Scan and analyze GitHub repository with SonarCloud

1. Follow the docs under SonarCloud - Getting Started with GitHub to setup SonarCloud with GitHub
   1. Sign up at SonarCloud
   2. Click Import another organization
   3. Select your personal GitHub account or the organization that contains the repository you want to scan
   4. When reaching the Create your SonarCloud organization page adjust/update data and click Create organization
   5. On Analyze projects page select the repository you want to scan and click Set Up
   6. On Set up project for Clean as You Code page select the desired code definition and click Create project
2. After completing the setup, the repository will be scanned automatically and you will see the results on the SonarCloud dashboard

To set up CI-based analysis with GitHub actions follow the instructions (guided wizard) under https://sonarcloud.io/project/configuration/GitHubActions?id=SONAR_CLOUD_PROJECT_ID

To include i.e. terraform files in the analysis of SonarScanner for .NET, the following adjustments are required.

1. Extend the dotnet-sonarscanner begin command with project base dir argument /d:sonar.projectBaseDir="D:\a\GITHUB_PROJECT_NAME\GITHUB_PROJECT_NAME" where GITHUB_PROJECT_NAME is the name of the GitHub project

2. Include the corresponding source files/folders in one of the projects csproj file

   <ItemGroup>
      <!-- This is required to include terraform files in SonarCloud analysis -->
      <Content Include="..\..\deploy\**\*.tf" Visible="false">
         <CopyToOutputDirectory>Never</CopyToOutputDirectory>
      </Content>
   </ItemGroup>

   For more details see here

To include test coverage in the analysis of SonarScanner for .NET, the following adjustments are required in the GitHub actions workflow (.github/workflows/quality.yml).

# Install dotnet-coverage
- name: Install dotnet-coverage
  shell: powershell
  run: |
    dotnet tool install --global dotnet-coverage
- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  shell: powershell
  run: |
    # Add /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml
    .\.sonar\scanner\dotnet-sonarscanner begin /k:"rufer7_github-sonarcloud-integration" /o:"rufer7" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.projectBaseDir="D:\a\github-sonarcloud-integration\github-sonarcloud-integration" /d:sonar.cs.vscoveragexml.reportsPaths=coverage.xml
    dotnet build .\src\ArbitrarySolution.sln --configuration Release
    # Execute tests and collect coverage
    dotnet-coverage collect 'dotnet test .\src\ArbitraryProject.Tests\ArbitraryProject.Tests.csproj' -f xml  -o 'coverage.xml'
    .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

To include test coverage in the analysis of SonarScanner for .NET, the following adjustments are required in the

The scan results can be viewed on the SonarCloud dashboard

Security hotspots detected by SonarCloud can be viewed directly on the GitHub repository under Security tab in the Code scanning section

Example

Pull request analysis results can be found directly on the pull requests.

For an example, see here

• SonarCloud - Getting Started with GitHub
• Pull request analysis
• .NET test coverage