How to Integrate SonarQube with GitHub Actions | Automate Code Scan using SonarQube in GitHub Action

Captions
Welcome back. In this video we are going to learn how to integrate SonarQube with GitHub Actions. We talked about GitHub Actions in our previous video; we understood that GitHub Actions has a lot of CI/CD capability, isn't it? Using GitHub Actions we can automate our CI/CD workflow, so, especially if you're working for a company that is using GitHub as a source code management tool, you can simply use GitHub Actions in order to implement your CI/CD capability; you don't have to go for any third-party CI/CD tool. In this video we're going to talk about how we can integrate SonarQube with GitHub Actions in order to automate our code quality scan.

Let's look at the reference architecture here. If you see here, I do have a Java project configured in GitHub. This is my Java project; it's a very simple Java web application, nothing fancy about it. Then we are going to integrate it with SonarQube. I have already configured SonarQube in AWS Cloud, so this is my SonarQube; I already logged in, as administrator. SonarQube can be running anywhere, isn't it? As long as it is available for GitHub Actions on the internet you should be totally fine: you can host it on-premises, you can host it in AWS Cloud, Azure Cloud, Google Cloud, it doesn't matter. Then we are going to create a CI/CD workflow using GitHub Actions: we are going to check out our code from GitHub, build the WAR file using Maven, and then integrate with SonarQube to perform the code quality scan. If you want to learn more about how to set up SonarQube, feel free to click on this particular link; I have configured SonarQube using Docker Compose, it's pretty straightforward, so feel free to refer to my article. Great, so we have all the prerequisites met, so let's get started. How are we going to achieve that? I have captured all the implementation steps over here.

The way we are going to do that is: we need to create a token in SonarQube, so that using the token GitHub can authenticate with SonarQube. Once the token is created we need to add it as a secret in GitHub Actions, and then we will also add the SonarQube URL as a secret in GitHub Actions. Then we are going to create a GitHub Actions workflow YAML file and customize the workflow by adding a couple of tasks, one for the Maven build and another one for the sonar scan. Then we are going to run the workflow, and finally we are going to verify our scan report in SonarQube. So it's pretty straightforward, it's not complicated at all. All we have to do is create a token, add the token in GitHub Actions as a secret, create a workflow, customize the workflow and then run it. Boom, you're done.

So let's get started, guys. I also captured those steps here as well. Let's get started with creating a token. Let me go here; I logged in as administrator, that is very important. We need to create a token, so go to the SonarQube Administration tab, Security. Let's create a token; you can give any name for the token, it doesn't matter, so "Global analysis token". I'm okay with the 30 days expiration. Click on Generate, and there you go, that is our token. After that, what we have to do is register the token as a secret. Let me go back to the step here: you can see we need to go to our repo and Settings. So let me go into the repo; this is the repo. Go to Settings, go to Secrets and variables and click on Actions, and this is where we have to register that information.

If you're wondering how I came to know about it, let me show you a small link here. I think we talked about the GitHub Marketplace earlier, the GitHub Actions Marketplace. If you want to integrate any third-party tool you can come here and simply search. If you just search "SonarQube" in the github.com Marketplace, you can see here, if you click on this particular action, they themselves provided the sample workflow YAML file, isn't it? And if you see here, these variables are really important: the sonar token and the sonar host URL, right? And this is the kind of action, how it is going to be, something like that. So we need to have these variables captured. Similarly, I also have the documentation from the Sonar website; if you see here, they talked about how you can analyze using GitHub Actions, and they also mention that we need to have these tokens. Perfect, so let's go ahead and create them.

I'm going to go ahead and click on New repository secret. The secret name has to be SONAR_TOKEN, and let's go ahead and add the value which we just created here; copy that. Perfect. Then let's also go ahead and add SONAR_HOST_URL; this is nothing but the SonarQube URL. New repository secret, let's add our URL here. Perfect; we don't have to give anything after port number 9000. Add secret. Perfect, so we have added these two secrets; I think that is good. The next step would be to go ahead and create a CI/CD workflow YAML file.

Let me go back to the repo. Like I said, this is a very simple Java application and I also have the pom.xml already created; all this pom.xml says is build the WAR file, that's all, nothing fancy about it. So let's go ahead and click on Add file, Create new file. As we all know, we need to create that workflow YAML file, and it has to be in this format: the .github folder, then slash the workflows folder, then slash any name; I'm going to give something like sonar-scan.yml. Great. Like I said, to get the documentation, either you can go to the SonarQube website, get that documentation and customize the workflow (this is slightly complicated in my opinion), or you can refer to what is there out in the Marketplace. But I have already customized everything over here, you can see. Basically what we are going to do is: we are going to check out the code, install the JDK on that runner (this is the GitHub-hosted runner), perform the Maven build, and then perform the sonar scan. So let me copy the entire workflow YAML file. Perfect.

If you see here, this workflow would be triggered whenever there is a git push into the repository; that's what this is. We talked about GitHub Actions in our previous video: GitHub Actions is completely event driven, isn't it? I also added this particular line item here as well; this is nothing but to invoke the workflow manually. Then this is the GitHub-hosted runner; this is to check out the code, install the JDK on the runner, this is mainly for building the Java project using Maven, and this is for performing the sonar scan. A couple of items are really important here: it is important that you declare the project key over here; if you don't declare the project key, it is going to fail. And then these are our secrets which we have already captured under Settings. So that is pretty much it; it's a very simple workflow YAML file. Click on Commit changes, Commit changes.

As soon as you commit the code, just like we saw, because there is a push, this will go ahead and trigger the action. So let's go to the Actions tab; there you go, you all can see, the build is already queued and has started running now. Let me click on this one, and you can also click on this just to see the console output: checking out the code, installing the JDK on the runner, now it has started the Maven build, perfect, now it has started the sonar scan as well, loading the rules, everything. Awesome, so it looks like this is done. Now let's log into SonarQube and go to the Projects tab. Boom, wow, see here guys, 37 seconds ago we were able to run the scan. Wow, six bugs, that is a bit scary. Click on "6 bugs" and you all see here, it kind of shows all the bugs. Let me just click on a bug here; I know what this is all about. Let me see if we can fix some of the bugs in the code real quick. Of course this is the responsibility of the developer, but let's quickly fix it and then see whether we are able to see the difference or not. This says that the title tag is missing; okay, let's add the doctype, okay, we need to add a language and then a title. Perfect; let me see if I can fix a few more defects. Title tag; I think that should take care of it. Let me go ahead and commit changes. As soon as I make a code change this should go ahead and run the build. Let's see. The scan is done, so let me go back to SonarQube, go to Projects, wow, see here guys, now we don't see any more bugs. So yeah, that's it guys, that's how you can integrate SonarQube with GitHub Actions, that's how you can perform the code quality scan. Thank you for watching this video.
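The workflow the captions walk through (push trigger plus manual trigger, GitHub-hosted runner, checkout, JDK install, Maven build, sonar scan reading the two repository secrets and a mandatory project key), written out as an added example; this is not the video's own file. The secret names SONAR_TOKEN and SONAR_HOST_URL come from the transcript; the action version tags, the Maven sonar plugin invocation, Java 17 and the placeholder project key are my assumptions.

```yaml
# Added example: .github/workflows/sonar-scan.yml (not the video's file).
# Assumptions not taken from the video: action version tags, the Maven
# sonar plugin invocation, Java 17, and the placeholder project key.
name: SonarQube scan

on:
  push:                     # every push triggers the scan, as in the video
  workflow_dispatch:        # extra line item so the workflow can be run manually

permissions:
  contents: read            # least privilege: the job only needs to read the repo

jobs:
  build-and-scan:
    runs-on: ubuntu-latest  # GitHub-hosted runner
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so SonarQube attributes new code correctly

      - name: Install JDK on the runner
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Maven build
        run: mvn -B package --file pom.xml

      - name: SonarQube scan
        env:
          # Secrets arrive as environment variables; never echo them in the log.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        # sonar.projectKey is mandatory; the scan fails without it (as the video notes).
        run: >
          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.projectKey=YOUR_PROJECT_KEY
```

The token is created in SonarQube under Administration, Security, with an expiry (30 days in the video); when it expires the scan step fails on authentication, so rotate the SONAR_TOKEN secret rather than widening the token's scope or lifetime.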
Info
Channel: DevOps Coach
Views: 1,774
Keywords: SonarQube and GitHub Actions integration, Perform code scan using SonarQube in GitHub Actions
Id: AYl3A3ac7bg
Length: 13min 8sec (788 seconds)
Published: Fri Feb 16 2024