
Update sonarqube.yml #26

Update sonarqube.yml



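# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow triggers a SonarQube analysis of your code and populates
# GitHub Code Scanning alerts with vulnerabilities found.
# (Available starting from SonarQube 9.7, Developer Edition and above)
# Prerequisites:
# 1. Add a valid GitHub configuration in SonarQube (Administration > DevOps platforms > GitHub).
# 2. Import your project into SonarQube by creating a new project from your repository.
# 3. Set up secrets in your GitHub repository:
# - SONAR_TOKEN: Generate a token in SonarQube (My Account > Security) and add it to GitHub secrets.
# - SONAR_HOST_URL: Add your SonarQube host URL (e.g., https://sonarcloud.io) to GitHub secrets.
name: SonarQube analysis

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  workflow_dispatch:

# Least privilege: once any scope is listed under `permissions`, every
# unlisted scope is set to none. `contents: read` therefore has to be
# explicit, otherwise actions/checkout runs with a token that cannot read
# the repository.
permissions:
  contents: read
  pull-requests: read # Allows SonarQube to decorate PRs with analysis results

jobs:
  # One matrix leg per external analyzer; each leg produces a single report
  # artifact that the SonarQube job downloads and imports.
  Analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        tool: [bandit, ruff, mypy]
    steps:
      - name: Checkout code
        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2

      - name: Set up Python
        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
        with:
          python-version: '3.13'
          # setup-python's built-in pip cache replaces the hand-rolled
          # actions/cache step: it keys on the dependency file and caches
          # pip's download cache instead of a hard-coded site-packages path
          # that does not match where setup-python installs the interpreter.
          cache: 'pip'
          cache-dependency-path: pyproject.toml

      - name: Install project dependencies
        # Assumes dev dependencies (e.g., Bandit, Ruff, Mypy) are in [dev]
        # extras. Quoted so the shell never treats ".[dev]" as a glob.
        run: pip install -e ".[dev]"

      - name: Install analysis tools
        run: pip install bandit ruff mypy

      # All three analyzers exit non-zero when they report findings. The
      # report still has to reach SonarQube, so a finding must not fail
      # this job; the pass/fail verdict belongs to SonarQube's quality gate.
      - name: Run Bandit
        if: matrix.tool == 'bandit'
        continue-on-error: true
        run: bandit -r . -o bandit_report.json --format json --exclude tests,.git

      - name: Run Ruff
        if: matrix.tool == 'ruff'
        continue-on-error: true
        run: ruff check . --output-format json --output-file ruff_report.json --exclude tests,.git

      - name: Run Mypy
        if: matrix.tool == 'mypy'
        continue-on-error: true
        # sonar.python.mypy.reportPaths consumes mypy's plain-text output, so
        # stdout is captured verbatim rather than converted to JSON.
        run: mypy . > mypy_report.txt

      - name: Upload report artifact
        uses: actions/upload-artifact@5076952e8b3fbcaaacbf7d9c6376b5c0719038f8
        with:
          name: ${{ matrix.tool }}-report
          # Bandit/Ruff write .json, Mypy writes .txt; the glob covers both.
          path: ${{ matrix.tool }}_report.*
          # Fail here, where the cause is visible, instead of in the
          # downstream `mv` of the SonarQube job.
          if-no-files-found: error

  SonarQube:
    needs: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2

      - name: Download analysis reports
        # The SHA previously pinned here was not a valid commit id (it
        # contained non-hex characters and was too short), so the step could
        # never resolve. TODO(review): re-pin to a verified 40-hex commit SHA
        # of actions/download-artifact, matching the major version of the
        # upload-artifact pin used in the Analyze job.
        uses: actions/download-artifact@v4
        with:
          # Without `name`, every artifact lands in reports/<artifact-name>/.
          path: reports

      - name: Move reports to working directory
        run: |
          mv reports/bandit-report/bandit_report.json .
          mv reports/ruff-report/ruff_report.json .
          mv reports/mypy-report/mypy_report.txt .

      - name: Check if reports exist
        run: |
          for report in bandit_report.json ruff_report.json mypy_report.txt; do
            if [ ! -f "$report" ]; then
              echo "$report not found. Exiting."
              exit 1
            fi
          done

      - name: Analyze with SonarQube
        uses: SonarSource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # Pinned by Renovate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Your SonarQube token from secrets
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # Your SonarQube host URL from secrets
        with:
          # Folded scalar: each line becomes one whitespace-separated argument,
          # so no single value may contain a space. The version list is
          # written without spaces after the commas for exactly that reason
          # ("3.10, 3.11" would have been split into two broken arguments).
          args: >-
            -Dsonar.projectKey=DavidOsipov_PostQuantum-Feldman-VSS
            -Dsonar.organization=davidosipov
            -Dsonar.python.bandit.reportPaths=bandit_report.json
            -Dsonar.python.ruff.reportPaths=ruff_report.json
            -Dsonar.python.mypy.reportPaths=mypy_report.txt
            -Dsonar.python.version=3.10,3.11,3.12,3.13
            -Dsonar.languages=python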