Tekton Task Sonar Scan

Last Update : 21 November, 2023 | Published : 16 November, 2023 | 2 Min Read

Tekton ClusterTask: SonarQube Scanner

Description

The sonarscan ClusterTask runs static code analysis with SonarQube, provided a SonarQube server is available to receive the results. SonarQube is a widely used tool for continuous inspection of code quality and security, supporting over 25 popular programming languages. It detects bugs, vulnerabilities, and code smells across project branches and pull requests.

Parameters

  • SONAR_SCANNER_IMAGE: The SonarQube scanner CLI image for performing the scan. Default: docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f

  • SONAR_COVERAGE_TRH: Minimum code coverage percentage the scan must reach for the task to pass. Default: 80.00

  • SONAR-EXIT-CODE: Exit code returned when the coverage check fails; it determines whether the task is reported as a success or a failure. Default: 0

Workspaces

  • source: Workspace containing the code to be scanned by SonarQube.

  • sonar-settings (optional): Optional workspace where SonarQube properties can be mounted.

  • sonar-token (optional): Sonar login required to send the scan results to SonarCloud.

Steps

sonar-scan

This step uses the SonarQube scanner CLI image specified in SONAR_SCANNER_IMAGE. It performs the following operations:

#!/usr/bin/env bash
pwd
# Read the token from the mounted sonar-token workspace. It is not echoed,
# otherwise the secret would end up in the pipeline logs.
export SONAR_TOKEN=$(cat /workspace/sonar-token/SONAR_TOKEN)
[ -n "$SONAR_TOKEN" ] || echo "Warning: SONAR_TOKEN is empty"
# Bring the project's sonar-project.properties in from the sonar-settings workspace
cp /workspace/sonar-settings/sonar-project.properties .
ls -al
cat sonar-project.properties
sonar-scanner
# curl and jq are needed by the coverage check below (the scanner image is Alpine-based)
apk update && apk add curl jq

Extracting Sonar Host URL and Project Key

The script extracts the Sonar host URL and project key from sonar-project.properties:

# Extract sonar.host.url (anchored to the start of the line; keep everything
# after the first '=' because a URL may itself contain '=')
export line=$(grep "^sonar.host.url" "sonar-project.properties")
export SONAR_HOST=$(echo "$line" | cut -d'=' -f2-)
export SONAR_HOST=$(echo "$SONAR_HOST" | tr -d ' ')
echo "Sonar Host URL: $SONAR_HOST"

# Extract sonar.projectKey
export line=$(grep "^sonar.projectKey" "sonar-project.properties")
export SONAR_PROJ=$(echo "$line" | cut -d'=' -f2-)
export SONAR_PROJ=$(echo "$SONAR_PROJ" | tr -d ' ')
echo "Sonar Project Key: $SONAR_PROJ"

This code segment retrieves the Sonar host URL and project key, crucial for the subsequent steps in the SonarQube scanning process.

Retrieving Code Coverage

The following code retrieves the code coverage percentage from the SonarQube server:

# Retrieve SONAR_COVERAGE using curl and jq
export SONAR_COVERAGE=$(curl -s "$SONAR_HOST/api/measures/component?metricKeys=coverage&componentKey=$SONAR_PROJ" | jq -r ".component.measures[] | .value")
if [ -n "$SONAR_COVERAGE" ]; then
    echo "Threshold code coverage is $(params.SONAR_COVERAGE_TRH)"
    echo "Actual code coverage is $SONAR_COVERAGE"
    # bc handles the decimal comparison; 1 means the actual coverage is below the threshold
    comparison_result=$(echo "$(params.SONAR_COVERAGE_TRH) > $SONAR_COVERAGE" | bc)
    if [ "$comparison_result" -eq 1 ]; then
        echo "Failing sonar scan due to lack of code coverage"
        exit $(params.SONAR-EXIT-CODE)
    fi
else
  # No coverage measure came back: keep the raw response for diagnosis
  curl -s "$SONAR_HOST/api/measures/component?metricKeys=coverage&componentKey=$SONAR_PROJ" > sonar_scan_details
  cat sonar_scan_details
  echo "There is no code coverage value; the scan may have found issues or critical vulnerabilities"
  echo "Please check the sonar dashboard for more information"
  exit $(params.SONAR-EXIT-CODE)
fi

This code segment fetches the code coverage data from the SonarQube server and compares it against the specified threshold. If the code coverage falls below the threshold, or if no coverage value is returned at all, the step exits with the specified exit code. Note that with the default SONAR-EXIT-CODE of 0 the step still exits successfully on both of those paths, so set a non-zero value if the coverage gate is meant to actually block the pipeline.
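The three stages of the step (reading sonar-project.properties, parsing the measures response, applying the coverage gate) as shell functions that can be exercised offline. This is an added example, not the ClusterTask's own step script: the properties file, the token file and the two API responses are constructed sample data, and the SonarQube call itself is represented by a URL-building function rather than an actual curl. The gate distinguishes "below threshold" from "no coverage reported", and the token is loaded without being echoed.

```bash
#!/usr/bin/env bash
# Added example, not the ClusterTask's own step script. Sample data below is constructed.
set -eu

# Escape the dots in a property key so sed treats them literally.
prop_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Read one key from a properties file: whole-line match only, value is everything
# after the first '=' (URLs may contain '='), blanks and carriage returns stripped.
sonar_prop() {
  key=$(prop_regex "$2")
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Build the measures API URL the step calls (the step passes this to curl).
measures_url() {
  printf '%s/api/measures/component?metricKeys=coverage&componentKey=%s' "$1" "$2"
}

# Extract the coverage value from the JSON response without jq.
# Prints nothing when the coverage measure is absent.
coverage_from_response() {
  printf '%s' "$1" | sed -n 's/.*"metric":"coverage","value":"\([0-9.]*\)".*/\1/p'
}

# Gate: 0 when coverage is present and not below the threshold, 1 when it is
# below, 2 when no coverage was reported (the else branch of the step, which a
# pipeline should treat as a failure rather than exit 0).
coverage_gate() {
  [ -n "$1" ] || return 2
  awk -v actual="$1" -v min="$2" 'BEGIN { if (actual + 0 < min + 0) exit 1; exit 0 }'
}

# Load the token from the workspace file without echoing it into the log.
load_token() {
  [ -s "$1" ] || return 1
  SONAR_TOKEN=$(tr -d '[:space:]' < "$1")
  export SONAR_TOKEN
}

# --- constructed sample data (not from a real project) ---------------------
WORK=$(mktemp -d)
PROPS="$WORK/sonar-project.properties"
cat > "$PROPS" <<'EOF'
# constructed sample properties
sonar.projectKey = demo-service
sonar.host.url=https://sonar.example.invalid
sonar.sources=src
EOF
printf 'constructed-token-value\n' > "$WORK/SONAR_TOKEN"

RESP_WITH_COVERAGE='{"component":{"key":"demo-service","measures":[{"metric":"coverage","value":"78.5"}]}}'
RESP_NO_COVERAGE='{"component":{"key":"demo-service","measures":[]}}'

# Driver mirroring the step: returns the gate status for one response body.
run_gate() {
  # $1 = properties file, $2 = API response body, $3 = threshold
  host=$(sonar_prop "$1" sonar.host.url)
  proj=$(sonar_prop "$1" sonar.projectKey)
  echo "Querying $(measures_url "$host" "$proj")"
  cov=$(coverage_from_response "$2")
  rc=0
  coverage_gate "$cov" "$3" || rc=$?
  case $rc in
    0) echo "coverage ${cov}% meets threshold $3%" ;;
    1) echo "coverage ${cov}% is below threshold $3%" ;;
    2) echo "no coverage value reported; check the Sonar dashboard" ;;
  esac
  return $rc
}

load_token "$WORK/SONAR_TOKEN"
run_gate "$PROPS" "$RESP_WITH_COVERAGE" 80.00 || true
run_gate "$PROPS" "$RESP_NO_COVERAGE" 80.00 || true
```

In the real step, `run_gate` would receive the body of `curl -sf "$(measures_url "$host" "$proj")"` and its return code would be mapped to SONAR-EXIT-CODE; keeping the comparison in `awk` rather than `bc` avoids an extra package on the Alpine image, and returning a distinct code for the missing-measure case lets the pipeline fail that path explicitly.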
