Skip to content

SonarQube analysis #236

SonarQube analysis

SonarQube analysis #236

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow helps you trigger a SonarQube analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
# (this feature is available starting from SonarQube 9.7, Developer Edition and above)
# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub)
# 2. Import your project on SonarQube
# * Add your repository as a new project by clicking "Create project" from your homepage.
#
# 3. Select GitHub Actions as your CI and follow the tutorial
# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN
# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator)
#
# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL
#
# * c. Copy/paste the project Key into the args parameter below
# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage)
# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10)
name: SonarQube analysis
on:
push:
branches:
- develop
pull_request:
branches:
- develop
types: [opened, synchronize, reopened]
workflow_dispatch:
permissions:
pull-requests: read # allows SonarQube to decorate PRs with analysis results
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: npm install and test
run: |
npm install
npm run test
- name: Analyze with SonarQube
uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
with:
# Additional arguments for the sonarcloud scanner
args:
-Dsonar.projectKey=cap-js-sdm
-Dsonar.sources=lib
-Dsonar.exclusions=**/node_modules/**
-Dsonar.js.file.suffixes=.js
-Dsonar.qualitygate.wait=true
-Dsonar.exclusions=/dist/,/node_modules/,**/*.spec.js,**/*.test.js
-Dsonar.verbose=false # This should generally be set to `false` in a production environment to not clutter logs. Use `true` for debugging.
# If you wish to fail your job when the Quality Gate is red, uncomment the
# following lines. This would typically be used to fail a deployment.
# We do not recommend to use this in a pull request. Prefer using pull request
# decoration instead.
- uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}