Unlocking Code Quality with SonarQube and GitHub Actions
Matias Busco
In cyber for the last 10 years, with expertise in automation, specializing in cloud-native environments. Active in security assessments, ethical hacking, and DevSecOps. I enjoy continuous growth and sharing insights!
It should only take you about 10 minutes to read this article.
Greetings LinkedIn Developers! In this article, we'll explore the integration of SonarQube with GitHub Actions for a streamlined code quality assessment. We'll cover the installation of SonarQube Community, establishing a seamless connection with a test GitHub repository and implementing automated scans through GitHub Actions self-hosted runners. This step-by-step guide aims to empower developers to introduce efficient code quality management within their existing workflows.
Quick intro...
What is SonarQube?
SonarQube is a static code analysis platform. It examines source code for bugs, code smells, security vulnerabilities and security hotspots, and rolls the results up into a Quality Gate that can pass or fail a build. It is built to sit inside a CI pipeline, and GitHub Actions is one of the CI systems it integrates with.
What are Github Actions?
GitHub Actions is an automation platform from GitHub that allows developers to define workflows for their software projects. It gives you the chance to automate tasks such as building, testing, and deploying code directly from your GitHub repositories. With GitHub Actions, you can create custom workflows using pre-defined or custom actions, streamlining your development process and enhancing collaboration among team members.
What are Github Actions self-hosted runners?
GitHub Actions self-hosted runners are instances of GitHub Actions runners that you set up and manage in your own environment. These runners allow you to run workflows on your own infrastructure, providing flexibility and control over the execution environment. Whether on cloud servers, on-premises hardware, or even your local machine, self-hosted runners enable you to tailor the execution environment to your specific needs, enhancing the capabilities of GitHub Actions for your projects.
Setup...
How to run SonarQube locally:
Although there are a few ways to run it, for the sake of this article I'm going to show how to run it from a local Docker container. If you want to follow these steps you should have Docker installed on your computer. For more information please refer to this article.
docker run -it --rm -p 9000:9000 sonarqube:10.3.0-community
And as simple as that we have our SonarQube Community instance running on http://localhost:9000 (plain HTTP; the container does not terminate TLS), where you can log in with the admin:admin credentials. SonarQube forces you to change that default password on first login. Keep in mind that with --rm and no volume mounted, everything you configure is lost when the container stops, which is fine for a demo but not for anything you want to keep.
Let's also use a self-hosted Github Actions runner locally
From your GitHub repository go to Settings -> Actions -> Runners and add one with the commands they provide. Keep in mind that the runner must be able to reach the SonarQube instance so it can upload the scan results. One security caveat before you do this: GitHub recommends using self-hosted runners only with private repositories, because on a public repository anyone who opens a pull request from a fork can get their code executed on your runner machine.
If you need help with this setup, please read this article.
For this test I've forked the repository DefectDojo/django-DefectDojo, and I've added the runner on a Chromebook.
(Optional) Grant SonarQube permissions for PR decoration
If you have a paid SonarQube Developer Edition license, now that we have most of the pieces running we only need to let the instance comment on our pull requests, so we get PR decoration when the scan finds something. Community Edition does not decorate pull requests, so you can skip this step.
More info on how to set up the Github app in this article.
Add repository as a SonarQube Project
Once the GitHub app is installed (or right away, if you skipped that optional step) we are ready to onboard some of our GitHub repositories; in this case we are going to add the django-DefectDojo project I've forked.
After adding the project, SonarQube will ask us how we want to set up the analysis, and for the purpose of this demo we are going to use the GitHub Actions integration.
So here comes the part where SonarQube suggests adding both SONAR_TOKEN and SONAR_HOST_URL as repository secrets, which we should always do instead of hardcoding them, to follow proper secret management practices. Two things worth knowing here: SonarQube can issue a project analysis token that is scoped to a single project, which is a better fit for CI than a user token tied to your account; and GitHub does not expose repository secrets to pull_request workflows triggered from forks, so the branches you scan this way have to live in the repository itself.
After that, SonarQube shows an example action workflow that we are not going to use as-is for this demo. The action I made instead is the following:
name: SonarQube Scan
on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - master
jobs:
  sonarqube-scan:
    name: sonarqube-scan
    runs-on: self-hosted
    # Least privilege: the only thing this job does with the GITHUB_TOKEN is check out the code.
    permissions:
      contents: read
    steps:
      # actions/checkout@v2 runs on Node 12, which GitHub has deprecated; v4 is the current major.
      - uses: actions/checkout@v4
        with:
          # Full history, so SonarQube can tell new code from old and attribute blame.
          fetch-depth: 0
      # sonar.projectKey must be set either here (-Dsonar.projectKey=...) or in a
      # sonar-project.properties file at the repository root.
      - run: |
          sonar-scanner \
            -Dsonar.sources=. \
            -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
            -Dsonar.token=${{ secrets.SONAR_TOKEN }}
Note that in this example I'm running sonar-scanner directly on the runner; that works because the runner I'm using is a Linux machine that already has sonar-scanner installed and on its PATH.
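The workflow above uploads the analysis but never fails: the job goes green whether or not the Quality Gate passes. The scanner has a built-in switch for this (-Dsonar.qualitygate.wait=true makes sonar-scanner block and return non-zero on a failed gate), but it helps to see what that does under the hood. The script below is an added example, not code from the article or from SonarSource: it reads the .scannerwork/report-task.txt file the scanner writes, polls api/ce/task until the server-side analysis finishes, then queries api/qualitygates/project_status and exits 1 when the gate is red, which is what lets branch protection block the merge. It assumes SONAR_TOKEN and SONAR_HOST_URL are in the environment as in the workflow, and that the scanner ran from the repository root; the sample report text and JSON at the top are constructed for offline testing, not real server output.

```python
"""Wait for a SonarQube analysis and fail the CI job if the Quality Gate is red.

Added example for this article (not SonarSource code). Assumes SONAR_TOKEN and
SONAR_HOST_URL are set and that sonar-scanner ran from the repository root.
"""
import base64
import json
import os
import sys
import time
import urllib.request

REPORT_PATH = ".scannerwork/report-task.txt"  # written by sonar-scanner after each run

# Constructed sample inputs (not captured from a real server) so the parsing helpers run offline.
SAMPLE_REPORT = """projectKey=django-DefectDojo
serverUrl=http://localhost:9000
serverVersion=10.3.0.82913
dashboardUrl=http://localhost:9000/dashboard?id=django-DefectDojo
ceTaskId=AYz0example000
ceTaskUrl=http://localhost:9000/api/ce/task?id=AYz0example000
"""
SAMPLE_STATUS_FAILED = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "0.0"},
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "42.5"},
        ],
    }
}


def parse_report_task(text):
    """Parse the scanner's flat key=value report file into a dict.

    The keys this script relies on are serverUrl, ceTaskId and dashboardUrl.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def gate_summary(project_status):
    """Reduce api/qualitygates/project_status JSON to (passed, failed_conditions).

    failed_conditions lists only the conditions the server marked ERROR, as
    'metric: actual COMPARATOR threshold' strings suitable for a job log.
    """
    status = project_status["projectStatus"]
    failed = [
        f"{c['metricKey']}: {c.get('actualValue', '?')} {c['comparator']} {c['errorThreshold']}"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status["status"] == "OK", failed


def _get_json(url, token):
    # SonarQube accepts a token as the Basic-auth username with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(server_url, task_id, token, timeout_s=300, poll_s=5):
    """Poll api/ce/task until the compute-engine task finishes; return its analysisId."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        task = _get_json(f"{server_url}/api/ce/task?id={task_id}", token)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with status {task['status']}")
        time.sleep(poll_s)
    raise TimeoutError(f"analysis task {task_id} still running after {timeout_s}s")


def main():
    token = os.environ["SONAR_TOKEN"]
    with open(REPORT_PATH, encoding="utf-8") as fh:
        report = parse_report_task(fh.read())
    # Prefer the URL the scanner recorded: it is the one the runner actually reached.
    server_url = (report.get("serverUrl") or os.environ["SONAR_HOST_URL"]).rstrip("/")
    analysis_id = wait_for_analysis(server_url, report["ceTaskId"], token)
    status = _get_json(f"{server_url}/api/qualitygates/project_status?analysisId={analysis_id}", token)
    passed, failed = gate_summary(status)
    print("Quality Gate:", "PASSED" if passed else "FAILED", "-", report.get("dashboardUrl", ""))
    for line in failed:
        print("  ", line)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a second step right after the sonar-scanner step (for example `run: python3 check_quality_gate.py`, with the same secrets exposed as env vars); because it exits non-zero on a red gate, a branch protection rule that requires this check will keep the pull request from being merged until the conditions are fixed.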
And now what?
Run scans
With all of this we are ready to push some changes to the repo and watch our action being triggered, as shown in the following image.
Once the action finishes the scan, we can head over to the SonarQube UI to see the results.
Thanks to the security rules SonarQube ships with, the findings are not limited to code smells and bad developer habits; they also include potential vulnerabilities and security hotspots such as the following:
How to prevent buggy code from being pushed?
You can also use SonarLint to run the same analysis directly in your IDE, so that problems are flagged before they ever reach the codebase. Let's use the VS Code integration for this example, but there is support for many other editors such as JetBrains, Visual Studio and Eclipse.
After installing it from the VS Code Extensions tab, we just need to bind it to our SonarQube server by providing its location and a token (this is what SonarLint calls "connected mode", and it is what makes the IDE apply the same rules and Quality Profile as the server).
In our case that is http://localhost:9000 and a user token generated under My Account -> Security in the SonarQube console.
Once the plugin is enabled and configured we can monitor the findings and get Sonar insights right there in the editor.
Conclusions...
This article is just a showcase of the capabilities you can introduce into your development pipelines with low-effort implementations that can save a lot of hours of debugging or even lower the risk in your tech stack.
You can find more information on Sonar's and GitHub's websites, with plenty of examples on how to integrate them and much more.
My thoughts...
Try to keep security controls as simple as possible for your developers so that they do not perceive you as a hindrance but as an ally.
Thanks for getting this far, I hope you find this article useful, and please share your thoughts in the comments.
Have you used any Sonar tool before? Do you have a similar setup? I'd be more than pleased to talk about it, or about #SDLCSecurity #SonarQube #GithubActions #CyberSecurity and much more...
Thanks!