Enhance SonarQube workflow with additional analysis tools and improved report handling

DavidOsipov · DavidOsipov · commit 814667b6fd30 · 2025-03-25T14:02:01.000+04:00
Signed-off-by: DavidOsipov &lt;personal@david-osipov.vision&gt;
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -1,4 +1,4 @@
-name: Analyze and SonarQube Scan
+name: 🛡️ Bastion Quality Gates
 
 on:
   push:
@@ -8,41 +8,67 @@ on:
   workflow_dispatch:
 
 permissions:
-  pull-requests: read # Allows SonarQube to decorate PRs with analysis results
+  pull-requests: read
+  security-events: write
 
 jobs:
   Analyze:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        tool: [bandit, ruff, mypy]
+        tool: [bandit, ruff, mypy, flake8, pylint, codeql, snyk]
     steps:
       - name: Checkout code
         uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 
       - name: Set up Python
+        if: matrix.tool != 'codeql' && matrix.tool != 'snyk'
         uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
         with:
           python-version: '3.13'
 
       - name: Cache pip dependencies
+        if: matrix.tool != 'codeql' && matrix.tool != 'snyk'
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
-          path: /usr/local/lib/python3.12/site-packages
+          path: /usr/local/lib/python3.13/site-packages
           key: pip-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
             pip-
 
       - name: Install project dependencies
+        if: matrix.tool != 'codeql' && matrix.tool != 'snyk'
         run: |
           pip install .
           pip install .[dev]
 
       - name: Install analysis tools
+        if: matrix.tool != 'codeql' && matrix.tool != 'snyk'
         run: |
-          pip install bandit ruff mypy
-          ruff --version  # For debugging
-          mypy --version  # For debugging
+          pip install bandit ruff mypy flake8 pylint
+          bandit --version
+          ruff --version
+          mypy --version
+          flake8 --version
+          pylint --version
+
+      - name: Set up Node.js for Snyk
+        if: matrix.tool == 'snyk'
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+
+      - name: Setup Snyk CLI
+        if: matrix.tool == 'snyk'
+        uses: snyk/actions/setup@cdb760004ba9ea4d525f2e043745dfe85bb9077e
+        with:
+          snyk-version: latest
+
+      - name: Run Snyk Security Scan
+        if: matrix.tool == 'snyk'
+        run: snyk test --all-projects --sarif-file-output=snyk_report.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
 
       - name: Run Bandit
         if: matrix.tool == 'bandit'
@@ -54,7 +80,27 @@ jobs:
 
       - name: Run Mypy
         if: matrix.tool == 'mypy'
-        run: mypy . 2>&1 | tee mypy_report.txt || true  # Capture output to file and console, continue on error
+        run: mypy . 2>&1 | tee mypy_report.txt || true
+
+      - name: Run Flake8
+        if: matrix.tool == 'flake8'
+        run: flake8 . --output-file flake8_report.txt --format=pylint || true
+
+      - name: Run Pylint
+        if: matrix.tool == 'pylint'
+        run: pylint --recursive=y . --output-format=json > pylint_report.json || true
+
+      - name: Initialize CodeQL
+        if: matrix.tool == 'codeql'
+        uses: github/codeql-action/init@main
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        if: matrix.tool == 'codeql'
+        uses: github/codeql-action/analyze@main
+        with:
+          output: codeql_report.sarif
 
       - name: Upload report artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
@@ -69,7 +115,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
         with:
-          fetch-depth: 0  # Fetch full Git history for SonarQube
+          fetch-depth: 0
 
       - name: Download analysis reports
         uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e
@@ -81,10 +127,14 @@ jobs:
           mv reports/bandit-report/bandit_report.json .
           mv reports/ruff-report/ruff_report.json .
           mv reports/mypy-report/mypy_report.txt .
+          mv reports/flake8-report/flake8_report.txt .
+          mv reports/pylint-report/pylint_report.json .
+          mv reports/codeql-report/codeql_report.sarif .
+          mv reports/snyk-report/snyk_report.sarif .
 
       - name: Check if reports exist
         run: |
-          for report in bandit_report.json ruff_report.json mypy_report.txt; do
+          for report in bandit_report.json ruff_report.json mypy_report.txt flake8_report.txt pylint_report.json codeql_report.sarif snyk_report.sarif; do
             if [ ! -f "$report" ]; then
               echo "$report not found. Exiting."
               exit 1
@@ -104,5 +154,8 @@ jobs:
             -Dsonar.python.bandit.reportPaths=bandit_report.json
             -Dsonar.python.ruff.reportPaths=ruff_report.json
             -Dsonar.python.mypy.reportPaths=mypy_report.txt
+            -Dsonar.python.flake8.reportPaths=flake8_report.txt
+            -Dsonar.python.pylint.reportPaths=pylint_report.json
+            -Dsonar.sarifReportPaths=codeql_report.sarif,snyk_report.sarif
             -Dsonar.python.version=3.10-3.13
             -Dsonar.languages=python
