SonarQube Pull Request Scanner + Community

In the previous article we installed a SonarQube Community server on Ubuntu with SQL Server as its database. Now we are going to expand on that and build the whole code quality assurance process around SonarQube. We are making a CI/CD workflow so that all new code must be scanned and measured by SonarQube; this way, if the code does not meet the required quality, it is blocked at the pull request and cannot be merged into our base branch.

You can achieve the above on different git platforms such as Azure DevOps, Jenkins, TeamCity and others; in this article we cover GitHub. The process is also more or less the same on the commercial editions of SonarQube, where you only need to skip installing the community branch plugin because branch and pull request analysis comes out of the box.

Install plugin to enable SonarQube Community branch and pull request scanning

We are going to use sonarqube-community-branch-plugin to get the feature we need: the ability to scan a pull request and block it if it does not pass our quality gates.

You find the releases here. If you are using a version of SonarQube other than 8.9 (the current LTS), go there and pick the plugin release that matches your installation, since each plugin release only supports specific SonarQube versions.

In the previous post I showed you how to install SonarQube on Ubuntu. I assume you have a similar setup, i.e. your SonarQube is installed under /opt/sonarqube/. If not, feel free to adjust the paths in the commands.

Let's copy the plugin jar file into our installation at /opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin.jar (in our case we downloaded version 1.8.1):

sudo wget -O  /opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin.jar  https://github.com/mc1arke/sonarqube-community-branch-plugin/releases/download/1.8.1/sonarqube-community-branch-plugin-1.8.1.jar

Now that the plugin is in place we also need to edit the conf/sonar.properties file. Let's open it in the nano editor:

 sudo nano /opt/sonarqube/conf/sonar.properties

We need to update two settings in this file: sonar.web.javaAdditionalOpts and sonar.ce.javaAdditionalOpts. In nano press Ctrl+W to search for each of them. They are commented out, like below:

#-------------------------------------------------------------------------------------------->
# WEB SERVER
# Web server is executed in a dedicated Java process. By default heap size is 512MB.
# Use the following property to customize JVM options.
#    Recommendations:
#
#    The HotSpot Server VM is recommended. The property -server should be added if server mode
#    is not enabled by default on your environment:
#    http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html
#
#    Startup can be long if entropy source is short of entropy. Adding
#    -Djava.security.egd=file:/dev/./urandom is an option to resolve the problem.
#    See https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source
#
#sonar.web.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError

# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.web.javaAdditionalOpts=

Uncomment the last line of the excerpt above and set it as below:

sonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin.jar=web

And also, a few sections further down:

sonar.ce.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin.jar=ce

Exit with Ctrl+x and then y to save your changes.
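The plugin jar copy and the two property edits above are a procedure worth making repeatable, so here is an added example (not from the original post) that sets both keys in sonar.properties from a script, replacing the commented-out lines in place and appending them if they are missing; it assumes the jar path used in this post, relative to the SonarQube home.

```shell
#!/bin/sh
# Added example, not from the original post: set the two javaAdditionalOpts keys in
# sonar.properties so the community branch plugin is loaded as a Java agent by both
# the web server and the compute engine. The plugin jar path is assumed to be the
# one used in this post (relative to the SonarQube home, e.g. /opt/sonarqube).
set -eu

PLUGIN_JAR="./extensions/plugins/sonarqube-community-branch-plugin.jar"

# set_prop FILE KEY VALUE: replace an existing line for KEY (commented out with
# '#' or already active), or append KEY=VALUE if the key is not present at all.
# VALUE must not contain '|', '&' or '\' because it is used in a sed replacement.
set_prop() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^#\{0,1\}${key}=" "$file"; then
    sed -i "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# configure_branch_plugin FILE: apply both settings from this post. Running it
# twice is safe; the active lines are simply rewritten with the same value.
configure_branch_plugin() {
  set_prop "$1" sonar.web.javaAdditionalOpts "-javaagent:${PLUGIN_JAR}=web"
  set_prop "$1" sonar.ce.javaAdditionalOpts "-javaagent:${PLUGIN_JAR}=ce"
}

# get_prop FILE KEY: print the active (uncommented) value of KEY, empty if unset.
get_prop() {
  sed -n "s|^$2=||p" "$1"
}

# Usage (commented out so the functions can be sourced without side effects):
#   configure_branch_plugin /opt/sonarqube/conf/sonar.properties
#   get_prop /opt/sonarqube/conf/sonar.properties sonar.web.javaAdditionalOpts
```

Restart the sonar service afterwards, as described below, for the agents to be picked up.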

Now your SonarQube Community edition is very similar to the commercial versions of SonarQube as far as branch and pull request analysis goes!

Let's restart SonarQube so the changes take effect (we named our service sonar in the previous article; yours might have another name):

 sudo systemctl stop sonar &&  sudo systemctl start sonar

Give it some time until SonarQube has started (you will see the SonarQube is starting message for a few minutes).

Log in and you should see the plugin installation dialog. Click I understand the risk and the plugin should be up and running.

SonarQube GitHub Setting

Create a github app

Ok, now that you have solved the problem of branch scanning in SonarQube Community, we can go ahead and make sure that we have a pull request status check in place on GitHub.

When we are done it is going to work like this:

  • You make a pull request on GitHub.
  • A workflow is triggered on GitHub to build, run tests, gather information for SonarQube and send it to the SonarQube server.
  • SonarQube evaluates the data and, based on the quality gate result, reports Pass or Fail back to GitHub.
  • If you get a Fail status, GitHub blocks your pull request.

For the integration to work fully you need to create a (so-called) GitHub App. It is not really an app; it is just a setting that lets an external application communicate with GitHub. Please create a GitHub App according to the instructions here and come back!

Your app should have these permissions:

  • Read access to code, commit statuses, metadata, and repository projects
  • Read and write access to checks and pull requests

Integrate your sonarQube with github

Now that you have the app in place, let's set up the GitHub integration:

Log in to your SonarQube instance as an admin user, head to Administration, select ALM Integrations and then GitHub, then click the [Create configuration] button.

SonarQube integrations with github

Most of the information needed you will find on your GitHub App page. Your settings should look something like this:

Create a configuration

Note: make sure your server can reach https://api.github.com over HTTPS (outbound port 443), otherwise SonarQube cannot communicate with GitHub.

If things go well you should see something like this:

sonarQube is integrated with github successfully

In SonarQube, go to Projects from the menu and click the Add Project button. You get a GitHub option:

Create a new project via GitHub integrations in SonarQube

Click on it and all your repositories from GitHub should be listed. Select one and click Set up selected repository.

The next step is How do you want to analyze your repository? Click on With GitHub Actions:

select With GitHub actions

Follow the instructions at this step on GitHub; there are two of them:

GitHub settings instructions

As a result you should have two repository secrets (SONAR_TOKEN, SONAR_HOST_URL) and a workflow file (.github/workflows/build.yml). The secrets are used by your workflow.

Make sure the default branch name on line 5 of your workflow is correct (master / main).

On your GitHub repo, head to the Actions tab and you will see your workflow running:

GitHub Actions

Let it finish; you know it is done when the orange dot becomes green (if it becomes red you need to inspect your workflow manually).

As soon as the workflow has finished, your SonarQube project is updated and looks like this:

Successfully Created the project and scanned the code

It tells you about the code smells, security hotspots and duplications.

Head to Project Settings and the Pull Request Decoration tab:

pull request decoration for GitHub project

You should see the GitHub integration we created earlier and the correct repository name.

Pull Request Scan and Block based on Status

There is a good chance that SonarQube Community does not send the status to the pull request on GitHub. This is because the GitHub Actions workflow you created does not send enough information to the SonarQube server for pull request analysis (this is not the case with the commercial versions of SonarQube). GitHub Actions checks out a merge commit for the pull request, whose SHA-1 differs from the SHA-1 of the branch head. Natan Deitch suggested a workaround here. It basically says to pass sonar.scm.revision alongside the pull request information, like this for a Linux runner:

-Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}

or like this for a Windows runner:

/d:sonar.scm.revision=${{ github.event.pull_request.head.sha }}

So in the case of the .NET scanner I added some arguments to my dotnet-sonarscanner begin line, like this (make sure your default branch is master, or change it to main if you copy-paste it):

 .\.sonar\scanner\dotnet-sonarscanner begin /k:"_____MY_PROJECT_KEY_____"   /d:sonar.login="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="${{ secrets.SONAR_HOST_URL }}"  /d:sonar.pullrequest.key=${{ github.event.number }}  /d:sonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} /d:sonar.pullrequest.base=master  /d:sonar.scm.revision=${{ github.event.pull_request.head.sha }}
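A complete workflow tying these arguments together, added here as an example (it is not the workflow SonarQube generates for you, nor the one from this post). It assumes a .NET solution in the repository root, the two secrets created above and a Windows runner, and it goes slightly beyond the line above by taking the base branch from the pull request event and adding the pull request properties only on pull_request events, since they are empty on a push build.

```yaml
# Added example, not the SonarQube-generated workflow or the one from this post.
# Assumes a .NET solution in the repo root and the SONAR_TOKEN / SONAR_HOST_URL secrets.
name: Build
on:
  push:
    branches: [ master ]          # change to main if that is your default branch
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0           # full history, so SonarQube sees every commit of the PR
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 11
      - name: Install SonarScanner for .NET
        shell: powershell
        run: |
          New-Item -Path .\.sonar\scanner -ItemType Directory
          dotnet tool update dotnet-sonarscanner --tool-path .\.sonar\scanner
      - name: Build and analyze
        shell: powershell
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
          PR_KEY: ${{ github.event.number }}
          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
          PR_BASE: ${{ github.event.pull_request.base.ref }}
          PR_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # The pull request properties only exist on pull_request events; on a push
          # to master they would be empty, so add them conditionally.
          $prArgs = @()
          if ($env:GITHUB_EVENT_NAME -eq "pull_request") {
            $prArgs = @("/d:sonar.pullrequest.key=$env:PR_KEY",
                        "/d:sonar.pullrequest.branch=$env:PR_BRANCH",
                        "/d:sonar.pullrequest.base=$env:PR_BASE",
                        "/d:sonar.scm.revision=$env:PR_SHA")
          }
          .\.sonar\scanner\dotnet-sonarscanner begin /k:"_____MY_PROJECT_KEY_____" `
            /d:sonar.login="$env:SONAR_TOKEN" /d:sonar.host.url="$env:SONAR_HOST_URL" @prArgs
          dotnet build
          .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.login="$env:SONAR_TOKEN"
```

Passing the token through an environment variable rather than inline in the command keeps it out of the step's command line in the job log.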

Create a branch, make some changes (I did in my readme) and wait until your build workflow is done. After a few moments SonarQube should post to your pull request's Conversation tab and Checks tab:

SonarQube post on pull request conversation

Also in your SonarQube portal you should see the pull requests:

SonarQube portal Branches and Pull Requests

Now it is a good idea to create a branch protection rule that requires both the workflow to run successfully (“Build” by default) and the SonarQube status (“[PROJECT_NAME] SonarQube Results”). For the commercial versions of SonarQube this status is called SonarQube Quality Gate.

GitHub branch protection rule

It is also very strongly recommended to check Require a pull request before merging; this way all new code is evaluated before it is merged into your code base.

Now that you have done a great job securing your code, you can pick up some badges from the SonarQube portal and add them to the readme file on GitHub. You find them by clicking Project information and selecting Get project badges.

SonarQube badges
Sonarqube project badges
