If you are already running a centralized SonarQube server, use the Scan with SonarQube action instead.
If you do not have a centralized SonarQube installed, use this action to scan a Git repository with the SonarQube static application security testing (SAST) scanner, which detects security flaws and suggests code fixes. Scan results are displayed in CloudBees platform analytics dashboards only, not in SonarQube reports, because the bundled SonarQube instance is headless and ephemeral: it exists only for the duration of the scan, so there is no server left to browse afterwards.
For code coverage information, use a third-party coverage tool, as SonarQube itself does not calculate coverage. Configure the SonarQube bundled action to import the coverage results either by specifying a coverage file or by running a unit test.
All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.
Inputs
Input name | Data type | Required? | Description |
---|---|---|---|
sonar-exclusion | String | No | SonarQube exclusion pattern; files matching the pattern are excluded from the scan. |
 | String | No | SonarQube inclusion pattern; only files matching the pattern are included in the scan. |
cover-file-name | String | No | The file path of the third-party code coverage tool results. |
language | String | Yes | The language of your Git repository code base. Refer to Supported languages with inputs. |
 | String | No | Log level can be |
threshold-critical | integer | No | The maximum number of critical severity security findings; the build fails if this number is exceeded. For example, with the threshold set to 2, the build fails when 3 or more critical severity findings are reported. |
threshold-very-high | integer | No | The maximum number of very high severity security findings; the build fails if this number is exceeded. For example, with the threshold set to 2, the build fails when 3 or more very high severity findings are reported. |
threshold-high | integer | No | The maximum number of high severity security findings; the build fails if this number is exceeded. For example, with the threshold set to 2, the build fails when 3 or more high severity findings are reported. |
threshold-medium | integer | No | The maximum number of medium severity security findings; the build fails if this number is exceeded. For example, with the threshold set to 2, the build fails when 3 or more medium severity findings are reported. |
threshold-low | integer | No | The maximum number of low severity security findings; the build fails if this number is exceeded. For example, with the threshold set to 2, the build fails when 3 or more low severity findings are reported. |
Outputs
Output name | Data type | Description |
---|---|---|
critical-count | String | A string containing the number of critical severity security findings discovered during the scan. |
very-high-count | String | A string containing the number of very high severity security findings discovered during the scan. |
high-count | String | A string containing the number of high severity security findings discovered during the scan. |
medium-count | String | A string containing the number of medium severity security findings discovered during the scan. |
low-count | String | A string containing the number of low severity security findings discovered during the scan. |
Supported languages with inputs
Supported language | Input format |
---|---|
Go | |
Java | |
JavaScript | |
.NET | |
PHP | |
Python | LANGUAGE_PYTHON |
Ruby | |
Usage example
In your YAML file, add:

```yaml
- name: Scan with SonarQube bundled
  uses: cloudbees-io/sonarqube-bundled-sast-scan-code@v1
  with:
    sonar-exclusion: sonar/*
    cover-file-name: ./coverage.xml
    language: LANGUAGE_PYTHON
```
In the following example, the thresholds for critical, very high, high, medium, and low severity security findings are all set to 0. The build therefore fails as soon as a single security finding of any severity is identified.

```yaml
- name: Scan with SonarQube bundled
  uses: cloudbees-io/sonarqube-bundled-sast-scan-code@v2
  with:
    sonar-exclusion: sonar/*
    cover-file-name: ./coverage.xml
    language: LANGUAGE_PYTHON
    threshold-critical: 0
    threshold-very-high: 0
    threshold-high: 0
    threshold-medium: 0
    threshold-low: 0
```
Using outputs from SonarQube
The action exposes the per-severity finding counts as step outputs, which can be promoted to job outputs for downstream jobs. As an example, the following workflow prints the count for each severity, both in a later step of the same job and in a separate job that depends on it:

```yaml
jobs:
  Your-SonarQube-Job:
    outputs:
      your-sonarqube-job-output-critical: ${{ steps.your-sonarqube-step.outputs.critical-count }}
      your-sonarqube-job-output-very-high: ${{ steps.your-sonarqube-step.outputs.very-high-count }}
      your-sonarqube-job-output-high: ${{ steps.your-sonarqube-step.outputs.high-count }}
      your-sonarqube-job-output-medium: ${{ steps.your-sonarqube-step.outputs.medium-count }}
      your-sonarqube-job-output-low: ${{ steps.your-sonarqube-step.outputs.low-count }}
    steps:
      - id: your-sonarqube-step
        name: Run step with SonarQube Bundled action
        uses: cloudbees-io/sonarqube-bundled-sast-scan-code@v2
        with:
          language: LANGUAGE_PYTHON
      - id: print-outputs-from-your-sonarqube-step
        name: Print outputs from upstream SonarQube step
        uses: docker://alpine:latest
        run: |
          # print all outputs of the scan step
          echo "Outputs from upstream SonarQube step:"
          echo "Critical Count: ${{ steps.your-sonarqube-step.outputs.critical-count }}"
          echo "Very High Count: ${{ steps.your-sonarqube-step.outputs.very-high-count }}"
          echo "High Count: ${{ steps.your-sonarqube-step.outputs.high-count }}"
          echo "Medium Count: ${{ steps.your-sonarqube-step.outputs.medium-count }}"
          echo "Low Count: ${{ steps.your-sonarqube-step.outputs.low-count }}"
  Print-Outputs-From-Your-SonarQube-Job:
    needs: [Your-SonarQube-Job]
    steps:
      - id: print-outputs-from-your-sonarqube-job
        name: Print outputs from upstream SonarQube job
        uses: docker://alpine:latest
        run: |
          # print all outputs promoted by the upstream job
          echo "Outputs from upstream SonarQube job:"
          echo "Critical Count: ${{ needs.Your-SonarQube-Job.outputs.your-sonarqube-job-output-critical }}"
          echo "Very High Count: ${{ needs.Your-SonarQube-Job.outputs.your-sonarqube-job-output-very-high }}"
          echo "High Count: ${{ needs.Your-SonarQube-Job.outputs.your-sonarqube-job-output-high }}"
          echo "Medium Count: ${{ needs.Your-SonarQube-Job.outputs.your-sonarqube-job-output-medium }}"
          echo "Low Count: ${{ needs.Your-SonarQube-Job.outputs.your-sonarqube-job-output-low }}"
```
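Because the counts are plain strings, a downstream step can do more than echo them. The POSIX sh script below is an added example, not part of the CloudBees action or its documentation: it gates the build on a single weighted budget across all five severities, something the per-severity threshold-* inputs cannot express on their own (for instance "a handful of medium findings is fine, but not twenty"). The weights 10/7/5/2/1, the budget value and the function names are assumptions of this example. Empty or non-numeric counts, which is what the expressions expand to when the scan step was skipped and its outputs were never set, make the gate fail closed instead of passing silently.

```shell
#!/bin/sh
# Added example (not from the CloudBees action): gate a build on a weighted
# finding budget built from the five *-count outputs of the
# sonarqube-bundled-sast-scan-code step. Severity weights and the budget are
# assumptions of this example, not values defined by the action.

# to_int VALUE: print VALUE if it is a non-negative integer, else return 1.
# An empty string (output never set) or anything non-numeric is rejected.
to_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# weighted_score CRITICAL VERY_HIGH HIGH MEDIUM LOW
# Prints critical*10 + very_high*7 + high*5 + medium*2 + low (weights assumed).
# Returns 1 without printing if any count is missing or not a number.
weighted_score() {
  c=$(to_int "$1") || return 1
  vh=$(to_int "$2") || return 1
  h=$(to_int "$3") || return 1
  m=$(to_int "$4") || return 1
  l=$(to_int "$5") || return 1
  echo $(( c * 10 + vh * 7 + h * 5 + m * 2 + l ))
}

# check_budget BUDGET CRITICAL VERY_HIGH HIGH MEDIUM LOW
# Returns 0 when the weighted score is within BUDGET, 1 otherwise.
# Invalid input also returns 1, so a broken or skipped scan fails the gate.
check_budget() {
  budget=$(to_int "$1") || { echo "invalid budget: '$1'" >&2; return 1; }
  shift
  score=$(weighted_score "$@") || {
    echo "invalid or missing finding count among: '$*'" >&2
    return 1
  }
  if [ "$score" -gt "$budget" ]; then
    echo "SAST budget exceeded: weighted score $score > $budget" >&2
    return 1
  fi
  echo "SAST budget ok: weighted score $score <= $budget"
}

# Constructed sample counts (1 critical, 0 very high, 1 high, 2 medium, 3 low)
# against an assumed budget of 25: score 22, so the gate passes.
check_budget 25 1 0 1 2 3
```

In a pipeline, put the functions in a `run:` block of a step that runs after the scan (the page's `docker://alpine:latest` image has a POSIX shell) and call `check_budget 25 "${{ steps.your-sonarqube-step.outputs.critical-count }}" "${{ steps.your-sonarqube-step.outputs.very-high-count }}" ...` with the five counts in severity order; a non-zero exit status from the last command fails the step, as with any failing shell command. Quoting each expansion is what lets an unset output arrive as an empty argument instead of shifting the remaining counts into the wrong positions.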