SonarQube Action
Check the Quality Gate of your code with SonarQube (https://www.sonarqube.org/) to ensure your code meets your own quality standards before you release or deploy new features.

SonarQube is the leading product for Continuous Code Quality & Code Security. It supports most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and many more.

Requirements

A previous step must have run an analysis on your code.

Read more information on how to analyze your code here: https://docs.sonarqube.org/latest/analysis/github-integration/

Usage

The workflow YAML file will usually look something like this:

```yaml
on:
  # Trigger analysis when pushing in master or pull requests, and when creating
  # a pull request.
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting.
          fetch-depth: 0

      # Triggering SonarQube analysis as results of it are required by Quality Gate check.
      - name: SonarQube Scan
        uses: opsverseio/sonarqube-quality-gate-action@0.1.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
          # Sets the metadata (quality gate status) of a project as the output. Check
          # https://sonarcloud.io/web_api/api/qualitygates/project_status?deprecated=false&section=response
          # for more details on the metadata that SonarQube server returns.
          SET_SONAR_PROJECT_STATUS: true

      # Check the Quality Gate status.
      - name: SonarQube Quality Gate check
        id: sonarqube-quality-gate-check
        uses: opsverseio/sonarqube-quality-gate-action@0.1.0
        # Force to fail step after specific time.
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} #OPTIONAL
          SET_SONAR_PROJECT_STATUS: true

      # Optionally you can use the output from the Quality Gate in another step.
      # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN` or `FAILED`.
      - name: "Example show SonarQube Quality Gate Status value"
        run: echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}"
```

Make sure to set up the `timeout-minutes` property in your step, to avoid wasting action minutes per month (see above example).

When using this action with the sonarsource/sonarqube-scan action (https://github.com/sonarsource/sonarqube-scan-action) or with C/C++ code analysis (https://docs.sonarqube.org/latest/analysis/languages/cfamily/) you don't have to provide the `scanMetadataReportFile` input, otherwise you should alter the location of it.

Typically, the report metadata file for different scanners can vary and can be located in:

- `target/sonar/report-task.txt`
- `build/sonar/report-task.txt`
- `.sonarqube/out/.sonar/report-task.txt`

Example usage:

```yaml
- name: SonarQube Quality Gate check
  uses: opsverseio/sonarqube-quality-gate-action@0.1.0
  with:
    scanMetadataReportFile: target/sonar/report-task.txt
```

Environment variables

- `SONAR_TOKEN` – Required. This is the token used to authenticate access to SonarQube. You can read more about security tokens here: https://docs.sonarqube.org/latest/user-guide/user-token/. You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_HOST_URL` – Optional. This tells the scanner where SonarQube is hosted, otherwise it will get the one from the scan report. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_ROOT_CERT` – Holds an additional root certificate (in PEM format) that is used to validate the SonarQube server certificate. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SET_SONAR_PROJECT_STATUS` – Sets the metadata (quality gate status) of a project as the output. Check https://sonarcloud.io/web_api/api/qualitygates/project_status?deprecated=false&section=response for more details on the metadata that SonarQube server returns.
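
When `SONAR_HOST_URL` is not set, the server address is taken from the scan report, so `SONAR_TOKEN` is sent wherever that file points. The script below is an added example (not part of the action or of the original page) that locates the report metadata file and checks its `serverUrl` against a pinned HTTPS host before the gate step runs; the helper names, the `example.com` host and the sample file contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the SonarQube server named in report-task.txt before
# SONAR_TOKEN is sent to it. Helper names are hypothetical.

# Print the first report metadata file found under $1, using the three
# locations listed on this page.
find_report_task() {
  local root="$1" rel
  for rel in target/sonar/report-task.txt \
             build/sonar/report-task.txt \
             .sonarqube/out/.sonar/report-task.txt; do
    if [ -f "$root/$rel" ]; then
      printf '%s\n' "$root/$rel"
      return 0
    fi
  done
  return 1
}

# Print the value of key $2 from file $1. Lines are key=value; only the
# leading "key=" is stripped, because URL values contain '=' themselves.
report_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only if serverUrl is HTTPS and equals the expected URL $2
# (a trailing slash on either side is ignored).
server_url_is_pinned() {
  local url
  url="$(report_value "$1" serverUrl)"
  case "$url" in https://*) ;; *) return 1 ;; esac
  [ "${url%/}" = "${2%/}" ]
}

# Constructed sample report file (not real scanner output).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/build/sonar"
cat > "$demo_root/build/sonar/report-task.txt" <<'EOF'
projectKey=demo-project
serverUrl=https://sonarqube.example.com
ceTaskId=AXexampleTaskId
ceTaskUrl=https://sonarqube.example.com/api/ce/task?id=AXexampleTaskId
EOF

report="$(find_report_task "$demo_root")"
if server_url_is_pinned "$report" "https://sonarqube.example.com"; then
  echo "serverUrl matches the pinned host"
fi
```

In a workflow, a check like this would run as its own step after the scan and before the quality gate step, failing the job when the report names an unexpected server.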