
GitHub Actions and SonarCloud

GitHub Actions allow you to do most CI/CD tasks for free, directly from your GitHub repository. One of the challenges, however, is that there is no built-in facility such as SonarQube to manage code quality. Luckily, SonarSource provides SonarCloud, a SonarQube SaaS offering which is free for public projects! It is also easy to feed SonarCloud from GitHub Actions. In this blog post I'll describe how you can do this.

GitHub repository

I used the following GitHub repository with some Java code to generate code quality information. In order to do that I had the following entries in my pom.xml file:

[Screenshot: pom.xml entries for the SonarCloud analysis]

SonarCloud configuration

In order to feed data to SonarCloud, some configuration needs to be done on the SonarCloud and GitHub side. First, log in to SonarCloud using your GitHub account.

Next you have to authorize SonarCloud:


You can now add a GitHub organization you are using to SonarCloud by clicking + next to your account.


I chose my personal organisation. SonarCloud will be installed as a GitHub App for that organization.


You can grant SonarCloud access to your repository.

In SonarCloud you can now create an organisation and analyse a new project.

When you click Set Up, SonarCloud suggests doing analysis with GitHub Actions (which is of course fine by me).


In your GitHub repository, you need to store a SonarCloud token (as a repository secret) so the GitHub Actions workflow can access SonarCloud:

GitHub Actions

Conveniently, SonarCloud provides instructions on what you need to do in order to allow GitHub Actions to feed SonarCloud. These include updating your pom.xml file to specify the target for the SonarSource plugin, and creating a workflow or adding some steps specific to the analysis. Specific to the analysis are disabling the shallow clone (so the scanner sees the full history), the SonarCloud artifact cache and, of course, the build and analyse step.

[Screenshot: SonarCloud instructions for the pom.xml entries and the GitHub Actions workflow]

In the example workflow given by SonarCloud, the build is triggered on every commit. I changed this to do it manually. You can browse my workflow definition here.


After the results have been fed to SonarCloud, you can browse them there:

[Screenshot: issues overview in SonarCloud]

Limitations

There are of course some limitations on usage for the free GitHub and SonarCloud accounts. Besides that, however, SonarCloud does not allow third-party plugins. It is a SaaS offering, and allowing third-party plugins would put an additional burden on managing the environment and, in addition, could cause licensing issues. For some code quality aspects, however, using third-party plugins is currently the only option. Examples of these are the OWASP Dependency-Check and OWASP ZAP. Processing the output of those tests is currently not supported in SonarCloud. You can, however, feed it with SpotBugs (the spiritual successor of FindBugs), PMD and code coverage data. To work around the third-party plugin limitation, you could possibly convert the Dependency-Check and ZAP data, merge it with the SpotBugs/PMD output and feed that to SonarCloud. I haven't tried that yet however.
