Using SonarCloud with Github Actions and Maven
Jan Stamer, Mar 7, 4 min read
In this post you will learn how to analyse your Java Maven project with SonarCloud using Github Actions.
The starting point is a simple Java project with a Maven build. First we'll use SonarCloud to analyze our source code from our local dev environment. Then we'll use Github Actions to run the Maven build. In the end we have a fully functional CI pipeline which builds and analyzes our code using Github Actions.
Set up SonarCloud
Step 1: Create a Project
In order to use SonarCloud you need to create an account and set up a project. So first create an account and log in. Now you can create a new project here or using the '+' button. A project in SonarCloud must belong to an organization. SonarCloud automatically imports your Github organizations, so you can use any of them or the default organization named after your Github user name.
Once the project is created, it has an organization key and a project key. You need both to run the SonarCloud analysis. You can always look up the organization key and project key of your project in the dashboard, as shown below.
Step 2: Generate a SonarCloud Token
Now we'll set up a secure token as authentication for SonarCloud. Generate a new token from the 'Security' tab in your account settings (which is here). Make sure to store the token, since you'll only see it right after you've created it. Now you're all set up to run a first analysis.
Run SonarCloud analysis locally using Maven
You can run the SonarCloud analysis using Maven. The organization key, the project key and the generated token must be passed to the Sonar Maven Plugin, as well as the URL of SonarCloud. Pass the SonarCloud token you generated in the previous step as the value of sonar.login. So the command is:
```shell
mvn sonar:sonar \
    -Dsonar.projectKey=baralga \
    -Dsonar.organization=baralga \
    -Dsonar.host.url=https://sonarcloud.io \
    -Dsonar.login=
```
After you have run the analysis, the results will shortly be online in the SonarCloud dashboard at https://sonarcloud.io/dashboard?id= followed by your project key. The dashboard for our sample project baralga is available at https://sonarcloud.io/dashboard?id=baralga.
Run SonarCloud analysis using Github Actions
Now we will use Github Actions to run the SonarCloud analysis from our CI pipeline. We'll use Maven for that like we did before. We set up a Github Action that runs the SonarCloud analysis using Maven. Like before we pass the organization key and project key as parameters. Additionally we need to provide the SonarCloud token and the Github token.
The token for SonarCloud is stored as an encrypted secret as described here. We can access it in our Github Action with ${{ secrets.SONAR_TOKEN }}. The Github token is already provided by Github Actions itself and we can access it with ${{ secrets.GITHUB_TOKEN }}.
This is the complete Github Action workflow. Save it in the file .github/workflows/sonar.yml and off you go.
```yaml
name: SonarCloud
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-16.04
    steps:
      - uses: actions/checkout@v1
      - name: Set up JDK
        uses: actions/setup-java@v1
        with:
          java-version: '11'
      - name: Analyze with SonarCloud
        run: ./mvnw -B verify sonar:sonar -Dsonar.projectKey=baralga -Dsonar.organization=baralga -Dsonar.host.url=https://sonarcloud.io -Dsonar.login=$SONAR_TOKEN
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
Now every build of your Github Actions pipeline analyzes the code using SonarCloud. That looks like below or see it live in action in the Baralga Actions.
Topping it off with Code Coverage
As a final step we add the code coverage of our unit tests to SonarCloud.
Step 1: Calculate Test Coverage with Jacoco
We use Jacoco to calculate the code coverage of our tests. For that we add the jacoco-maven-plugin to our pom.xml:
```xml
<plugins>
  ...
  <plugin>
    <groupId>org.jacoco</groupId>
    <artifactId>jacoco-maven-plugin</artifactId>
    <version>0.8.5</version>
    <executions>
      <!-- attaches the Jacoco agent to the test JVM -->
      <execution>
        <id>prepare-agent</id>
        <goals>
          <goal>prepare-agent</goal>
        </goals>
      </execution>
      <!-- writes the XML/HTML report to target/site/jacoco after the tests ran -->
      <execution>
        <id>report</id>
        <phase>prepare-package</phase>
        <goals>
          <goal>report</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
</plugins>
```
We tell SonarCloud where to find the calculated code coverage using the parameter -Dsonar.coverage.jacoco.xmlReportPaths=${project.build.directory}/site/jacoco/jacoco.xml for our Maven build. After the next build the code coverage will show up in SonarCloud.
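To see what the report SonarCloud reads actually contains, here is an added example that is not code from the post or from the Baralga project: a Python script that parses the jacoco.xml written to target/site/jacoco/jacoco.xml and exits non-zero when overall line coverage is below a threshold, so a coverage drop is visible before the Sonar step. The package names and counter values in the embedded sample are constructed.

```python
"""Summarise the JaCoCo XML report and enforce a minimum line coverage.
Added example, not from the post: it reads the file the jacoco-maven-plugin writes to
target/site/jacoco/jacoco.xml (the path handed to SonarCloud via
sonar.coverage.jacoco.xmlReportPaths) so coverage gaps surface before the Sonar step."""
import sys
import xml.etree.ElementTree as ET

def line_counter(node):
    """Return (covered, missed) lines from a node's LINE counter, (0, 0) if absent."""
    c = node.find("./counter[@type='LINE']")
    return (int(c.get("covered")), int(c.get("missed"))) if c is not None else (0, 0)

def percent(covered, missed):
    """Coverage in percent, rounded to one decimal; 0.0 when nothing was measured."""
    total = covered + missed
    return round(100.0 * covered / total, 1) if total else 0.0

def coverage_summary(xml_text):
    """Overall and per-package line coverage in percent, from the report XML text."""
    root = ET.fromstring(xml_text)
    packages = {p.get("name"): percent(*line_counter(p)) for p in root.findall("package")}
    return {"total": percent(*line_counter(root)), "packages": packages}

def check_minimum(xml_text, minimum):
    """True when overall line coverage reaches the threshold; also returns the summary."""
    summary = coverage_summary(xml_text)
    return summary["total"] >= minimum, summary

# Constructed sample in the shape jacoco-maven-plugin 0.8.x writes (class/method detail omitted).
SAMPLE_REPORT = """<report name="baralga">
  <package name="org/baralga/model">
    <counter type="INSTRUCTION" missed="20" covered="180"/>
    <counter type="LINE" missed="5" covered="45"/>
  </package>
  <package name="org/baralga/ui">
    <counter type="LINE" missed="30" covered="10"/>
  </package>
  <counter type="LINE" missed="35" covered="55"/>
  <counter type="BRANCH" missed="4" covered="12"/>
</report>"""

if __name__ == "__main__":
    # usage: python coverage_check.py [target/site/jacoco/jacoco.xml]; sample is used without a path
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, summary = check_minimum(text, 80.0)
    print(summary)
    sys.exit(0 if ok else 1)
```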
Summary
Step by step we introduced SonarCloud to analyze our code within our CI pipeline using Github Actions. Whenever the CI pipeline runs, the code is analyzed using SonarCloud and the results and metrics are available in the SonarCloud dashboard. You can find a working example at baralga.
Baralga / baralga: Baralga open-source time tracker for the desktop.
Thanks for the article.
Did you try breaking the build in case of missed quality gates?
Breaking the build is not possible using the regular sonar maven plugin. Yet you can use the sonar-break-maven-plugin for that purpose. For Jenkins there is an official way to break the build as described in Breaking the SonarQube Analysis with Jenkins Pipelines.
sgoertzen / sonar-break-maven-plugin: Fail your maven build if sonar detects issues with the code
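As an added example that is not from the post, the reply above or any Sonar project: one way to fail the Github Actions job on a red quality gate without a further Maven plugin is an extra workflow step that reads target/sonar/report-task.txt (written by the scanner after mvn sonar:sonar), waits for the background analysis task via the ceTaskUrl it contains, and then queries the quality gate API for that analysis. It assumes the token is available as $SONAR_TOKEN, as in the workflow above.

```python
"""Fail a CI job when the SonarCloud quality gate of the latest analysis is not OK.
Added example, not from the post or the Sonar plugins. After `mvn sonar:sonar` the
scanner writes target/sonar/report-task.txt (ceTaskUrl, serverUrl); we poll the task,
then query api/qualitygates/project_status. Token comes from $SONAR_TOKEN as in the workflow."""
import base64, json, os, sys, time, urllib.request

def parse_report_task(text):
    """Turn the key=value lines of report-task.txt into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line and not line.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def gate_result(project_status):
    """(passed, failed metric keys) from the project_status JSON document."""
    status = project_status["projectStatus"]
    failed = [c["metricKey"] for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status["status"] == "OK", failed

def get_json(url, token):
    # SonarCloud takes the token as the HTTP basic-auth user name with an empty password
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_task(task_url, token, attempts=60, delay=5):
    """Poll api/ce/task until the background analysis task reaches a final state."""
    for _ in range(attempts):
        task = get_json(task_url, token)["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        time.sleep(delay)
    raise TimeoutError("SonarCloud analysis task did not finish in time")

def main(report_path="target/sonar/report-task.txt"):
    token = os.environ["SONAR_TOKEN"]
    with open(report_path) as f:
        props = parse_report_task(f.read())
    task = wait_for_task(props["ceTaskUrl"], token)
    if task["status"] != "SUCCESS":
        sys.exit(f"analysis task ended with status {task['status']}")
    url = f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}"
    passed, failed = gate_result(get_json(url, token))
    print("quality gate", "OK" if passed else "ERROR", failed)
    sys.exit(0 if passed else 1)

if __name__ == "__main__":
    main()
```

Run it as a step after the Maven step with SONAR_TOKEN in its env; a non-zero exit marks the job as failed.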