Integrating SonarCloud with GitHub Actions for Secure Code Analysis

Rahul Sharan
6 min read · Sep 27, 2023


In the world of software development, writing code is just the beginning. Finding the vulnerabilities and bugs in that code before it ships is equally important. One way to do this is Static Application Security Testing (SAST), which analyzes source code without running it. In this blog post, we’ll walk you through the process of integrating SonarCloud, a popular SAST tool, with GitHub Actions so that every push gets analyzed automatically.

What is SonarCloud?

SonarCloud is a cloud-based platform that helps you analyze and improve your code’s quality and security. It scans your codebase for potential issues, such as security vulnerabilities, code smells, and bugs, and provides actionable feedback to help you make your code better.

What is GitHub Actions?

GitHub Actions is a feature of GitHub that allows you to automate various tasks in your software development workflow. It’s like having a virtual assistant that can perform tasks like building, testing, and deploying your code automatically.

Why Integrate SonarCloud with GitHub Actions?

Integrating SonarCloud with GitHub Actions is a smart move for several reasons:

  1. Continuous Code Analysis: With SonarCloud integrated into your GitHub Actions workflow, your code is automatically scanned every time you make changes. This means you can catch issues early in the development process.
  2. Security: SonarCloud checks your code for security vulnerabilities, helping you identify and fix potential risks before they become real problems.
  3. Code Quality: It also helps maintain code quality by highlighting code smells and other issues that might affect the readability and maintainability of your code.
  4. Automatic Feedback: You get immediate feedback on your code, making it easier to maintain high-quality standards.

Now, let’s get into the nitty-gritty of how to set up SonarCloud in GitHub Actions.

Setting up SonarCloud in GitHub Actions

Here’s a step-by-step guide:

Step 1: Create a SonarCloud Account

If you don’t have a SonarCloud account, you’ll need to sign up for one. It’s free for open-source projects.

  1. Go to the SonarCloud website (https://sonarcloud.io).

  2. Log in with your GitHub account. SonarCloud uses GitHub’s sign-in flow: you enter your GitHub credentials on GitHub and then authorize SonarCloud, so SonarCloud itself never receives your GitHub password.

Login to SonarCloud with GitHub

Congratulations! You’ve created a SonarCloud account linked to your GitHub identity.

SonarCloud Dashboard

Step 2: Create SonarCloud Organizations & Generate a SonarCloud Token

Once you have an account, create an organization and generate an authentication token from the SonarCloud dashboard. This token is what GitHub Actions will use to authenticate to SonarCloud, so treat it like a password: it must never be committed to the repository.

  1. Click on your profile picture in the top-right corner and select “My Account.”

  2. Open the “Security” tab. Under “Generate Tokens,” give the token a name and click the “Generate token” button. Copy the value right away; SonarCloud shows it only once.

  3. Create an organization. SonarCloud identifies your project by an organization key and a project key, and you will pass both to the scanner (as -Dsonar.organization and -Dsonar.projectKey), so note them down. Then create the project inside that organization and choose “With GitHub Actions” as the analysis method.

SonarCloud Organizations
Create an Organization Manually
Organization Name and Key
SonarCloud Free plan
Analyze Projects
Create Project
Analyze Method with GitHub Action

Step 3: Add Secrets to GitHub

In your GitHub repository, go to “Settings” > “Secrets and variables” > “Actions” and add a repository secret named SONAR_TOKEN with the value of the token you generated in Step 2 (from the command line, gh secret set SONAR_TOKEN does the same). GitHub stores the secret encrypted, masks it in job logs, and does not expose it to workflows triggered by pull requests from forks. You do not need to store a GitHub personal access token for this integration: every job already receives an automatic GITHUB_TOKEN that is scoped to the repository and expires when the job ends.

SonarCloud Token
GitHub Personal Access Token

Step 4: Create a Workflow

The workflow below comes from the example repository https://github.com/rahuls512/java-reachability-playground. Create the workflow file in your own repository under .github/workflows/ (e.g., .github/workflows/sonarqube-scan.yml).

Workflow

name: Run SonarQube with Maven

on: push

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # full history, not a shallow clone: SonarCloud uses it to attribute issues
          fetch-depth: 0
      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven and analyze on SonarCloud
        run: mvn -B verify sonar:sonar -Dsonar.projectKey=javareachabilityy -Dsonar.organization=javareachabilityy -Dsonar.host.url=https://sonarcloud.io -Dsonar.login=$SONAR_TOKEN
        env:
          # built-in, job-scoped token; lets SonarCloud read pull request information
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # the repository secret created in Step 3; the name must match exactly
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Because the trigger is a bare on: push, this workflow runs a SonarCloud scan on every push to any branch of the repository, not only master. To scan only particular branches, add a branches filter under push.

Here’s an explanation of what this workflow does:

  1. name sets the workflow name to “Run SonarQube with Maven.”
  2. on: push triggers the workflow whenever code is pushed to the GitHub repository.
  3. There is a single job named “build” that runs on an Ubuntu-based virtual machine (“ubuntu-latest”).
  4. The job runs the following steps, one after the other:
  5. a. Checkout Code: downloads the repository using the predefined action “actions/checkout@v2.” fetch-depth: 0 fetches the full git history; SonarCloud uses it to attribute issues to the commits that introduced them, and a shallow clone degrades the analysis.
  6. b. Set up JDK 11: installs Java Development Kit (JDK) 11 with “actions/setup-java@v2” (Temurin distribution) and caches the local Maven repository between runs. JDK 11 is required to build and run the Java code.
  7. c. Build with Maven: builds the Java project with Apache Maven and runs the analysis. The “mvn” command takes several options:
  • -B: batch mode, so Maven never prompts for user input.
  • verify sonar:sonar: Maven goals to compile and test the project, then run the SonarCloud analysis.
  • -Dsonar.projectKey: the unique key of the project in SonarCloud.
  • -Dsonar.organization: the SonarCloud organization the project belongs to.
  • -Dsonar.host.url: the server URL (here the SonarCloud server, https://sonarcloud.io).
  • -Dsonar.login: the authentication token, read from the SONAR_TOKEN environment variable. Recent scanner versions call this property sonar.token and treat sonar.login as deprecated; either way, pass it from an environment variable, never as a literal in the workflow file.
  8. The “env” section of that step defines two environment variables:
  • GITHUB_TOKEN: the token GitHub creates automatically for each job (secrets.GITHUB_TOKEN). It is scoped to the repository and expires when the job ends, so no personal access token is needed. An earlier version of this workflow spelled it GIT_HUB_TOKEN, which refers to a secret that does not exist; names starting with GITHUB_ are reserved, so the only way to get this token is the built-in one.
  • SONAR_TOKEN: the SonarCloud token stored as a repository secret in Step 3. The name after secrets. must match the secret you created exactly; a mismatch yields an empty variable, and the first symptom is an authorization error from the scanner.

In summary, this workflow automates the process of building a Java project, running SonarQube analysis, and sending the results to SonarCloud when code is pushed to the GitHub repository. It also uses tokens stored as secrets for authentication and authorization.
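A mismatched secret name is easy to miss in review because YAML does not complain: ${{ secrets.SONARCLOUD_TOKEN }} simply expands to an empty string when the repository only defines SONAR_TOKEN, and the job fails later with an authorization error from the scanner. The script below is an added example (not part of the original post, of SonarCloud, or of GitHub) that audits a workflow file for the mistakes discussed in this section: secret references that do not match the configured secret names, the reserved GITHUB_ prefix, a token pasted as a literal on the mvn command line, the deprecated sonar.login property, and a shallow checkout. audit_workflow and its regular expressions are my own text-based checks rather than a full YAML parse, and the three embedded workflows are constructed samples; the hex token in the last one is a made-up value.

```python
import re

# Secrets GitHub provides implicitly to every job; any other secrets.<NAME>
# reference must match a secret created under Settings > Secrets and variables.
BUILTIN_SECRETS = {"GITHUB_TOKEN"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# sonar.login / sonar.token followed by a long hex string, i.e. a token pasted
# into the workflow instead of a variable reference such as $SONAR_TOKEN.
LITERAL_TOKEN = re.compile(r"-Dsonar\.(login|token)=([0-9a-fA-F]{20,})")
CHECKOUT_STEP = re.compile(r"uses:\s*actions/checkout@")
FULL_HISTORY = re.compile(r"fetch-depth:\s*0\b")


def audit_workflow(workflow_text, configured_secrets):
    """Text-based checks on a GitHub Actions workflow that runs the SonarCloud
    Maven scanner. Returns a list of findings; an empty list means nothing to fix."""
    findings = []

    # 1. Every secrets.<NAME> must be either built in or actually configured.
    for name in sorted(set(SECRET_REF.findall(workflow_text))):
        if name in BUILTIN_SECRETS or name in configured_secrets:
            continue
        hint = ""
        if name.upper().replace("_", "") == "GITHUBTOKEN":
            hint = " (did you mean the built-in GITHUB_TOKEN?)"
        elif name.startswith("GITHUB_"):
            hint = " (the GITHUB_ prefix is reserved; GitHub will not let you create it)"
        findings.append(f"secret '{name}' is referenced but not configured{hint}")

    # 2. A credential on the command line is a credential in git history.
    for prop, value in LITERAL_TOKEN.findall(workflow_text):
        findings.append(
            f"sonar.{prop} is a literal value starting '{value[:4]}'; move it to a repository secret"
        )

    # 3. sonar.login still works on older scanners but is deprecated.
    if "-Dsonar.login=" in workflow_text:
        findings.append("sonar.login is deprecated in recent scanner versions; prefer -Dsonar.token")

    # 4. SonarCloud wants full history to attribute issues; a shallow clone degrades it.
    if CHECKOUT_STEP.search(workflow_text) and not FULL_HISTORY.search(workflow_text):
        findings.append("actions/checkout is a shallow clone; add 'with: fetch-depth: 0'")

    return findings


# Constructed sample: the workflow as first written on this page, with the
# SONARCLOUD_TOKEN / GIT_HUB_TOKEN names that do not match the SONAR_TOKEN secret.
ORIGINAL_WORKFLOW = """\
name: Run SonarQube with Maven
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build with Maven cloud
        run: mvn -B verify sonar:sonar -Dsonar.projectKey=javareachabilityy -Dsonar.organization=javareachabilityy -Dsonar.host.url=https://sonarcloud.io -Dsonar.login=$SONARCLOUD_TOKEN
        env:
          GIT_HUB_TOKEN: ${{ secrets.GIT_HUB_TOKEN }}
          SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
"""

# Constructed sample: the same workflow after aligning the names with the
# SONAR_TOKEN secret from Step 3, using the built-in GITHUB_TOKEN and full history.
FIXED_WORKFLOW = """\
name: Run SonarQube with Maven
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build with Maven cloud
        run: mvn -B verify sonar:sonar -Dsonar.projectKey=javareachabilityy -Dsonar.organization=javareachabilityy -Dsonar.host.url=https://sonarcloud.io -Dsonar.token=$SONAR_TOKEN
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

# Constructed sample: a (fake) token pasted straight into the run line.
LEAKED_WORKFLOW = FIXED_WORKFLOW.replace(
    "-Dsonar.token=$SONAR_TOKEN",
    "-Dsonar.token=0123456789abcdef0123456789abcdef01234567",
)

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_WORKFLOW), ("fixed", FIXED_WORKFLOW), ("leaked", LEAKED_WORKFLOW)):
        print(f"== {label}")
        for finding in audit_workflow(text, {"SONAR_TOKEN"}):
            print(" -", finding)
```

Run it against the repository's real workflow by reading the file into workflow_text and passing the secret names listed under Settings > Secrets and variables; the original workflow produces four findings, the corrected one produces none, and the leaked variant produces a single finding for the inline token.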

Step 5: Run Your Workflow

Commit the workflow file and push it to your GitHub repository. GitHub Actions will automatically run the workflow, and you can see the scan results in the SonarCloud dashboard.

Workflow Run
GitHub Action Sonarqube Scan
Sonarqube Scan
Sonarqube Scan Result

Conclusion

Integrating SonarCloud with GitHub Actions is a simple yet effective way to improve the security and quality of your code. By following these steps, every push gets a static analysis pass, so vulnerabilities, bugs and code smells surface while the change is still small and cheap to fix. SAST finds particular classes of defects rather than all of them, so treat a clean scan as one gate among several, not as proof that the code is free of vulnerabilities. Happy Learning!
