🔧Unlocking Code Quality with SonarQube and GitHub Actionsge

sonar SDLC tools

Greetings Developers! In this article, we'll explore the integration of SonarQube with GitHub Actions for a streamlined code quality assessment. We'll cover the installation of SonarQube Community, establishing a seamless connection with a test GitHub repository and implementing automated scans through GitHub Actions self-hosted runners. This step-by-step guide aims to empower developers to introduce efficient code quality management within their existing workflows.

---

Quick intro...

What is SonarQube?

SonarQube is a premier static code analysis tool. It meticulously examines code for bugs and security issues, aiding in comprehensive code quality & security assessments. As a key player in the realm of DevOps, it facilitates streamlined integration with GitHub Actions.

What are Github Actions?

GitHub Actions is an automation platform from GitHub that allows developers to define workflows for their software projects. It give you the chance to automate tasks such as building, testing, and deploying code directly from your GitHub repositories. With GitHub Actions, you can create custom workflows using pre-defined or custom actions, streamlining your development process and enhancing collaboration among team members.

What are Github Actions self-hosted runners?

GitHub Actions self-hosted runners are instances of GitHub Actions runners that you set up and manage in your own environment. These runners allow you to run workflows on your own infrastructure, providing flexibility and control over the execution environment. Whether on cloud servers, on-premises hardware, or even your local machine, self-hosted runners enable you to tailor the execution environment to your specific needs, enhancing the capabilities of GitHub Actions for your projects.

---

Setup...

How to run SonarQube locally:

Despite there are a few ways to run it, for the sake of this article I'm gonna showcase how to run it from a local docker container. If you want to follow this steps you should have Docker installed in your computer. For more information please refer to this article.

docker run -it --rm -p 9000:9000 sonarqube:10.3.0-community

And as simple as that we have our SonarQube Community instance running and on http://localhost:9000 where you would be able to login with admin:admin credentials.

Let's also use a self-hosted Github Actions runner locally

From your Github repository go to Settings -> Actions -> Runners and add one with the commands they provide. Have in mind that the runner should be able to reach the SonarQube instance so it can be able to populate the results.

If you need help with this setup, please read this article.

chromebook runner added successfully to github

For this test I've forked the repository DefectDojo/django-DefectDojo at which I've added the runner in a Chromebook.

(Optional) Grant SonarQube permissions for PR decoration

If you have a paid SonarQube Developer edition license, now that we have most of the things running we should only let the instance to be able to comment on our Pull requests, so we can have the decoration if something was found at the scan.

More info on how to set up the Github app in this article.

SonarQube Local Github App installed

Add repository as a SonarQube Project

Once the app is installed we are ready to onboard some of our Github repositories, in this case we are going to add the django-DefectDojo project I've forked.

project creation from github source

After adding the project, SonarQube would ask us how would we want to set up the analysis and for the purpose of this demo we are going to show up the Github Actions integration.

setup with github actions pane

So here comes the part where SonarQube suggest us to add both SONAR_TOKEN and SONAR_HOST_URL as repository secrets, which we should always do instead of hardcoding them to follow proper secret management practices.

But after that, there is an example action workflow that for this demo we are going to avoid. Therefore the action I made is the following:

name: SonarQube Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - master
  
jobs:
  sonarqube-scan:
    name: sonarqube-scan
    runs-on: self-hosted
    permissions: read-all
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - run: |
          sonar-scanner \
          -Dsonar.sources=. \
          -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
          -Dsonar.token=${{ secrets.SONAR_TOKEN }}

You can tell that in this example I'm running sonar-scanner locally, that's because the runner I'm using is a linux machine that already has sonar-scanner installed.

---

And now what?

Run scans

With all of this we are ready to add some changes to the repo and see our action being triggered as the following image.

action running in github PR commit change

Once the action finishes the scan, we can head up to SonarQube platform to see the results.

overview of finding results

Due to the security features SonarQube introduces you can also find things that are not code smells or developing bad habits but also potential vulnerabilities such as the following:

possible sql injection in defect dojo migrate_surveys.py file

How to prevent buggy code from being pushed?

You can also use SonarLint to run the scans directly on your IDE, preventing you to introduce buggy code into the codebases. Let's use VSCode integration for this example but there is support for many others such as JetBrains, Visual Studio or Eclipse.

SonarLint VSCode plugin page

If we install it from the VSCode plugins tab, then we just need to provide our SonarQube location and a token.

In our case, it's going to be http://localhost:9000 and a user token generated from your user account security panel at the SonarQube's console.

Once the plugin is enabled and configured we can monitor the findings and get Sonar insights right there in the editor.

vscode editor with sonarlint extension showing same sqli issue

---

Conclusions...

This article is just a showcase of the capabilities you can introduce to your developing pipelines with low effort implementations that can save a lot of hours of debugging or even lower risks in your tech stack.

You can find more information at Sonar's & GitHub's websites with tons of examples on how to integrate them and much more.

My thought's...

Try to keep security controls as simple as possible for your developers so that they do not perceive you as a hindrance but as an ally.

Thanks for getting this far, I hope you find this article useful and please give me your thought's on the comments.

Have you used any Sonar tool before? Do you have any similar setup? I'd be more than pleased to talk about it or #SDLCSecurity #SonarQube #GithubActions #CyberSecurity and much more...

Thanks!