SonarQube Action

Check the Quality Gate of your code with SonarQube to ensure your code meets your own quality standards before you release or deploy new features.
SonarQube is the leading product for Continuous Code Quality & Code Security. It supports most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and many more.
Requirements
A previous step must have run an analysis on your code.
Read more information on how to analyze your code here﻿
Usage
The workflow YAML file will usually look something like this:
YAML
on:
  # Trigger analysis when pushing in master or pull requests, and when creating
  # a pull request. 
  push:
    branches:
      - master
  pull_request:
      types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting.
        fetch-depth: 0

    # Triggering SonarQube analysis as results of it are required by Quality Gate check.
    - name: SonarQube Scan
      uses: opsverseio/sonarqube-quality-gate-[email protected]
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        # Sets the metadata (quality gate status) of a project as the output. Check https://sonarcloud.io/web_api/api/qualitygates/project_status?deprecated=false&section=response for more details on the metadata that SonarQube server returns.
        SET_SONAR_PROJECT_STATUS: true 

    # Check the Quality Gate status.
    - name: SonarQube Quality Gate check
      id: sonarqube-quality-gate-check
      uses: opsverseio/sonarqube-quality-gate-[email protected]
      # Force to fail step after specific time.
      timeout-minutes: 5
      env:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL
       SET_SONAR_PROJECT_STATUS: true 

    # Optionally you can use the output from the Quality Gate in another step.
    # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`.
    - name: "Example show SonarQube Quality Gate Status value"
      run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}"
on:
  # Trigger analysis when pushing in master or pull requests, and when creating
  # a pull request. 
  push:
    branches:
      - master
  pull_request:
      types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting.
        fetch-depth: 0

    # Triggering SonarQube analysis as results of it are required by Quality Gate check.
    - name: SonarQube Scan
      uses: opsverseio/sonarqube-quality-gate-action@0.1.0
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        # Sets the metadata (quality gate status) of a project as the output. Check https://sonarcloud.io/web_api/api/qualitygates/project_status?deprecated=false&section=response for more details on the metadata that SonarQube server returns.
        SET_SONAR_PROJECT_STATUS: true 

    # Check the Quality Gate status.
    - name: SonarQube Quality Gate check
      id: sonarqube-quality-gate-check
      uses: opsverseio/sonarqube-quality-gate-action@0.1.0
      # Force to fail step after specific time.
      timeout-minutes: 5
      env:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL
       SET_SONAR_PROJECT_STATUS: true 

    # Optionally you can use the output from the Quality Gate in another step.
    # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`.
    - name: "Example show SonarQube Quality Gate Status value"
      run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}"
﻿
Make sure to set up timeout-minutesproperty in your step, to avoid wasting action minutes per month (see above example).
When using this action with sonarsource/sonarqube-scan action or with C/C++ code analysis you don't have to provide scanMetadataReportFileinput, otherwise you should alter the location of it.
Typically, report metadata file for different scanners can vary and can be located in:
target/sonar/report-task.txt
build/sonar/report-task.txt
.sonarqube/out/.sonar/report-task.txt
Example usage:
﻿
YAML
- name: SonarQube Quality Gate check
  uses: opsverseio/sonarqube-quality-gate-[email protected]
  with:
    scanMetadataReportFile: target/sonar/report-task.txt
- name: SonarQube Quality Gate check
  uses: opsverseio/sonarqube-quality-gate-action@0.1.0
  with:
    scanMetadataReportFile: target/sonar/report-task.txt
﻿
Environment variables
SONAR_TOKEN – Required this is the token used to authenticate access to SonarQube. You can read more about security tokens here. You can set the SONAR_TOKEN environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
SONAR_HOST_URL – Optional this tells the scanner where SonarQube is hosted, otherwise it will get the one from the scan report. You can set the SONAR_HOST_URL environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
SONAR_ROOT_CERT – Holds an additional root certificate (in PEM format) that is used to validate the SonarQube server certificate. You can set the SONAR_ROOT_CERT environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
SET_SONAR_PROJECT_STATUS - Sets the metadata (quality gate status) of a project as the output. Check https://sonarcloud.io/web_api/api/qualitygates/project_status?deprecated=false&section=response for more details on the metadata that SonarQube server returns.
﻿
Did this page help you?
CI/CD with GitHub Actions
OPA Policy Check Action