
How to Use and Configure SonarCloud GitHub Action

SonarSource/sonarcloud-github-action - GitHub Action - v2.2.0
Usage
```yaml
on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full clone: shallow clones reduce the relevancy of the analysis
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@<action version> # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```


sonarcloud-github-action

Integrate SonarCloud code analysis to GitHub Actions


This document describes how to set up the SonarCloud GitHub Action so that code analysis runs as part of a CI/CD pipeline, maintaining code quality through automated static analysis.

Running SonarCloud from GitHub Actions checks every change automatically for quality and security issues, which noticeably improves the health of the codebase over time.

SonarCloud detects bugs, code smells, and security vulnerabilities before a change is merged, so that only code meeting the quality gate reaches the main branch.

How to Change the Analysis Base Directory?

  1. Setting Project Base Directory:

    • You can change the analysis base directory with the optional input projectBaseDir.

```yaml
- uses: sonarsource/sonarcloud-github-action@<action version> # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
  with:
    projectBaseDir: my-custom-directory
```

This is useful when your project is not located at the root of the repository.

How to Add Additional Analysis Parameters?

  1. Using Additional Analysis Parameters:

    • If you need to pass extra parameters to the analysis, use the args option.

```yaml
- name: Analyze with SonarCloud
  uses: sonarsource/sonarcloud-github-action@<action version> # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
  with:
    projectBaseDir: my-custom-directory
    args: >
      -Dsonar.organization=my-organization
      -Dsonar.projectKey=my-projectkey
      -Dsonar.python.coverage.reportPaths=coverage.xml
      -Dsonar.sources=lib/
      -Dsonar.test.exclusions=tests/**
      -Dsonar.tests=tests/
      -Dsonar.verbose=true
```

This allows fine-tuning the analysis parameters to match the project’s requirements.

How to Set Secrets for SonarCloud Action?

  1. Setting Up Secrets:
    • SONAR_TOKEN: This is required to authenticate access to SonarCloud. Generate a token on your SonarCloud Security page and set it in the "Secrets" settings page of your repository.
    • GITHUB_TOKEN: This is provided by GitHub for authentication. Refer to GitHub's documentation on how to use it.

Properly managing secrets ensures secure and authenticated access to SonarCloud.

How to Clean the Workspace Manually?

  1. Manual Workspace Cleanup:

    • If the workspace is not cleaned up on checkout, use the following step to clean it manually.

```yaml
- name: Clean the workspace
  uses: docker://alpine
  with:
    args: /bin/sh -c "find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +"
```

This helps resolve permission issues that may occur with self-hosted runners.
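The same cleanup step with a guard in front of the `rm -rf`, as an added example that is not from the action's README: the script refuses to run when GITHUB_WORKSPACE is unset, empty or `/`, so a misconfigured self-hosted runner cannot point the recursive delete at the container's root or at mounted paths the step was never meant to touch. The guard and its message are this example's own; the find command is the one shown above.

```yaml
# Added example (not part of the action's README). Same docker://alpine
# cleanup as above, guarded so the delete only ever runs inside the workspace.
- name: Clean the workspace (guarded)
  uses: docker://alpine
  with:
    # Folded scalar: YAML joins these lines into one command string. The runner
    # splits it into arguments and keeps the double-quoted script as the single
    # argument to "sh -c"; ${GITHUB_WORKSPACE} is expanded by the shell inside
    # the container, not by the workflow engine.
    args: >-
      /bin/sh -c "
      [ -n \"${GITHUB_WORKSPACE}\" ] && [ \"${GITHUB_WORKSPACE}\" != / ]
      || { echo \"refusing to clean: GITHUB_WORKSPACE is unset or /\" >&2; exit 1; };
      find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +"
```

The step still runs as root inside the Alpine container, which is what lets it remove files a previous containerized job left behind with root ownership; the guard only changes what happens when the environment is wrong, turning a destructive default into a failed step with a clear message.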

How to Perform Pull Request Analysis?

  1. Pull Request Analysis Example:

    • To analyze a pull request with SonarCloud, configure the action as shown below. Each PR is then checked for quality before merging.

```yaml
name: Analyze Pull Request

on:
  pull_request:
    branches:
      - main

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Analyze with SonarCloud
        uses: sonarsource/sonarcloud-github-action@<action version> # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}  # required: the scan authenticates to SonarCloud with this token
        with:
          projectBaseDir: my-custom-directory
          args: >
            -Dsonar.organization=my-organization
            -Dsonar.projectKey=my-projectkey
            -Dsonar.python.coverage.reportPaths=coverage.xml
            -Dsonar.sources=lib/
            -Dsonar.test.exclusions=tests/**
            -Dsonar.tests=tests/
            -Dsonar.verbose=true
```

This setup ensures every pull request is analyzed, helping to catch issues early in the development process.
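A pull request analysis workflow that also applies the secrets guidance from the section above, as an added example that is not part of the action's README: the GITHUB_TOKEN is restricted to read-only permissions, SONAR_TOKEN is read from repository secrets and never written into the workflow, the checkout does not persist credentials into `.git/config` for later steps, and the job is skipped for pull requests from forks, where GitHub does not expose repository secrets and the scan would otherwise fail. The organization, project key, directory names and the `<action version>` placeholder are assumptions to be replaced with your own values.

```yaml
# Added example (not part of the action's README): PR analysis with
# least-privilege settings. Placeholders: my-organization, my-projectkey,
# my-custom-directory, <action version>.
name: Analyze Pull Request (least privilege)

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

# Read-only GITHUB_TOKEN for every job in this workflow. The scan itself
# authenticates to SonarCloud with SONAR_TOKEN, so nothing here needs write access.
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    # Secrets other than GITHUB_TOKEN are not passed to workflows triggered by a
    # pull request from a fork; skip the job there instead of failing the check.
    # Pushes to main are always analyzed.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history so SonarCloud can attribute new code correctly
          persist-credentials: false # do not leave the GITHUB_TOKEN in .git/config for later steps
      - name: Analyze with SonarCloud
        # Pin a release tag; pinning the full commit SHA of that release is stricter still.
        uses: sonarsource/sonarcloud-github-action@<action version>
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # stored as a repository secret, never in the workflow file
        with:
          projectBaseDir: my-custom-directory
          args: >
            -Dsonar.organization=my-organization
            -Dsonar.projectKey=my-projectkey
            -Dsonar.sources=lib/
            -Dsonar.tests=tests/
            -Dsonar.test.exclusions=tests/**
```

If you need the scan to run on fork pull requests as well, the usual options are a separate, secret-free workflow that only builds and tests, or a SonarCloud setup that analyzes the merged result after the PR is merged; avoid widening the trigger to `pull_request_target` just to obtain the secret, since that runs the workflow with the base repository's permissions on code from the fork.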