GitHub Actions and SonarCloud

Maarten Smeets

GitHub Actions allow you to do most CI/CD tasks for free, directly from your GitHub repository. One of the challenges however is that there is no build-in facility like for example SonarQube to manage code quality. Luckily, SonarSource provides SonarCloud; a SonarQube SaaS offering which is free for public projects! It is also easy to feed SonarCloud from GitHub Actions. In this blog post I’ll describe how you can do this.

GitHub repository

I used the following GitHub repository with some Java code to generate code quality information. In order to do that I had the following entries in my pom.xml file;

SonarCloud configuration

In order to feed data to SonarCloud, some configuration needs to be done on the SonarCloud and GitHub side. First login to SonarCloud using your GitHub account.

Next you have to authorize SonarCloud:

You can now add a GitHub organization you are using to SonarCloud by clicking + next to your account.

I chose my personal organisation. SonarCloud will be installed as a GitHub App for that organization.

You can grant SonarCloud access to your repository

In SonarCloud you can now create an organisation

And analyse a new project

When you click Set Up, SonarCloud suggests doing analysis with GitHub Actions (which is of course fine by me).

In your GitHub repository, you need to create a token so GitHub can access SonarCloud:

GitHub Actions

Conveniently, SonarCloud provides an instruction on what you need to do in order to allow the GitHub Actions to feed SonarCloud. These include updating your pom.xml file to specify the target for the SonarSource plugin and creating a workflow or adding some actions specific to the analysis. Specific are the shallow clone option, the SonarCloud artifact cache and of course the build and analyse step.

In the example workflow given by SonarCloud, the build is triggered on every commit. I changed this to do it manually. You can browse my workflow definition here.

After the results have been fed to SonarCloud, you can browse them there;


There are of course some limitations on usage for the free GitHub and SonarCloud accounts. Next to that however, SonarCloud does not allow 3rd party plugins. It is a SaaS offering and allowing 3rd party plugins would cause an additional burden on managing the environment and in addition possible licensing issues. For some code quality aspects however, using 3rd party plugins is currently the only option. Examples of these are the OWASP Dependency-Check and OWASP ZAP. Processing output of those tests is currently not supported in SonarCloud. You can however feed it with SpotBugs (the spiritual successor of FindBugs), PMD and code coverage data. To work around the 3rd party plugin limitation, you could possibly convert the Dependency-Check and ZAP data and merge it with the SpotBugs/PMD output and feed that to SonarQube. I haven’t tried that yet however.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Next Post

SonarCloud: OWASP Dependency-Check reports

SonarCloud is a hosted SonarQube SaaS solution which helps you with code quality management. It is free to use for open source projects. You cannot install 3rd party plugins in SonarCloud however. This puts some limitations on the kind of data you can put in SonarCloud. For Java this is […]
%d bloggers like this: