 3: Go to the GitHub repository.

Click on the “Actions” tab and click on “Setup a workflow yourself,” as shown below.

Step 3 (continued): Add the workflow code to the “.yml” file

Update the following values in the build.yml file:

  • `token_in_sonar` (the `/k:` value): the project key of the project created in SonarCloud or in the locally running SonarQube.

  • `orgname` (the `/o:` value): the organization key; omit it if the repository is not under an organization on GitHub.

  • `sonar.host.url`: either a localhost URL (local SonarQube) or the SonarCloud URL.

```yaml
name: Build
on:
  push:
    branches:
      - develop
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build
    runs-on: windows-latest
    steps:
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 1.11
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Cache SonarCloud packages
        uses: actions/cache@v1
        with:
          path: ~\sonar\cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache SonarCloud scanner
        id: cache-sonar-scanner
        uses: actions/cache@v1
        with:
          path: .\.sonar\scanner
          key: ${{ runner.os }}-sonar-scanner
          restore-keys: ${{ runner.os }}-sonar-scanner
      - name: Install SonarCloud scanner
        if: steps.cache-sonar-scanner.outputs.cache-hit != 'true'
        shell: powershell
        run: |
          New-Item -Path .\.sonar\scanner -ItemType Directory
          dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # The secret created in Step 2; never paste the token itself here
        shell: powershell
        run: |
          # Replace token_in_sonar and orgname with your project key and organization key
          .\.sonar\scanner\dotnet-sonarscanner begin /k:"token_in_sonar" /o:"orgname" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          # The build must run between 'begin' and 'end' so the analyzers see the compiled project
          dotnet build <.csproject file path>
          .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
```
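As an added check that is not part of the original post, the following Python script lints a workflow file like the one above for the points this setup depends on: every `sonar.login` value must be a `${{ secrets.* }}` reference rather than a pasted literal, the checkout must use `fetch-depth: 0`, a `pull_request` trigger must exist, actions should be pinned to a tag or commit rather than a moving branch, and the scanner `begin`, the build, and the scanner `end` must appear in that order. It is deliberately line-based so it needs no YAML library. The two embedded workflows are constructed samples, and `sqp_placeholder_literal_token` is a placeholder, not a real token.

```python
"""Lint a GitHub Actions workflow that runs the Sonar scanner for .NET.

Added example (not the post's own code). Line-based on purpose: no PyYAML needed.
"""
from __future__ import annotations

import re

# A value is acceptable only if it is a GitHub secrets reference such as ${{ secrets.SONAR_TOKEN }}
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Captures the value passed to /d:sonar.login=, quoted or bare
LOGIN_ARG = re.compile(r'/d:sonar\.login=(?:"([^"]*)"|(\S+))')
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
MUTABLE_REFS = {"main", "master", "develop"}  # branch names that move; tags or SHAs are preferred


def lint_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means the workflow passes every check."""
    findings: list[str] = []
    lines = text.splitlines()

    for n, line in enumerate(lines, 1):
        for m in LOGIN_ARG.finditer(line):
            value = m.group(1) if m.group(1) is not None else m.group(2)
            if not SECRET_REF.match(value):
                findings.append("line %d: sonar.login is a literal, not a ${{ secrets.* }} reference" % n)
        m = USES_LINE.match(line)
        if m:
            parts = m.group(1).rsplit("@", 1)
            if len(parts) != 2 or parts[1] in MUTABLE_REFS:
                findings.append("line %d: action %r is not pinned to a tag or SHA" % (n, m.group(1)))

    if not any(re.match(r"^\s*fetch-depth:\s*0\b", l) for l in lines):
        findings.append("checkout is a shallow clone: set fetch-depth: 0 for accurate analysis")
    if not any(re.match(r"^\s*pull_request:", l) for l in lines):
        findings.append("no pull_request trigger: analysis will not run on pull requests")

    def first_index(pattern: str) -> int | None:
        for i, l in enumerate(lines):
            if re.search(pattern, l):
                return i
        return None

    begin = first_index(r"dotnet-sonarscanner\s+begin")
    build = first_index(r"\bdotnet build\b|(?i:msbuild)")  # .Net Core or .Net Framework build
    end = first_index(r"dotnet-sonarscanner\s+end")
    if begin is None or build is None or end is None:
        findings.append("scanner begin, the build, and scanner end must all be present")
    elif not (begin < build < end):
        findings.append("scanner begin must run before the build and scanner end after it")
    return findings


# Constructed sample: a trimmed version of the workflow above, correctly wired.
GOOD_WORKFLOW = """\
name: Build
on:
  push:
    branches:
      - develop
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build and analyze
        shell: powershell
        run: |
          .\\.sonar\\scanner\\dotnet-sonarscanner begin /k:"token_in_sonar" /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build MyApp.sln
          .\\.sonar\\scanner\\dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
"""

# Constructed sample with four problems: pasted token, unpinned action, shallow clone, no PR trigger.
BAD_WORKFLOW = """\
name: Build
on:
  push:
    branches: [develop]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@main
      - run: |
          dotnet-sonarscanner begin /k:"token_in_sonar" /d:sonar.login="sqp_placeholder_literal_token"
          dotnet build MyApp.sln
          dotnet-sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
"""

if __name__ == "__main__":
    for name, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(name, lint_workflow(wf) or "OK")
```

Run it against `.github/workflows/build.yml` from a pre-commit hook or a separate CI job; a non-empty findings list is the signal to block the change before a literal token ever lands in the repository history.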

Attention

The build command differs between .Net Core and .Net Framework.

For .Net Core, the build command used in the “.yml” file is:

```
dotnet build <Path to cs proj or solution file>
```

For .Net Framework, the build command used in the “.yml” file is:

```
MsBuild.exe /t:Rebuild
```
Step 4: Initiate the workflow

After editing the code, click the “Start commit” button in the top-right corner and then click “Commit new file.”

That’s it: you have successfully integrated a GitHub workflow that analyzes a repository containing .Net Framework or .Net Core code.

Notes:

Now, for each pull request, two checks will happen:

  • Code build

  • SonarQube code analysis

Ideally, code should be merged to the main branch only if both checks pass. The two checks run in sequence within the same job, so if the build fails, the Sonar code analysis will also fail.

  • The workflow creates a new folder in the selected GitHub repository named “.github/workflows”, which contains the “.yml” file.

  • The “.yml” file is easy to update for any extra functionality.

Sample analysis report from GitHub

Thank you for reading. Keep visiting and share this in your network. Please put your thoughts and feedback in the comments section.


Top comments (1)

Fredrick Chew

Probably I should also write my own blog... for those who do not feel comfy sending code to a 3rd-party SonarCloud but still want to have an air-gapped solution. Check out sonarless. It has a CLI for local scans and works in GitHub Actions too. Essentially, it automates SonarQube install, setup and scanning on your local machine.