Code Analysis with SonarCloud and Github Actions

With examples for .NET projects as well

In some of my previous posts, I mentioned that I use SonarCloud to do code analysis. By integrating SonarCloud with GitHub Actions, you can easily set up a pipeline that automatically runs a code analysis on every commit, providing real-time feedback on the quality of your code.

To use GitHub Actions and SonarCloud together, you will first need to create a new workflow file in your GitHub repository. This file should be named .github/workflows/sonarcloud.yml, and it should contain the following code:

name: SonarCloud

on: [push]

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: SonarCloud Analysis
        uses: sonarsource/sonarcloud-github-action@v1.8
        with:
          args: >
            -Dsonar.organization=<sonarcloud-organization>
            -Dsonar.projectKey=<project-key-from-sonarcloud>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

In this code, <sonarcloud-organization> should be replaced with the name of your organization on SonarCloud, and <project-key-from-sonarcloud> should be replaced with the project key shown in SonarCloud. You will also need to create a new secret in your repository settings, called SONAR_TOKEN, containing a token that allows the workflow to authenticate with SonarCloud (GITHUB_TOKEN needs no setup; GitHub Actions provides it automatically).

Once you have created the workflow file, you can push any code changes to your repository, and the workflow will automatically run on the latest commit. The results of the analysis will be available on the SonarCloud website, where you can view detailed reports and insights into the quality of your code.
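Before committing the workflow (either the template above or the .NET variant further down), it is worth checking that the placeholders were actually replaced, that the SonarCloud token reaches the scanner only through the SONAR_TOKEN secret and never as a `-Dsonar.login=`/`-Dsonar.token=` argument in the job log, and that every action is pinned. The following linter is an added example, not code from the original post or from SonarSource; it is line-based rather than a YAML parser, and the `BAD` workflow it checks is a constructed sample.

```python
"""Lint a SonarCloud GitHub Actions workflow before committing it.

Added example, not from the original post. Stdlib only; it scans the file
line by line (no YAML parser) for the copy-paste mistakes that matter most:
placeholders left in, the token pasted into args instead of coming from the
SONAR_TOKEN secret, and actions that are not pinned to a version or commit.
"""
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")                 # e.g. <project-key-from-sonarcloud>
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")          # uses: owner/action@ref
INLINE_TOKEN = re.compile(r"-Dsonar\.(login|token)=")  # token on the command line
TOKEN_ENV = re.compile(r"^\s*SONAR_TOKEN:\s*\$\{\{\s*secrets\.SONAR_TOKEN\s*\}\}")


def check_workflow(text):
    """Return a list of findings; an empty list means the workflow looks sane."""
    findings = []
    token_from_secret = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment
        hit = PLACEHOLDER.search(line)
        if hit:
            findings.append(f"line {lineno}: placeholder {hit.group()} not replaced")
        if INLINE_TOKEN.search(line):
            findings.append(f"line {lineno}: token in args; pass it via env SONAR_TOKEN")
        step = USES.match(line)
        if step and "@" not in step.group(1):
            findings.append(f"line {lineno}: action {step.group(1)} is not pinned")
        if TOKEN_ENV.match(line):
            token_from_secret = True
    if not token_from_secret:
        findings.append("SONAR_TOKEN is not set from secrets.SONAR_TOKEN")
    return findings


# Constructed sample with four mistakes: unpinned checkout, placeholder left in,
# token pasted into args, and no SONAR_TOKEN taken from the repository secret.
BAD = """\
steps:
  - uses: actions/checkout
  - uses: sonarsource/sonarcloud-github-action@v1.8
    with:
      args: >
        -Dsonar.organization=<sonarcloud-organization>
        -Dsonar.login=abc123
"""

if __name__ == "__main__":
    for finding in check_workflow(BAD):
        print(finding)
```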

Analyzing .NET projects

To use GitHub Actions to do a SonarCloud analysis of a .NET repository, you will need a slightly different workflow file from the one in the previous example, because a .NET project has to be built before it can be analyzed, unlike the other languages the previous workflow covers. Add this snippet before the analysis step:

      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.x
      - name: Build and test
        run: dotnet build --configuration Release

So that the final file looks like this:

name: SonarCloud

on: [push]

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.x
      - name: Build and test
        run: dotnet build --configuration Release
      - name: SonarCloud Analysis
        uses: SonarSource/sonarcloud-github-action@v1.8
        with:
          args: >
            -Dsonar.organization=<sonarcloud-organization>
            -Dsonar.projectKey=<project-key-from-sonarcloud>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

This workflow file does two additional things: it sets up the .NET SDK, and it builds the code before running the analysis (the step is named "Build and test", but as written it only runs dotnet build; add a dotnet test command to that step if you also want the tests to run). Once you push any code changes to your repository, the workflow will run automatically, and you can view the results of the analysis on the SonarCloud website.

Final Words

One of the benefits of using GitHub Actions and SonarCloud together is that you can easily customize your pipeline to fit your specific needs. For example, if you are working on a .NET project, you can add additional steps to your workflow file to set up the .NET environment and build and test your code before running the analysis.

Overall, integrating GitHub Actions and SonarCloud can help improve the quality of your code and make your development process more efficient. By automating static code analysis, you can save time and effort, and focus on delivering high-quality software to your users.
