Getting Started With GitHub

If your code is on GitHub, go to the SonarCloud product page and choose Set up or Login, then select GitHub from the list of DevOps cloud platforms.

Getting started by using your GitHub login.

You will be taken to the GitHub login page. Sign in using your GitHub credentials.

Welcome to SonarCloud

Once you have successfully logged in, you will see the SonarCloud welcome screen. Select Analyze your first projects > Import an organization from GitHub.

Welcome to SonarCloud using your GitHub login.

Set up your organization

Connect your GitHub organization with SonarCloud

After selecting Analyze new project, you will be presented with a step-by-step tutorial to install the SonarCloud application on GitHub. This allows SonarCloud to access your GitHub organization or personal account. You can select specific repositories to be connected to SonarCloud, or select all of them; you can always change this setting later.

Create your SonarCloud organization

SonarCloud is set up to mirror the way that code is organized in GitHub (and other repository providers):

  • Each SonarCloud project corresponds one-to-one with a GitHub project that resides in its own GitHub repository.
  • GitHub projects are grouped into GitHub organizations or personal accounts.
  • Each SonarCloud organization corresponds one-to-one with a GitHub organization or personal account.

SonarCloud will suggest an Actions secret name and key for your SonarCloud organization. This name and key are unique across all organizations within SonarCloud. You can accept the suggestion or change it manually; the interface will prevent you from changing it to a key that already exists.

Choose a plan

Next, you will be asked to choose a SonarCloud subscription plan. If all the repositories to be analyzed are public on GitHub, you can select the free plan. When using the free plan, your code and analysis results will be publicly accessible at sonarcloud.io/explore/projects.

If you want to analyze one or more private repositories, you need to select a paid plan. All paid plans offer a 14-day free trial period. Once the 14 days have elapsed, the cost is based on the number of lines of code analyzed.

Once you have chosen a plan and selected Create Organization, your SonarCloud organization is created!

Set up your analysis

Import repositories

The next step is to import the projects (that is, individual Git repositories) that you want to analyze from your GitHub organization into your newly created SonarCloud organization. A corresponding, one-to-one SonarCloud project will be created for each imported repository.

SonarCloud will present a list of the repositories in your GitHub organization; choose the projects you want to import and select Set Up to get started.

Select the GitHub repositories that you want to analyze with SonarCloud.

The selected projects will be imported.

Analysis methods

For GitHub repositories, there are two analysis methods available: Automatic analysis and CI-based analysis.

SonarCloud will first check your imported repository to see if it qualifies for automatic analysis. If it does, the analysis will start automatically and the results will appear shortly. Otherwise, proceed with CI-based analysis.

Automatic analysis

SonarCloud can automatically analyze your code simply by reading it from your GitHub repository, without the need to configure a CI-based analysis. After configuring SonarCloud with your GitHub organization, you will see the automatic analysis screen.

Once the analysis is done, you should see the page refresh itself with your analysis results if everything runs successfully.

CI-based analysis

If automatic analysis is not recommended for your project, you will need to set up a CI-based analysis. This will be the case, for example, with projects that use Java, C#, C, C++, or Objective-C (as well as others).

In this scenario, scanning and analysis do not occur in SonarCloud itself (as they do with automatic analysis) but rather in your build environment, as part of your build process. This means you have to configure your build process to perform the analysis on each build and communicate the results to SonarCloud.

The first step is to select your build environment. SonarCloud will present this page:

Choose your CI tool to start the setup process.

Select the best CI option from the choices and SonarCloud will guide you through a tutorial on how to set all this up.
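As an added illustration of what "configure your build process to perform the analysis on each build" looks like when the CI tool is GitHub Actions (this workflow is an example written for this page, not the tutorial SonarCloud generates), the points a practitioner should check are that the SonarCloud token comes from a repository or organization Actions secret rather than the workflow file, that the job runs with read-only permissions, and that the checkout is not shallow. The organization key and project key shown are placeholders for the values SonarCloud assigns to your own organization and project; the `pull-requests: read` permission is assumed to be needed so the action can read pull request metadata with the default `GITHUB_TOKEN`.

```yaml
# .github/workflows/sonarcloud.yml (example, not generated by SonarCloud)
name: SonarCloud analysis

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: the scanner only needs to read the checkout and, for
# pull requests, the PR metadata (assumed requirement for the default token).
permissions:
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # A shallow clone (the default, depth 1) hides history, which
          # breaks blame information and new-code detection in the results.
          fetch-depth: 0

      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          # Provided by GitHub for the run; used to look up PR information.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Created in SonarCloud (My Account > Security) and stored as an
          # Actions secret named SONAR_TOKEN. Never commit the token itself:
          # it authenticates uploads of analysis results for your organization.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Placeholders: use the organization key and project key SonarCloud
          # shows for your organization and imported repository.
          args: >
            -Dsonar.organization=YOUR_ORG_KEY
            -Dsonar.projectKey=YOUR_ORG_KEY_YOUR_REPO
```

The same two `sonar.organization` and `sonar.projectKey` values can instead be placed in a `sonar-project.properties` file at the repository root, which the action reads by default.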

Your analysis results

Once the analysis is complete, you can view the results of your first analysis. Please see the pages on GitHub Actions to integrate SonarCloud into your GitHub pipeline.

In addition, SonarCloud displays some result data directly in GitHub when finding security vulnerabilities. See the GitHub Code Scanning Alerts appendices for more details.

© 2008-2022, SonarCloud by SonarSource SA. All rights reserved.