Hi everybody,
In this article, I’ll show you how to perform code analysis on GitHub using SonarQube Cloud.
I’ve recently started using this tool at work, and I also use it in my personal projects on GitHub. If you’re not familiar with SonarQube Cloud, don’t worry, I’ll give you a quick overview of what it is and how you can easily set it up in your own project.
SonarQube Cloud, created in 2017, is a static code analysis tool that helps developers find and fix problems such as:
- Bugs
- Vulnerabilities
- Code Smells
- Test Coverage
- Security and Compliance Risks
SonarQube Cloud also works well with platforms like GitHub, GitLab, Bitbucket and Azure DevOps.
Now that you know a little bit about SonarQube Cloud, let’s get started with how to set up in your project!
The first step is to connect your GitHub account to SonarQube Cloud.
In my case, I already have some projects there, but I’ll share a link that shows how to connect your account and set up everything you need, right here: Get started with SonarCloud in 3 easy steps!
To start a new project, click the “+” icon at the top and choose “Analyze new project”.
I already have some projects in my account, but to create a new one, we need to click on "GitHub App Configuration."
After that, you’ll need to authenticate with your GitHub account. Then, you will be redirected to the "Installed GitHub Apps" page. There, click on "Configure" next to SonarCloud to proceed.
Here, under "Repository Access," you have two options:
- Only select repositories (the one I chose), or
- All repositories (if you prefer; pick whichever works best for you).
I selected my repository "Products-api" and then clicked "Save".
Back in SonarQube Cloud, your new repository is now available. Just select it and click on "Set Up".
Next, you’ll see two setup options:
- Previous version (this is the one I chose)
- Number of days (you can choose this if it makes more sense for your project)
After selecting the option that fits your needs, click on "Create Project".
Now, back in the "products-api" repository on GitHub, we can see that SonarQube Cloud is connected and ready.
To trigger the first code analysis, we just need to make a commit in the project.
After you push a commit to the main branch (or any other branch; SonarQube Cloud analyzes any branch that receives a new commit), the code analysis is triggered automatically.
Once the analysis is complete, you’ll see a summary of the results directly in the GitHub interface, under the “Checks” tab of your pull request or commit.
This summary includes useful information such as:
- Whether the code passed or failed the Quality Gate
- The number of bugs, vulnerabilities, and code smells found
- The test coverage percentage
- Any duplicated code
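To make the Quality Gate idea concrete, here is a small evaluator I added for this article (it is not SonarQube’s code). It takes the kind of metrics listed above (bugs, vulnerabilities, code smells, coverage, duplication) and turns them into a PASSED/FAILED verdict the way a gate does. The metric names, thresholds and sample results are constructed for illustration; the real conditions are whatever you configure in SonarQube Cloud.

```python
# Added example, not SonarQube's own code: a minimal quality-gate evaluator.
# Metric names, thresholds and the sample analysis results below are constructed
# for illustration only.
import operator
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    metric: str       # key in the metrics dict produced by an analysis
    op: str           # "<=" means "at most threshold", ">=" means "at least threshold"
    threshold: float


_OPS = {"<=": operator.le, ">=": operator.ge}


def evaluate(cond: Condition, metrics: Dict[str, float]) -> Tuple[bool, str]:
    """Check one condition; a missing metric fails closed rather than silently passing."""
    value = metrics.get(cond.metric)
    if value is None:
        return False, f"{cond.metric}: metric missing (treated as a failure)"
    ok = _OPS[cond.op](value, cond.threshold)
    verdict = "meets" if ok else "violates"
    return ok, f"{cond.metric}: {value} {verdict} {cond.op} {cond.threshold}"


def quality_gate(metrics: Dict[str, float], conditions: List[Condition]) -> Dict:
    """Return the overall gate status plus the messages of every failed condition."""
    results = [evaluate(c, metrics) for c in conditions]
    failed = [msg for ok, msg in results if not ok]
    return {"status": "PASSED" if not failed else "FAILED", "failed": failed}


# Constructed gate: no open bugs or vulnerabilities, a cap on code smells,
# a coverage floor and a duplication ceiling (thresholds are assumptions).
GATE = [
    Condition("bugs", "<=", 0),
    Condition("vulnerabilities", "<=", 0),
    Condition("code_smells", "<=", 10),
    Condition("coverage", ">=", 80.0),
    Condition("duplicated_lines_density", "<=", 3.0),
]

# Constructed sample analysis results for two commits.
SAMPLE_PASS = {
    "bugs": 0, "vulnerabilities": 0, "code_smells": 4,
    "coverage": 86.5, "duplicated_lines_density": 1.2,
}
SAMPLE_FAIL = {
    "bugs": 1, "vulnerabilities": 2, "code_smells": 5,
    "coverage": 71.4, "duplicated_lines_density": 4.2,
}


if __name__ == "__main__":
    for name, metrics in (("clean commit", SAMPLE_PASS), ("risky commit", SAMPLE_FAIL)):
        result = quality_gate(metrics, GATE)
        print(f"{name}: {result['status']}")
        for msg in result["failed"]:
            print("  -", msg)
```

The one design choice worth copying into any gate you write yourself: a metric that is absent (for example, because the coverage report was never uploaded) counts as a failure, so a broken pipeline cannot quietly turn into a green check.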
Here we can see some issues that were detected in my project by SonarQube Cloud, including this one and many other details.
That is for today. If you found this article helpful, please share and leave a comment.❤️