CloudBees action: Scan with SonarQube

If you are already running a centralized SonarQube instance, use this action to scan a Git repository with the SonarQube static analysis scanner. The data collected from the scans is available in your SonarQube reports, and the results are also displayed in the CloudBees platform analytics dashboards. You can also use the action output as a quality gate for the next step or job in your workflow.

If you do not have SonarQube already installed, use the Scan with SonarQube bundled action instead.
All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details

Input name      Data type  Required?  Description
url             String     Yes        The SonarQube server URL.
cmakeList-path  String     No         The CMakeFileList.txt file path for scanning C-family code languages. For more information, refer to the CMake documentation.
password        String     No         The SonarQube password.
ref             String     No         The branch name to be scanned.
token           String     No         The SonarQube access token.
username        String     No         The SonarQube username.
workspace-dir   String     No         The file path of the code to be scanned.

Outputs

Table 2. Output details

Output name      Data type  Description
critical-count   String     The number of Critical security findings discovered during the scan.
very-high-count  String     The number of Very high security findings discovered during the scan.
high-count       String     The number of High security findings discovered during the scan.
medium-count     String     The number of Medium security findings discovered during the scan.
low-count        String     The number of Low security findings discovered during the scan.

Usage examples

Basic example

The following is a basic example for using the action:

- name: Scan with SonarQube
  uses: cloudbees-io/sonarqube-plugin@v1
  with:
    server-url: https://my-sonarqube-server-url

Scan C-family code languages

In the following example, the cmakeList-path input is specified for a C-family code language scan:

- name: Scan C-family code with SonarQube
  uses: cloudbees-io/sonarqube-plugin@v1
  with:
    server-url: ${{ vars.SONARQUBE_SERVER_URL }}
    cmakeList-path: https://path/to/my/CMakeFileList.txt

Using the action output

Access the output values in downstream steps and jobs using the outputs context.

Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

${{steps.<action_step_ID>.outputs.<severity>}}

The following example uses the action output in a downstream step of the same job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  sonarqube-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
      - id: sonarqube-step
        name: sonarqube scan
        uses: cloudbees-io/sonarqube-plugin@v1
        with:
          server-url: https://my-sonarqube-server-url
      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace
      - id: print-outputs-from-sonarqube-step
        name: print outputs from upstream sonarqube step
        uses: docker://alpine:latest
        run: |
          # printing all outputs
          echo "Outputs from upstream sonarqube step:"
          echo "Critical count: ${{steps.sonarqube-step.outputs.critical-count}}"
          echo "Very high count: ${{steps.sonarqube-step.outputs.very-high-count}}"
          echo "High count: ${{steps.sonarqube-step.outputs.high-count}}"
          echo "Medium count: ${{steps.sonarqube-step.outputs.medium-count}}"
          echo "Low count: ${{steps.sonarqube-step.outputs.low-count}}"

The following example uses the action output in a downstream job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  job1:
    outputs:
      sonarqube-job-output-critical: ${{ steps.sonarqube-step.outputs.critical-count }}
      sonarqube-job-output-very-high: ${{ steps.sonarqube-step.outputs.very-high-count }}
      sonarqube-job-output-high: ${{ steps.sonarqube-step.outputs.high-count }}
      sonarqube-job-output-medium: ${{ steps.sonarqube-step.outputs.medium-count }}
      sonarqube-job-output-low: ${{ steps.sonarqube-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}
      - id: sonarqube-step
        name: sonarqube scan
        uses: cloudbees-io/sonarqube-plugin@v1
        with:
          server-url: https://my-sonarqube-server-url
  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream sonarqube job:"
          echo "Critical count: ${{ needs.job1.outputs.sonarqube-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.sonarqube-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.sonarqube-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.sonarqube-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.sonarqube-job-output-low }}"
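The examples above only print the counts; to use them as the quality gate mentioned at the top of this page, a downstream step has to turn them into a pass/fail exit status. The following POSIX shell script is an added example (not code from the CloudBees action or its documentation) written as the body of such a run step: the sonarqube_gate function name, the thresholds and the sample counts are assumptions, and in a workflow you would pass the outputs context expressions shown above as its arguments.

```shell
#!/bin/sh
# Quality gate over the Scan with SonarQube action outputs (added example).
# Usage: sonarqube_gate CRITICAL VERY_HIGH HIGH MEDIUM LOW
# Returns 0 when the gate passes and 1 when it fails, which fails the step.
# Assumed policy: no Critical or Very high findings, at most MAX_HIGH High
# findings; Medium and Low are reported only.

is_count() {
  # The outputs are strings; accept only a non-negative integer. An empty
  # value means the scan step did not run or did not report, so we fail closed.
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

sonarqube_gate() {
  critical="$1"; very_high="$2"; high="$3"; medium="$4"; low="$5"
  max_high="${MAX_HIGH:-5}"
  for v in "$critical" "$very_high" "$high" "$medium" "$low"; do
    if ! is_count "$v"; then
      echo "gate: invalid or missing count '$v'; failing closed" >&2
      return 1
    fi
  done
  echo "Critical=$critical VeryHigh=$very_high High=$high Medium=$medium Low=$low"
  failed=0
  [ "$critical" -gt 0 ] && { echo "gate: $critical Critical finding(s)" >&2; failed=1; }
  [ "$very_high" -gt 0 ] && { echo "gate: $very_high Very high finding(s)" >&2; failed=1; }
  [ "$high" -gt "$max_high" ] && { echo "gate: $high High finding(s), limit $max_high" >&2; failed=1; }
  return "$failed"
}

# Constructed sample counts so the script runs stand-alone. In the workflow,
# pass the action outputs instead, for example:
#   sonarqube_gate "${{steps.sonarqube-step.outputs.critical-count}}" \
#                  "${{steps.sonarqube-step.outputs.very-high-count}}" \
#                  "${{steps.sonarqube-step.outputs.high-count}}" \
#                  "${{steps.sonarqube-step.outputs.medium-count}}" \
#                  "${{steps.sonarqube-step.outputs.low-count}}"
sonarqube_gate 0 0 3 12 40
```

Because the outputs are strings, the validation step matters: a missing output would otherwise be treated as zero findings by a naive comparison and silently pass the gate.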