SonarQube Scan Workflow

Run SonarQube or SonarCloud code quality analysis.

Overview

This workflow performs comprehensive code quality analysis using SonarQube or SonarCloud, checking for bugs, vulnerabilities, code smells, and code coverage.

When to Use

  • You need code quality analysis
  • You want to track technical debt
  • You need security vulnerability scanning
  • You want code coverage tracking

Inputs

Input               Type    Default         Description
sonar_platform      string  'sonarcloud'    Platform (sonarcloud, sonarqube)
sonar_organization  string  ''              SonarCloud organization
sonar_project_key   string  ''              Project key
coverage_paths      string  'coverage.xml'  Coverage report paths
sources             string  'src'           Source code paths

Secrets

Secret       Required  Description
sonar_token  Yes       SonarCloud/SonarQube token

Outputs

Output               Description
quality_gate_status  Quality gate pass/fail status
analysis_url         URL to analysis results

Usage Examples

SonarCloud Analysis

jobs:
  test:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_run_test.yaml@master
    with:
      python_version: '3.11'
      test_type: unit-test
      all_test_items_paths: test/unit_test/

  sonar:
    needs: test
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_sonarqube_scan.yaml@master
    secrets:
      sonar_token: ${{ secrets.SONAR_TOKEN }}
    with:
      sonar_platform: sonarcloud
      sonar_organization: my-org
      sonar_project_key: my-project

SonarQube Analysis

jobs:
  sonar:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_sonarqube_scan.yaml@master
    secrets:
      sonar_token: ${{ secrets.SONARQUBE_TOKEN }}
    with:
      sonar_platform: sonarqube
      sonar_project_key: my-project
      sources: 'src,lib'

With Coverage

jobs:
  test:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_run_test.yaml@master
    with:
      python_version: '3.11'
      test_type: unit-test
      all_test_items_paths: test/

  organize-coverage:
    needs: test
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_organize_test_cov_reports.yaml@master
    with:
      test_type: all-tests

  sonar:
    needs: organize-coverage
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_sonarqube_scan.yaml@master
    secrets:
      sonar_token: ${{ secrets.SONAR_TOKEN }}
    with:
      sonar_platform: sonarcloud
      sonar_organization: my-org
      sonar_project_key: my-project
      coverage_paths: 'coverage.xml'

How It Works

Step 1: Download Coverage

Downloads coverage reports from previous jobs:

- uses: actions/download-artifact@v4
  with:
    name: coverage-reports

Step 2: Run SonarScanner

Executes SonarScanner analysis:

sonar-scanner \
  -Dsonar.organization=$SONAR_ORG \
  -Dsonar.projectKey=$PROJECT_KEY \
  -Dsonar.sources=$SOURCES \
  -Dsonar.python.coverage.reportPaths=$COVERAGE_PATHS \
  -Dsonar.host.url=https://sonarcloud.io

Step 3: Quality Gate Check

Checks quality gate status:

curl -u $SONAR_TOKEN: \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=$PROJECT_KEY"
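The three steps above end with a raw API call; what the workflow has to do next is turn that JSON into the quality_gate_status output. The following is an added example, not code from the reusable workflow: it builds the same Basic auth header that `curl -u $SONAR_TOKEN:` sends (token as username, empty password) and evaluates a constructed project_status response, treating anything other than an explicit "OK" as a failed gate.

```python
"""Evaluate a SonarCloud/SonarQube quality gate response (added example)."""
import base64
import json

# Constructed sample response in the api/qualitygates/project_status shape:
# the gate failed because new-code coverage fell below the 80% condition.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "65.2"},
        ],
    }
})


def auth_header(token: str) -> str:
    """Authorization header equivalent to `curl -u $SONAR_TOKEN:`:
    the token is the username and the password is empty."""
    encoded = base64.b64encode(f"{token}:".encode()).decode()
    return f"Basic {encoded}"


def evaluate_quality_gate(body: str) -> tuple[str, list[str]]:
    """Return ("passed" | "failed", [descriptions of failed conditions]).

    Only an explicit "OK" projectStatus counts as passed, so an empty,
    malformed or truncated response can never be read as a passing gate.
    """
    try:
        status = json.loads(body).get("projectStatus", {})
    except (json.JSONDecodeError, AttributeError):
        return "failed", ["response was not a JSON object"]
    failed = [
        f"{c.get('metricKey')}: {c.get('actualValue')} {c.get('comparator')} "
        f"threshold {c.get('errorThreshold')}"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    gate = "passed" if status.get("status") == "OK" else "failed"
    return gate, failed


if __name__ == "__main__":
    result, reasons = evaluate_quality_gate(SAMPLE_RESPONSE)
    print(result, reasons)  # failed ['new_coverage: 65.2 LT threshold 80']
```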

Configuration

sonar-project.properties

Create configuration file:

sonar.projectKey=my-project
sonar.organization=my-org
sonar.sources=src
sonar.tests=test
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.version=3.11

# Exclusions
sonar.exclusions=**/migrations/**,**/tests/**
sonar.coverage.exclusions=**/tests/**,**/__init__.py

Quality Gate

Configure quality gate rules:

  • Coverage: Minimum 80%
  • Duplications: Maximum 3%
  • Maintainability: A rating
  • Reliability: A rating
  • Security: A rating

Metrics Tracked

Code Quality

  • Bugs: Potential bugs
  • Vulnerabilities: Security issues
  • Code Smells: Maintainability issues
  • Technical Debt: Estimated fix time

Coverage

  • Line Coverage: % of lines covered
  • Branch Coverage: % of branches covered
  • Condition Coverage: % of conditions covered

Complexity

  • Cyclomatic Complexity: Code complexity
  • Cognitive Complexity: Understanding difficulty

Duplications

  • Duplicated Lines: % of duplicated code
  • Duplicated Blocks: Number of duplications

Best Practices

1. Configure Exclusions

Exclude non-production code:

sonar.exclusions=**/tests/**,**/migrations/**,**/__pycache__/**
sonar.coverage.exclusions=**/tests/**

2. Set Quality Gates

Define minimum standards:

sonar.qualitygate.wait=true
sonar.qualitygate.timeout=300

3. Track Coverage

Include coverage reports:

sonar.python.coverage.reportPaths=coverage.xml,coverage-*.xml

4. Regular Scans

Run on every PR and merge:

on:
  pull_request:
  push:
    branches: [main]

Troubleshooting

Analysis Fails

Symptoms:

  • SonarScanner errors
  • Authentication failures

Solutions:

  1. Verify token:

     secrets:
       sonar_token: ${{ secrets.SONAR_TOKEN }}

  2. Check project key

  3. Verify organization name

Coverage Not Showing

Symptoms:

  • 0% coverage in SonarCloud
  • Coverage report not found

Solutions:

  1. Verify coverage path:

     coverage_paths: 'coverage.xml'

  2. Check coverage format (must be XML)

  3. Ensure coverage artifact uploaded

Quality Gate Fails

Symptoms:

  • Quality gate status: FAILED
  • Metrics below threshold

Solutions:

  1. Review analysis results
  2. Fix identified issues
  3. Adjust quality gate settings
  4. Improve test coverage

Additional Resources