Analyze Your Repository With GitHub Actions for SonarCloud

To configure analysis of your project using GitHub Actions you should follow the in-product tutorial. Under the Configure tab of your project homepage in SonarCloud, simply click on With GitHub Actions. You can also access the tutorials by going to Administration > Analysis Method.

The tutorial will walk you through the precise steps to set up the analysis but the basic steps are these:

  1. Define the SONAR_TOKEN environment variable in your repository by setting up a GitHub Secret. The SONAR_TOKEN identifies and authenticates you to SonarCloud. The tutorial will provide the precise value for your specific account.
  2. Set the essential analysis parameters: sonar.projectKey, sonar.organization, and sonar.host.url. The tutorial will be populated with the correct values for your specific account. These parameters are set differently depending on your project type:
    • In the pom.xml for Java Maven projects.
    • In the build.gradle file for Java Gradle projects.
    • In the SonarScanner command line for .NET projects.
    • In the sonar-project.properties file for other types of projects. You can also add additional analysis parameters to further specify your analysis details (See Analysis Parameters).
  3. Create the .github/workflows/build.yml file that defines the steps of your build. In addition to the usual steps that build your project, you need to invoke the SonarScanner to perform the analysis of your code. This is done differently depending on your project type:
    • A Maven plugin for Java Maven projects.
    • A Gradle plugin for Java Gradle projects.
    • A dedicated .NET scanner for .NET projects.
    • The SonarCloud GitHub Action for other projects. The tutorial will provide the specific details for your project type.

      The example below shows how you could set up a yml file for a single project:

GitHub Actions .yml file

name: My Test Single Project
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Analyzing Monorepo Projects: Build Configuration

The example below shows how you could set up a yml file for multiple projects in a monorepo. If you want to analyze a monorepo that contains more than one project, you need to specify the base directory of each project (projectBaseDir) in your build file so that each project is analyzed separately.

GitHub Actions .yml file

name: My Test Monorepo Project
on:
  push:
    branches:
      - main
    paths:
      - 'lambdas/test/**'
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloudScan1:
    name: SonarCloudScan1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: repo1/
          
  sonarcloudScan2:
    name: SonarCloudScan2
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: repo2/
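As an added example (not from the SonarCloud documentation), the same two-project analysis can be expressed with one job that runs over a matrix of project directories, a push path filter per project, and an explicit least-privilege permissions block. The directories repo1 and repo2 come from the example above; the permission scopes listed are an assumption about what the scan step needs for PR decoration.

```yaml
name: SonarCloud Monorepo (matrix)
on:
  push:
    branches:
      - main
    paths:                      # run only when one of the scanned projects changes
      - 'repo1/**'
      - 'repo2/**'
  pull_request:
    types: [opened, synchronize, reopened]

# Restrict the job's GITHUB_TOKEN to what the scan needs (assumed scopes):
# read the checkout and read PR metadata. SONAR_TOKEN stays a repository secret.
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    name: SonarCloud (${{ matrix.project }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # keep scanning the other project if one fails
      matrix:
        project: [repo1, repo2]
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0        # full history gives SonarCloud accurate blame/new-code data
      - name: SonarCloud Scan
        # The page uses the @master ref; pinning to a release tag or commit SHA
        # makes the action version immutable for supply-chain review.
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # never a literal in the file
        with:
          projectBaseDir: ${{ matrix.project }}/
```

Each matrix entry still needs its own sonar-project.properties (or equivalent) with a distinct sonar.projectKey, exactly as the per-job version above does.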


© 2008-2022, SonarCloud by SonarSource SA. All rights reserved.