diff --git a/README.md b/README.md index 99428e9..7a40440 100644 --- a/README.md +++ b/README.md 
@@ -1,131 +1,150 @@ -# Analyze your code for free with SonarCloud +# Scan your code with SonarQube Cloud [![QA](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarcloud-github-action/actions/workflows/qa.yml) -This SonarSource project, available as a GitHub Action, scans your projects with SonarCloud, and helps developers produce -[Clean Code](https://www.sonarsource.com/solutions/clean-code/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonarqube-scan-action). +> [!WARNING] +> This action is deprecated and will be removed in a future release. +> Please use the `sonarqube-scan-action` action instead. +> The `sonarqube-scan-action` is a drop-in replacement for this action. - +This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/). -[SonarCloud](https://www.sonarsource.com/products/sonarcloud/) is a widely used static analysis solution for continuous code quality and security inspection. -It helps developers identify and fix issues in their code that could lead to bugs, vulnerabilities, or decreased development velocity. -SonarCloud supports the most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). +![Logo](./images/SQ_Logo_Cloud_Dark_Backgrounds.png#gh-dark-mode-only) +![Logo](./images/SQ_Logo_Cloud_Light_Backgrounds.png#gh-light-mode-only) + +SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection. + +It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). 
+ +The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability. ## Requirements -* Create your account on SonarCloud. Sign up for free now if it's not already the case! [SonarCloud Sign up](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) -* The repository to analyze is set up on SonarCloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. +* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case! +* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. ## Usage Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory: ```properties -sonar.organization= -sonar.projectKey= +sonar.organization= +sonar.projectKey= # relative paths to source directories. More details and properties are described -# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ +# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/ sonar.sources=. ``` -The workflow, usually declared in `.github/workflows/build.yml`, looks like: +The workflow, usually declared under `.github/workflows`, looks like: ```yaml on: - # Trigger analysis when pushing in master or pull requests, and when creating - # a pull request. + # Trigger analysis when pushing to your main branches, and when creating a pull request. 
push: branches: + - main - master + - develop + - 'releases/**' pull_request: types: [opened, synchronize, reopened] + name: Main Workflow jobs: - sonarcloud: + sonarqube: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: - # Disabling shallow clone is recommended for improving relevancy of reporting + # Disabling shallow clones is recommended for improving the relevancy of reporting fetch-depth: 0 - - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + - name: SonarQube Scan + uses: sonarsource/sonarcloud-github-action@ # Ex: v4.0.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} ``` +## Action parameters + You can change the analysis base directory by using the optional input `projectBaseDir` like this: ```yaml -uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan -with: - projectBaseDir: my-custom-directory +- uses: sonarsource/sonarcloud-github-action@ + with: + projectBaseDir: app/src +``` + +In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option: + +```yaml +- uses: sonarsource/sonarcloud-github-action@ + with: + scannerVersion: 6.2.0.4584 ``` -In case you need to add additional analysis parameters, you can use the `args` option: +In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option: ```yaml -- name: Analyze with SonarCloud - uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan +- uses: sonarsource/sonarcloud-github-action@ with: - projectBaseDir: my-custom-directory + projectBaseDir: app/src args: > -Dsonar.organization=my-organization 
-Dsonar.projectKey=my-projectkey -Dsonar.python.coverage.reportPaths=coverage.xml -Dsonar.sources=lib/ - -Dsonar.test.exclusions=tests/** -Dsonar.tests=tests/ + -Dsonar.test.exclusions=tests/** -Dsonar.verbose=true ``` -More information about possible analysis parameters is found in the documentation at: -https://docs.sonarcloud.io/advanced-setup/analysis-parameters - -In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option: +You can also specify the URL where to retrieve the SonarScanner CLI from. +The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`. +This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet: ```yaml -uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan -with: - scannerVersion: 6.2.0.4584 +- uses: sonarsource/sonarcloud-github-action@ + with: + scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ ``` -See also example configurations at: -https://github.com/sonarsource/sonarcloud-github-action-samples/ +More information about possible analysis parameters can be found in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation. -### Secrets +### Environment variables -- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarCloud. You can generate a token on your [Security page in SonarCloud](https://sonarcloud.io/account/security/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository. +- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. 
You can read more about security tokens in the [documentation](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). - *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* +- `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of a secured proxy to SonarQube Cloud. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). -## Error cleaning up workspace +Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore: -In some cases, the checkout action may fail to clean up the workspace. This is a known problem for GitHub actions implemented as a docker container (such as `sonarcloud-github-actions`) when self-hosted runners are used. -Example of the error message: `File was unable to be removed Error: EACCES: permission denied, unlink '/actions-runner/_work//project/.scannerwork/.sonar_lock'` -To work around the problem, `sonarcloud-github-action` attempts to fix the permission of the temporary files that it creates. If that doesn't work, you can manually clean up the workspace by running the following action: -``` -- name: Clean the workspace - uses: docker://alpine - with: - args: /bin/sh -c "find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +" +```yaml +- uses: sonarsource/sonarcloud-github-action@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }} ``` -You can find more info [here](https://github.com/actions/runner/issues/434). 
-## Example of pull request analysis +If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this: - +```yaml +- uses: sonarsource/sonarcloud-github-action@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + LC_ALL: "ru_RU.UTF-8" +``` -Want to see more examples of SonarCloud in action? You can [explore current Open Source projects in SonarCloud](https://sonarcloud.io/explore/projects?sort=-analysis_date?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) that are using the Clean as You Code methodology. +## Alternatives for Java, .NET, and C/C++ projects -## Do not use this GitHub action if you are in the following situations +This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives: -* Your code is built with Maven: run 'org.sonarsource.scanner.maven:sonar' during the build -* Your code is built with Gradle: use the SonarQube plugin for Gradle during the build -* You want to analyze a .NET solution: Follow our interactive tutorial for GitHub Actions after importing your project directly into SonarCloud -* You want to analyze C and C++ code: rely on our [SonarCloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) and look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=) +* Your code is built with Maven. Read the documentation about our [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/). +* Your code is built with Gradle. Read the documentation about our [SonarScanner for Gradle](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/). +* You want to analyze a .NET solution. 
Read the documentation about our [SonarScanner for .NET](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/). +* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=). ## Have questions or feedback? -To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/) with the tag `sonarcloud`. +To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sc/9/github-actions). ## License diff --git a/action.yml b/action.yml index 9573796..f4d07e9 100644 --- a/action.yml +++ b/action.yml @@ -1,4 +1,4 @@ -name: SonarCloud Scan +name: SonarQube Cloud Scan description: > Scan your code with SonarQube Cloud to detect coding issues in 30+ languages, frameworks, and IaC platforms. diff --git a/images/SQ_Logo_Cloud_Dark_Backgrounds.png b/images/SQ_Logo_Cloud_Dark_Backgrounds.png new file mode 100644 index 0000000..9e9a1f4 Binary files /dev/null and b/images/SQ_Logo_Cloud_Dark_Backgrounds.png differ diff --git a/images/SQ_Logo_Cloud_Light_Backgrounds.png b/images/SQ_Logo_Cloud_Light_Backgrounds.png new file mode 100644 index 0000000..4a7f25e Binary files /dev/null and b/images/SQ_Logo_Cloud_Light_Backgrounds.png differ diff --git a/images/SonarCloud-72px.png b/images/SonarCloud-72px.png deleted file mode 100644 index 98ce8c1..0000000 Binary files a/images/SonarCloud-72px.png and /dev/null differ 
diff --git a/images/SonarCloud-analysis-in-Checks.png b/images/SonarCloud-analysis-in-Checks.png deleted file mode 100644 index 2f025a4..0000000 Binary files a/images/SonarCloud-analysis-in-Checks.png and /dev/null differ
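Review bot: In the README hunk, the new `scannerBinariesUrl` section documents overriding the scanner download location but says nothing about how the downloaded CLI is validated; since whatever archive is served from that URL runs in the job with `SONAR_TOKEN` in its environment, the paragraph should state whether the action verifies the archive (checksum or signature) against the custom source or whether the operator is trusting that host outright, and it should recommend an HTTPS URL with a trusted certificate (which is also where the new `SONAR_ROOT_CERT` variable becomes relevant, so a cross-reference between the two sections would help). Two smaller points in the same hunk: the deprecation warning names `sonarqube-scan-action` without linking to it, so add the repository or marketplace link next to "drop-in replacement"; and the removed "Error cleaning up workspace" section drops the only pointer to the self-hosted-runner permission problem (actions/runner issue 434) without saying it was fixed, so either keep a short troubleshooting note or say in the deprecation text that the replacement action handles it.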
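Review bot: In the action.yml hunk, only `name` is updated while the README declares the whole action deprecated; the `description` that marketplace users actually see still reads as a current, supported action, so consider prefixing it with the deprecation notice and the name of `sonarqube-scan-action`, since README warnings are not shown in the marketplace listing.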