├── .github ├── CODEOWNERS ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── PullRequestClosed.yml │ ├── PullRequestCreated.yml │ ├── RequestReview.yml │ ├── SubmitReview.yml │ ├── qa.yml │ └── update-tags.yml ├── .gitignore ├── LICENSE.txt ├── README.md ├── SECURITY.md ├── action.yml ├── images ├── SQ_Logo_Cloud_Dark_Backgrounds.png └── SQ_Logo_Cloud_Light_Backgrounds.png └── test ├── assertFileContains ├── assertFileDoesntExist └── assertFileExists /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | .github/CODEOWNERS @sonarsource/orchestration-processing-squad 2 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Part of 2 | 8 | -------------------------------------------------------------------------------- /.github/workflows/PullRequestClosed.yml: -------------------------------------------------------------------------------- 1 | name: Pull Request Closed 2 | 3 | on: 4 | pull_request: 5 | types: [closed] 6 | 7 | jobs: 8 | PullRequestClosed_job: 9 | name: Pull Request Closed 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | pull-requests: read 14 | # For external PR, ticket should be moved manually 15 | if: | 16 | github.event.pull_request.head.repo.full_name == github.repository 17 | steps: 18 | - id: secrets 19 | uses: SonarSource/vault-action-wrapper@v3 20 | with: 21 | secrets: | 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2 25 | with: 26 | github-token: ${{secrets.GITHUB_TOKEN}} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | -------------------------------------------------------------------------------- /.github/workflows/PullRequestCreated.yml: -------------------------------------------------------------------------------- 1 | name: Pull Request Created 2 | 3 | on: 4 | pull_request: 5 | types: ["opened"] 6 | 7 | jobs: 8 | PullRequestCreated_job: 9 | name: Pull Request Created 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | # For external PR, ticket should be created manually 14 | if: | 15 | github.event.pull_request.head.repo.full_name == github.repository 16 | steps: 17 | - id: secrets 18 | uses: SonarSource/vault-action-wrapper@v3 19 | with: 20 | secrets: | 21 | development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2 25 | with: 26 | github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | jira-project: SCSCANGHA 30 | -------------------------------------------------------------------------------- /.github/workflows/RequestReview.yml: -------------------------------------------------------------------------------- 1 | name: Request review 2 | 3 | on: 4 | pull_request: 5 | types: ["review_requested"] 6 | 7 | jobs: 8 | RequestReview_job: 9 | name: Request review 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | # For external PR, ticket should be moved manually 14 | if: | 15 | github.event.pull_request.head.repo.full_name == github.repository 16 | steps: 17 | - id: secrets 18 | uses: SonarSource/vault-action-wrapper@v3 19 | with: 20 | secrets: | 21 | development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2 25 | with: 26 | github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | -------------------------------------------------------------------------------- /.github/workflows/SubmitReview.yml: -------------------------------------------------------------------------------- 1 | name: Submit Review 2 | 3 | on: 4 | pull_request_review: 5 | types: [submitted] 6 | 7 | jobs: 8 | SubmitReview_job: 9 | name: Submit Review 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | pull-requests: read 14 | # For external PR, ticket should be moved manually 15 | if: | 16 | github.event.pull_request.head.repo.full_name == github.repository 17 | && (github.event.review.state == 'changes_requested' 18 | || github.event.review.state == 'approved') 19 | steps: 20 | - id: secrets 21 | uses: SonarSource/vault-action-wrapper@v3 22 | with: 23 | secrets: | 24 | development/kv/data/jira user | JIRA_USER; 25 | development/kv/data/jira token | JIRA_TOKEN; 26 | - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2 27 | with: 28 | github-token: ${{secrets.GITHUB_TOKEN}} 29 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 30 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 31 | -------------------------------------------------------------------------------- /.github/workflows/qa.yml: -------------------------------------------------------------------------------- 1 | name: QA 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | pull_request: 8 | types: [opened, synchronize, reopened] 9 | 10 | jobs: 11 | argsInputTest: 12 | name: > 13 | 'args' input 14 | strategy: 15 | matrix: 16 | os: [ ubuntu-latest, windows-latest, macos-latest ] 17 | runs-on: ${{ matrix.os }} 18 | steps: 19 | - uses: actions/checkout@v4 20 | with: 21 | token: ${{ secrets.GITHUB_TOKEN }} 22 | - name: Run action with args 23 | uses: ./ 24 | with: 25 | args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties 26 | env: 27 | SONAR_TOKEN: FAKE_TOKEN 28 | - name: Assert 29 | run: | 30 | ./test/assertFileContains ./output.properties "sonar.someArg=aValue" 31 | projectBaseDirInputTest: 32 | name: > 33 | 'projectBaseDir' input 34 | strategy: 35 | matrix: 36 | os: [ ubuntu-latest, windows-latest, macos-latest ] 37 | runs-on: ${{ matrix.os }} 38 | steps: 39 | - uses: actions/checkout@v4 40 | with: 41 | token: ${{ secrets.GITHUB_TOKEN }} 42 | - run: | 43 | mkdir -p ./baseDir 44 | - name: Run action with projectBaseDir 45 | uses: ./ 46 | with: 47 | args: -Dsonar.scanner.internal.dumpToFile=./output.properties 48 | projectBaseDir: ./baseDir 49 | env: 50 | SONAR_TOKEN: FAKE_TOKEN 51 | - name: Assert 52 | run: | 53 | ./test/assertFileContains ./output.properties "sonar.projectBaseDir=.*/baseDir" 54 | scannerVersionTest: 55 | name: > 56 | 'scannerVersion' input 57 | runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64 58 | steps: 59 | - uses: actions/checkout@v4 60 | with: 61 | token: ${{ secrets.GITHUB_TOKEN }} 62 | - name: Run action with scannerVersion 63 | uses: ./ 64 | with: 65 | scannerVersion: 6.1.0.4477 66 | args: -Dsonar.scanner.internal.dumpToFile=./output.properties 67 | env: 68 | NO_CACHE: true # force install-sonar-scanner-cli.sh execution 69 | SONAR_HOST_URL: http://not_actually_used 70 | SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' 71 | - name: Assert 72 | run: | 73 | ./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.1.0.4477-linux-x64.zip" 74 | scannerBinariesUrlTest: 75 | name: > 76 | 'scannerBinariesUrl' input with invalid URL 77 | runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64 78 | steps: 79 | - uses: actions/checkout@v4 80 | with: 81 | token: ${{ secrets.GITHUB_TOKEN }} 82 | - name: Run action with scannerBinariesUrl 83 | id: runTest 84 | uses: ./ 85 | continue-on-error: true 86 | with: 87 | scannerVersion: 6.2.1.4610 88 | scannerBinariesUrl: https://invalid_uri/Distribution/sonar-scanner-cli 89 | env: 90 | NO_CACHE: true # force install-sonar-scanner-cli.sh execution 91 | SONAR_HOST_URL: http://not_actually_used 92 | SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' 93 | - name: Fail if action succeeded 94 | if: steps.runTest.outcome == 'success' 95 | run: exit 1 96 | - name: Assert Sonar Scanner CLI was not downloaded 97 | run: | 98 | ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip" 99 | - name: Assert Sonar Scanner CLI was not executed 100 | run: | 101 | ./test/assertFileDoesntExist ./output.properties 102 | -------------------------------------------------------------------------------- /.github/workflows/update-tags.yml: -------------------------------------------------------------------------------- 1 | name: Update Tags 2 | 3 | on: 4 | push: 5 | tags: 6 | - v*.*.* 7 | 8 | jobs: 9 | generate: 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | contents: write 13 | 14 | steps: 15 | - name: Checkout 16 | uses: actions/checkout@v4 17 | 18 | - name: Parse semver 19 | uses: madhead/semver-utils@40bbdc6e50b258c09f35f574e83c51f60d2ce3a2 # v4.0.0 20 | id: version 21 | with: 22 | version: ${{ github.ref_name }} 23 | 24 | - name: Update tags 25 | run: | 26 | TAGS='v${{ steps.version.outputs.major }} v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}' 27 | 28 | for t in $TAGS; do 29 | git tag -f "$t" 30 | git push origin ":$t" 2>/dev/null || true 31 | git push origin "$t" 32 | done 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Scan your code with SonarQube Cloud [![QA](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml) 2 | 3 | > [!WARNING] 4 | > This action is deprecated and will be removed in a future release. 5 | > Please use the `sonarqube-scan-action` action instead. 6 | > The `sonarqube-scan-action` is a drop-in replacement for this action, you can find it [here](https://github.com/marketplace/actions/official-sonarqube-scan). 7 | 8 | This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/). 9 | 10 | ![Logo](./images/SQ_Logo_Cloud_Dark_Backgrounds.png#gh-dark-mode-only) 11 | ![Logo](./images/SQ_Logo_Cloud_Light_Backgrounds.png#gh-light-mode-only) 12 | 13 | SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection. 14 | 15 | It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). 16 | 17 | The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability. 18 | 19 | ## Requirements 20 | 21 | * Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case! 22 | * The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. 23 | 24 | ## Usage 25 | 26 | Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory: 27 | 28 | ```properties 29 | sonar.organization= 30 | sonar.projectKey= 31 | 32 | # relative paths to source directories. More details and properties are described 33 | # at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/ 34 | sonar.sources=. 35 | ``` 36 | 37 | The workflow, usually declared under `.github/workflows`, looks like: 38 | 39 | ```yaml 40 | on: 41 | # Trigger analysis when pushing to your main branches, and when creating a pull request. 42 | push: 43 | branches: 44 | - main 45 | - master 46 | - develop 47 | - 'releases/**' 48 | pull_request: 49 | types: [opened, synchronize, reopened] 50 | 51 | name: Main Workflow 52 | jobs: 53 | sonarqube: 54 | runs-on: ubuntu-latest 55 | steps: 56 | - uses: actions/checkout@v4 57 | with: 58 | # Disabling shallow clones is recommended for improving the relevancy of reporting 59 | fetch-depth: 0 60 | - name: SonarQube Scan 61 | uses: sonarsource/sonarcloud-github-action@ # Ex: v4.0.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan 62 | env: 63 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 64 | ``` 65 | 66 | ## Action parameters 67 | 68 | You can change the analysis base directory by using the optional input `projectBaseDir` like this: 69 | 70 | ```yaml 71 | - uses: sonarsource/sonarcloud-github-action@ 72 | with: 73 | projectBaseDir: app/src 74 | ``` 75 | 76 | In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option: 77 | 78 | ```yaml 79 | - uses: sonarsource/sonarcloud-github-action@ 80 | with: 81 | scannerVersion: 6.2.0.4584 82 | ``` 83 | 84 | In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option: 85 | 86 | ```yaml 87 | - uses: sonarsource/sonarcloud-github-action@ 88 | with: 89 | projectBaseDir: app/src 90 | args: > 91 | -Dsonar.organization=my-organization 92 | -Dsonar.projectKey=my-projectkey 93 | -Dsonar.python.coverage.reportPaths=coverage.xml 94 | -Dsonar.sources=lib/ 95 | -Dsonar.tests=tests/ 96 | -Dsonar.test.exclusions=tests/** 97 | -Dsonar.verbose=true 98 | ``` 99 | 100 | You can also specify the URL where to retrieve the SonarScanner CLI from. 101 | The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`. 102 | This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet: 103 | 104 | ```yaml 105 | - uses: sonarsource/sonarcloud-github-action@ 106 | with: 107 | scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ 108 | ``` 109 | 110 | More information about possible analysis parameters can be found in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation. 111 | 112 | ### Environment variables 113 | 114 | - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the [documentation](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). 115 | - *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* 116 | - `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of a secured proxy to SonarQube Cloud. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). 117 | 118 | Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore: 119 | 120 | ```yaml 121 | - uses: sonarsource/sonarcloud-github-action@ 122 | env: 123 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 124 | SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }} 125 | ``` 126 | 127 | If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this: 128 | 129 | ```yaml 130 | - uses: sonarsource/sonarcloud-github-action@ 131 | env: 132 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 133 | LC_ALL: "ru_RU.UTF-8" 134 | ``` 135 | 136 | ## Alternatives for Java, .NET, and C/C++ projects 137 | 138 | This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives: 139 | 140 | * Your code is built with Maven. Read the documentation about our [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/). 141 | * Your code is built with Gradle. Read the documentation about our [SonarScanner for Gradle](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/). 142 | * You want to analyze a .NET solution. Read the documentation about our [SonarScanner for .NET](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/). 143 | * You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=). 144 | 145 | ## Have questions or feedback? 146 | 147 | To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sc/9/github-actions). 148 | 149 | ## License 150 | 151 | Container images built with this project include third-party materials. 152 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Reporting Security Issues 2 | 3 | A mature software vulnerability treatment process is a cornerstone of a robust information security management system. Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users. 4 | 5 | If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately. 6 | 7 | To responsibly report a security issue, please email us at [security@sonarsource.com](mailto:security@sonarsource.com). Sonar’s security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel. 8 | 9 | For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly. 10 | 11 | ## Responsible Disclosure Policy 12 | 13 | For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/responsible-vulnerability-disclosure/9317). -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: SonarQube Cloud Scan 2 | description: > 3 | Scan your code with SonarQube Cloud to detect coding issues in 30+ 4 | languages. (Formerly SonarCloud) 5 | branding: 6 | icon: check 7 | color: green 8 | inputs: 9 | args: 10 | description: Additional arguments to the Sonar Scanner CLI 11 | required: false 12 | projectBaseDir: 13 | description: Set the sonar.projectBaseDir analysis property 14 | required: false 15 | scannerVersion: 16 | description: Version of the Sonar Scanner CLI to use 17 | required: false 18 | # to be kept in sync with the default version in the sonarqube-scan-action 19 | default: 7.0.2.4839 20 | scannerBinariesUrl: 21 | description: URL to download the Sonar Scanner CLI binaries from 22 | required: false 23 | default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli 24 | runs: 25 | using: "composite" 26 | steps: 27 | - name: Deprecation warning 28 | shell: bash 29 | run: | 30 | echo "::warning title=SonarScanner::This action is deprecated and will be removed in a future release. Please use the sonarqube-scan-action action instead. The sonarqube-scan-action is a drop-in replacement for this action." 31 | - name: SonarQube Cloud Scan 32 | uses: SonarSource/sonarqube-scan-action@v5.0.0 33 | with: 34 | args: ${{ inputs.args }} 35 | projectBaseDir: ${{ inputs.projectBaseDir }} 36 | scannerVersion: ${{ inputs.scannerVersion }} 37 | scannerBinariesUrl: ${{ inputs.scannerBinariesUrl }} 38 | -------------------------------------------------------------------------------- /images/SQ_Logo_Cloud_Dark_Backgrounds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SonarSource/sonarcloud-github-action/13a24e453e2e6262f3bb0c5fa8241031e637a028/images/SQ_Logo_Cloud_Dark_Backgrounds.png -------------------------------------------------------------------------------- /images/SQ_Logo_Cloud_Light_Backgrounds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SonarSource/sonarcloud-github-action/13a24e453e2e6262f3bb0c5fa8241031e637a028/images/SQ_Logo_Cloud_Light_Backgrounds.png -------------------------------------------------------------------------------- /test/assertFileContains: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eo pipefail 4 | 5 | error() { echo -e "\\e[31m✗ $*\\e[0m"; } 6 | 7 | . ${BASH_SOURCE%/*}/assertFileExists $1 8 | 9 | if ! grep -q $2 $1; then 10 | error "'$2' not found in '$1'" 11 | cat $1 12 | exit 1 13 | fi -------------------------------------------------------------------------------- /test/assertFileDoesntExist: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | error() { echo -e "\\e[31m✗ $*\\e[0m"; } 4 | 5 | if [ -f $1 ]; then 6 | error "File '$1' found" 7 | exit 1 8 | fi -------------------------------------------------------------------------------- /test/assertFileExists: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eo pipefail 4 | 5 | error() { echo -e "\\e[31m✗ $*\\e[0m"; } 6 | 7 | if [ ! -f $1 ]; then 8 | error "File '$1' not found" 9 | exit 1 10 | fi --------------------------------------------------------------------------------