Code Analysis with SonarCloud and GitHub Actions
With examples for .NET projects
In some of my previous posts, I mentioned that I use SonarCloud to do code analysis. By integrating SonarCloud with GitHub Actions, you can easily set up a pipeline that automatically runs a code analysis on every commit, providing real-time feedback on the quality of your code.
To use GitHub Actions and SonarCloud together, you will first need to create a new workflow file in your GitHub repository. This file should be named .github/workflows/sonarcloud.yml, and it should contain the following code:
name: SonarCloud
on: [push]
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so the scanner can read the sources
      - uses: actions/checkout@v2
      # Run the SonarCloud scan against the checked-out code
      - name: SonarCloud Analysis
        uses: sonarsource/sonarcloud-github-action@v1.8
        with:
          args: >
            -Dsonar.organization=<sonarcloud-organization>
            -Dsonar.projectKey=<project-key-from-sonarcloud>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
In this code, <sonarcloud-organization> should be replaced with the name of your organization on SonarCloud and <project-key-from-sonarcloud> should be replaced with the key from SonarCloud. You will also need to create a new secret in your repository settings, called SONAR_TOKEN, which should contain a token that allows the workflow to authenticate with SonarCloud.
Once you have created the workflow file, you can push any code changes to your repository, and the workflow will automatically run on the latest commit. The results of the analysis will be available on the SonarCloud website, where you can view detailed reports and insights into the quality of your code.
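A hardened variant of the workflow above, added here as an example and not part of the original post: it limits the automatic GITHUB_TOKEN to read-only scopes, pins both actions to a commit instead of a movable tag, and keeps the checkout token out of the working copy. The <full-commit-sha> values are placeholders to fill in with the commits you have reviewed, and the permissions block assumes the scan only needs to read repository contents and pull request metadata.

```yaml
name: SonarCloud
on: [push]

# Assumption: read-only access is enough for the scan. Anything not listed
# here is denied to GITHUB_TOKEN for every job in this workflow.
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      # Placeholder SHA: a tag such as v2 can be moved to different code,
      # a full commit SHA cannot.
      - uses: actions/checkout@<full-commit-sha>
        with:
          fetch-depth: 0              # full history instead of a shallow clone
          persist-credentials: false  # do not store the token in .git/config
      - name: SonarCloud Analysis
        uses: sonarsource/sonarcloud-github-action@<full-commit-sha>
        with:
          args: >
            -Dsonar.organization=<sonarcloud-organization>
            -Dsonar.projectKey=<project-key-from-sonarcloud>
        env:
          # Both secrets are scoped to this step only, not to the whole job
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```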
Analyzing .NET projects
To use GitHub Actions to do a SonarCloud analysis of a .NET repository, you will need to use a slightly different workflow file than the one provided in the previous example. This is because the .NET build process is slightly different than the one used for other languages. You need to add this snippet:
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.x
      - name: Build and test
        run: dotnet build --configuration Release
So that the final file looks like this:
name: SonarCloud
on: [push]
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so the build and the scanner can read the sources
      - uses: actions/checkout@v2
      # Install the .NET SDK used by the build step
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.x
      - name: Build and test
        run: dotnet build --configuration Release
      # Run the SonarCloud scan after the build has completed
      - name: SonarCloud Analysis
        uses: SonarSource/sonarcloud-github-action@v1.8
        with:
          args: >
            -Dsonar.organization=<sonarcloud-organization>
            -Dsonar.projectKey=<project-key-from-sonarcloud>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
This workflow file does two additional things: it sets up the .NET environment, and it builds and tests the code before running the analysis. Once you push any code changes to your repository, the workflow will automatically run, and you can view the results of the analysis on the SonarCloud website.
Final Words
One of the benefits of using GitHub Actions and SonarCloud together is that you can easily customize your pipeline to fit your specific needs. For example, if you are working on a .NET project, you can add additional steps to your workflow file to set up the .NET environment and build and test your code before running the analysis.
Overall, integrating GitHub Actions and SonarCloud can help improve the quality of your code and make your development process more efficient. By automating static code analysis, you can save time and effort, and focus on delivering high-quality software to your users.