
GitHub Action

Sonarless Code Scan

v0 Pre-release


SonarQube Scan GitHub Action without a dedicated hosted SonarQube Server

Installation

Copy and paste the following snippet into your .yml file.

- name: Sonarless Code Scan
  uses: gitricko/sonarless@v0

Learn more about this action in gitricko/sonarless


Sonarless v0

This action and its developer-friendly helper scripts enable SonarQube scanning for your repository without the need for a dedicated hosted SonarQube server. It boots up a SonarQube Docker instance, scans the checked-out code, and writes a metrics JSON file so that you can check the quality of the code.

Usage

- uses: gitricko/sonarless@v0
  with:
    # Folder path to scan from git-root
    # Default: . 
    sonar-source-path: ''

    # Path to SonarQube metrics json from git-root
    # Default: ./sonar-metrics.json 
    sonar-metrics-path: ''

    # SonarQube Project Name
    # Default: ${{ github.event.repository.name }}
    sonar-project-name: ''

    # SonarQube Project Key
    # Default: ${{ github.event.repository.name }}
    sonar-project-key: ''

Scenarios

Sonar scan all files from git root directory

jobs:
  Sonarless-Scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Sonarless Scan
        uses: gitricko/sonarless@v0

Scan particular folder from git root directory

jobs:
  Sonarless-Scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Sonarless Scan
        uses: gitricko/sonarless@v0
        with:
          sonar-source-path: 'src'

Scan code and fail the build if the metrics are below expectation

jobs:
  Sonarless-Scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Sonarless Scan
        uses: gitricko/sonarless@v0
        with:
          sonar-source-path: 'src'
          sonar-metrics-path: './sonar-mymetrics.json'

      - name: Check Sonar Metrics - No Vulnerabilities
        run: |
          echo "Checking for any vulnerabilities in Sonar Metrics JSON"
          # Pull the "vulnerabilities" measure out of the metrics file written by the scan step
          VULN=$(jq -r '.component.measures[] | select(.metric == "vulnerabilities").value' ./sonar-mymetrics.json)
          echo "# of vulnerabilities = ${VULN}"
          # Quoted so an empty value fails the step with a clear test error instead of a shell syntax error
          [ "${VULN}" -eq 0 ]
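The jq one-liner above gates on a single metric. The following script is an added example (not part of the gitricko/sonarless project) of a quality gate over the same sonar-metrics.json layout that the jq filter reads (`.component.measures[]` entries with `metric` and `value`). It checks several metrics at once, treats a metric that is missing from the file as a failure rather than a silent pass, and returns a non-zero exit code the workflow can act on. The metric names and thresholds are assumptions chosen for illustration, and the embedded sample JSON is constructed, not real scan output.

```python
"""Quality gate over the sonar-metrics.json that Sonarless writes.

Added example, not part of the gitricko/sonarless project. It assumes the
metrics file has the SonarQube measures layout the README's jq filter reads:
{"component": {"measures": [{"metric": "...", "value": "..."}, ...]}}.
The metric names and thresholds below are constructed for illustration.
"""
import json
import sys
from typing import Dict, List, Optional

# Assumed thresholds: "max" metrics must not exceed the limit, "min" metrics
# must reach it. SonarQube reports every value as a string, so counts and the
# coverage percentage are both parsed with float().
MAX_LIMITS: Dict[str, float] = {
    "vulnerabilities": 0,
    "bugs": 0,
    "security_hotspots": 0,
}
MIN_LIMITS: Dict[str, float] = {
    "coverage": 80.0,
}


def load_measures(metrics_json: str) -> Dict[str, str]:
    """Flatten the measures array into a {metric: value} mapping."""
    doc = json.loads(metrics_json)
    measures = doc.get("component", {}).get("measures", [])
    return {m["metric"]: m["value"] for m in measures if "metric" in m and "value" in m}


def evaluate(measures: Dict[str, str],
             max_limits: Optional[Dict[str, float]] = None,
             min_limits: Optional[Dict[str, float]] = None) -> List[str]:
    """Return human-readable failures; an empty list means the gate passes.

    A metric absent from the file is reported as a failure instead of passing
    silently, which is the edge case a single-metric shell check does not
    surface clearly (an empty value there becomes a shell error, not a message).
    """
    max_limits = MAX_LIMITS if max_limits is None else max_limits
    min_limits = MIN_LIMITS if min_limits is None else min_limits
    failures: List[str] = []
    for metric, limit in max_limits.items():
        raw = measures.get(metric)
        if raw is None:
            failures.append(f"{metric}: missing from metrics file")
        elif float(raw) > limit:
            failures.append(f"{metric}: {raw} exceeds limit {limit:g}")
    for metric, limit in min_limits.items():
        raw = measures.get(metric)
        if raw is None:
            failures.append(f"{metric}: missing from metrics file")
        elif float(raw) < limit:
            failures.append(f"{metric}: {raw} below minimum {limit:g}")
    return failures


def gate_file(path: str) -> int:
    """Read a metrics file, print the verdict, and return a process exit code."""
    with open(path, encoding="utf-8") as fh:
        failures = evaluate(load_measures(fh.read()))
    for line in failures:
        print(f"FAIL {line}")
    print("quality gate", "FAILED" if failures else "passed")
    return 1 if failures else 0


# Constructed sample in the shape Sonarless emits; not real scan output.
SAMPLE_METRICS = json.dumps({
    "component": {
        "key": "example-repo",
        "name": "example-repo",
        "measures": [
            {"metric": "vulnerabilities", "value": "0"},
            {"metric": "bugs", "value": "2"},
            {"metric": "coverage", "value": "73.4"},
        ],
    }
})

if __name__ == "__main__":
    # Workflow usage: python3 check_sonar_metrics.py ./sonar-mymetrics.json
    # Without an argument the constructed sample is gated instead.
    if len(sys.argv) > 1:
        sys.exit(gate_file(sys.argv[1]))
    sys.exit(1 if evaluate(load_measures(SAMPLE_METRICS)) else 0)
```

In a workflow this replaces the jq step with `run: python3 check_sonar_metrics.py ./sonar-mymetrics.json`; the step fails whenever any configured metric is over its limit, under its minimum, or absent from the file.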

Use Sonarless in your Local Dev

Just copy 3 files from this repository, Makefile and makefile.sh, into your git root.

To start scanning your code, just run make sonar-scan. When the scan is done, log in to the web UI of your local personal SonarQube instance at http://localhost:9000 to see your results and where you can improve your code. The default password for admin is sonar.

If you want the metrics file, run make sonar-results and sonar-metrics.json will be generated in your git root.

Use make docker-clean to clean up your SonarQube instance.

This small scriptlet works perfectly with GitHub Codespaces.

Coffee

If you find this small helper script and action helpful, buy me a sip of coffee here to show your appreciation (only if you want to)