From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 14:58:57 +0100
Subject: [PATCH 01/20] Create sonarcloud.yml
---
code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 code-scanning/sonarcloud.yml
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
new file mode 100644
index 0000000..d15db93
--- /dev/null
+++ b/code-scanning/sonarcloud.yml
@@ -0,0 +1,51 @@
+This workflow helps you trigger a SonarCloud analysis of your code.
+name: SonarCloud analysis
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+ workflow_dispatch:
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Analyze with SonarCloud
+
+ # 1. Import your project to SonarCloud.
+ # 2. Import it on SonarCloud
+ # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project.
+ # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically).
+ # * This behavior can be changed in Administration > Analysis Method.
+ #
+ # 3. Copy/paste the Projet Key and the Organization Key in the args below
+ # * On SonarCloud, click on Information at the bottom left
+ # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN
+ # * On SonarCloud, click on your avatar on top-right > My account > Security
+
+ # You may pin to the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@v1.6
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments to the sonarcloud scanner
+ args: >
+ # Set the sonar.projectBaseDir analysis property
+ projectBaseDir: . # optional, default is .
+ # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ -Dsonar.projectKey= # mandatory
+ # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ -Dsonar.organization= # mandatory
+ # Comma-separated paths to directories containing main source files.
+ -Dsonar.sources= # optional, default is project base directory
+ # Comma-separated paths to directories containing test source files.
+ -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ -Dsonar.verbose= # optional, default is false
From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:29:12 +0100
Subject: [PATCH 02/20] Added documentation links
---
code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d15db93..387f34c 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,4 +1,19 @@
-This workflow helps you trigger a SonarCloud analysis of your code.
+# This workflow helps you trigger a SonarCloud analysis of your code.
+
+# 1. Login to SonarCloud.io using your GitHub account
+# 2. Import your project on SonarCloud
+# * Add your GitHub organization first, then add your repository as a new project.
+# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
+# * This behavior can be changed in Administration > Analysis Method.
+#
+# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
+# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
+# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
+# * On SonarCloud, click on your avatar on top-right > My account > Security
+
+# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
+# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
+
name: SonarCloud analysis
on:
@@ -15,18 +30,7 @@ jobs:
steps:
- - name: Analyze with SonarCloud
-
- # 1. Import your project to SonarCloud.
- # 2. Import it on SonarCloud
- # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project.
- # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically).
- # * This behavior can be changed in Administration > Analysis Method.
- #
- # 3. Copy/paste the Projet Key and the Organization Key in the args below
- # * On SonarCloud, click on Information at the bottom left
- # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN
- # * On SonarCloud, click on your avatar on top-right > My account > Security
+ - name: Analyze with SonarCloud
# You may pin to the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
@@ -36,15 +40,15 @@ jobs:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments to the sonarcloud scanner
- args: >
- # Set the sonar.projectBaseDir analysis property
- projectBaseDir: . # optional, default is .
+ args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
# Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.organization= # mandatory
# Comma-separated paths to directories containing main source files.
-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ -Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
# Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:29:42 +0100
Subject: [PATCH 03/20] Removed extra spaces
---
code-scanning/sonarcloud.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 387f34c..3441617 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -21,15 +21,13 @@ on:
branches: [ master ]
pull_request:
branches: [ master ]
-
workflow_dispatch:
jobs:
Analysis:
runs-on: ubuntu-latest
-
+
steps:
-
- name: Analyze with SonarCloud
# You may pin to the exact commit or the version.
From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:36:07 +0100
Subject: [PATCH 04/20] Added workflow variables for branches
---
code-scanning/sonarcloud.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 3441617..97f364d 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -18,9 +18,9 @@ name: SonarCloud analysis
on:
push:
- branches: [ master ]
+ branches: [ $default-branch, $protected-branches ]
pull_request:
- branches: [ master ]
+ branches: [ $default-branch ]
workflow_dispatch:
jobs:
From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:36:37 +0100
Subject: [PATCH 05/20] Added space between paragraph
---
code-scanning/sonarcloud.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 97f364d..0b58f05 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,6 +1,7 @@
# This workflow helps you trigger a SonarCloud analysis of your code.
# 1. Login to SonarCloud.io using your GitHub account
+
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
@@ -8,6 +9,7 @@
#
# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
+
# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
# * On SonarCloud, click on your avatar on top-right > My account > Security
From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Tue, 1 Mar 2022 16:39:07 +0100
Subject: [PATCH 06/20] Fixed intro text
---
code-scanning/sonarcloud.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 0b58f05..c4ab0e4 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,4 +1,4 @@
-# This workflow helps you trigger a SonarCloud analysis of your code.
+# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found.
# 1. Login to SonarCloud.io using your GitHub account
From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:41:26 +0100
Subject: [PATCH 07/20] Update sonarcloud.yml
---
code-scanning/sonarcloud.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index c4ab0e4..084feca 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -4,14 +4,15 @@
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically).
+# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions.
# * This behavior can be changed in Administration > Analysis Method.
#
-# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below
-# * You'll find those info on SonarCloud. Click on "Information" at the bottom left
-
-# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
-# * On SonarCloud, click on your avatar on top-right > My account > Security
+# 3. Follow the SonarCloud's online tutorial
+# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below
+# (You'll find those info on SonarCloud. Click on "Information" at the bottom left)
+#
+# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:42:52 +0100
Subject: [PATCH 08/20] Create sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 1 +
1 file changed, 1 insertion(+)
create mode 100644 code-scanning/properties/sonarcloud.properties.json
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -0,0 +1 @@
+
From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:45:15 +0100
Subject: [PATCH 09/20] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 8b13789..88e2dbf 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1 +1,7 @@
-
+{
+ "name": "SonarCloud Security Scan",
+ "creator": "SonarSource",
+ "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
+ "iconName": "sonarcloud",
+ "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
+}
From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 17:15:34 +0100
Subject: [PATCH 10/20] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 88e2dbf..428d899 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
- "name": "SonarCloud Security Scan",
- "creator": "SonarSource",
- "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.",
+ "name": "SonarCloud",
+ "creator": "Sonar",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects",
"iconName": "sonarcloud",
- "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"]
+ "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 10 Mar 2022 17:17:43 +0100
Subject: [PATCH 11/20] Add files via upload
---
icons/sonarcloud.svg | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 icons/sonarcloud.svg
diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg
new file mode 100644
index 0000000..5f946d2
--- /dev/null
+++ b/icons/sonarcloud.svg
@@ -0,0 +1,20 @@
+
+
+
From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 17 Mar 2022 18:07:03 +0100
Subject: [PATCH 12/20] Added small fixes
---
code-scanning/sonarcloud.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 084feca..d627b96 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -13,6 +13,7 @@
#
# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
# (On SonarCloud, click on your avatar on top-right > My account > Security)
+# (or go directly to https://sonarcloud.io/account/security/)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
@@ -44,13 +45,13 @@ jobs:
args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
- # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu)
+ # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.organization= # mandatory
# Comma-separated paths to directories containing main source files.
- -Dsonar.sources= # optional, default is project base directory
+ #-Dsonar.sources= # optional, default is project base directory
# When you need the analysis to take place in a directory other than the one from which it was launched
- -Dsonar.projectBaseDir= # optional, default is .
+ #-Dsonar.projectBaseDir= # optional, default is .
# Comma-separated paths to directories containing test source files.
- -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
- # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- -Dsonar.verbose= # optional, default is false
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false
From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001
From: Peeter Piegaze
<61758048+peeter-piegaze-sonarsource@users.noreply.github.com>
Date: Fri, 18 Mar 2022 11:13:00 +0100
Subject: [PATCH 13/20] Update sonarcloud.yml
Fix phrasing/word-choice
---
code-scanning/sonarcloud.yml | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d627b96..69eac6a 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,19 +1,21 @@
-# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found.
+# This workflow helps you trigger a SonarCloud analysis of your code and populates
+# GitHub Code Scanning alerts with the vulnerabilities found.
# 1. Login to SonarCloud.io using your GitHub account
# 2. Import your project on SonarCloud
# * Add your GitHub organization first, then add your repository as a new project.
-# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions.
+# * Please note that many languages are eligible for automatic analysis,
+# which means that the analysis will start automatically without the need to set up GitHub Actions.
# * This behavior can be changed in Administration > Analysis Method.
#
-# 3. Follow the SonarCloud's online tutorial
-# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below
-# (You'll find those info on SonarCloud. Click on "Information" at the bottom left)
+# 3. Follow the SonarCloud in-product tutorial
+# * a. Copy/paste the Project Key and the Organization Key into the args parameter below
+# (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
#
-# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN
-# (On SonarCloud, click on your avatar on top-right > My account > Security)
-# (or go directly to https://sonarcloud.io/account/security/)
+# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
+# (On SonarCloud, click on your avatar on top-right > My account > Security
+# or go directly to https://sonarcloud.io/account/security/)
# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
@@ -34,14 +36,14 @@ jobs:
steps:
- name: Analyze with SonarCloud
- # You may pin to the exact commit or the version.
+ # You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
uses: SonarSource/sonarcloud-github-action@v1.6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
- # Additional arguments to the sonarcloud scanner
+ # Additional arguments for the sonarcloud scanner
args:
# Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
-Dsonar.projectKey= # mandatory
From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Mon, 21 Mar 2022 10:08:04 +0100
Subject: [PATCH 14/20] Added Github disclaimer
---
code-scanning/sonarcloud.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index 69eac6a..d0cc73b 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -1,3 +1,8 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
# This workflow helps you trigger a SonarCloud analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 30 Mar 2022 10:27:25 +0200
Subject: [PATCH 15/20] Added mention to free plan
---
code-scanning/sonarcloud.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index d0cc73b..bd6a3e1 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -5,6 +5,7 @@
# This workflow helps you trigger a SonarCloud analysis of your code and populates
# GitHub Code Scanning alerts with the vulnerabilities found.
+# Free for open source project.
# 1. Login to SonarCloud.io using your GitHub account
From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Thu, 31 Mar 2022 10:34:04 +0200
Subject: [PATCH 16/20] Added restrictive permissions for GITHUB_TOKEN
---
code-scanning/sonarcloud.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index bd6a3e1..dade659 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -35,6 +35,9 @@ on:
branches: [ $default-branch ]
workflow_dispatch:
+permissions:
+ pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
jobs:
Analysis:
runs-on: ubuntu-latest
@@ -46,7 +49,7 @@ jobs:
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
uses: SonarSource/sonarcloud-github-action@v1.6
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
with:
# Additional arguments for the sonarcloud scanner
From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:26:21 +0200
Subject: [PATCH 17/20] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 428d899..8835ff8 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
"name": "SonarCloud",
"creator": "Sonar",
- "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!",
"iconName": "sonarcloud",
"categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:43:06 +0200
Subject: [PATCH 18/20] Update sonarcloud.properties.json
---
code-scanning/properties/sonarcloud.properties.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json
index 8835ff8..9b88a78 100644
--- a/code-scanning/properties/sonarcloud.properties.json
+++ b/code-scanning/properties/sonarcloud.properties.json
@@ -1,7 +1,7 @@
{
"name": "SonarCloud",
"creator": "Sonar",
- "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!",
+ "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!",
"iconName": "sonarcloud",
"categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"]
}
From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 10:59:27 +0200
Subject: [PATCH 19/20] changed version to exact SHA
Co-authored-by: Sampark Sharma
---
code-scanning/sonarcloud.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index dade659..fe9afb4 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -47,7 +47,7 @@ jobs:
# You can pin the exact commit or the version.
# uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@v1.6
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001
From: Christophe H
<65390576+christophe-havard-sonarsource@users.noreply.github.com>
Date: Wed, 6 Apr 2022 14:51:15 +0200
Subject: [PATCH 20/20] Update syntax for validation
---
code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml
index fe9afb4..ff388c8 100644
--- a/code-scanning/sonarcloud.yml
+++ b/code-scanning/sonarcloud.yml
@@ -45,24 +45,24 @@ jobs:
steps:
- name: Analyze with SonarCloud
- # You can pin the exact commit or the version.
- # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
- with:
- # Additional arguments for the sonarcloud scanner
- args:
- # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu)
- -Dsonar.projectKey= # mandatory
- # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu)
- -Dsonar.organization= # mandatory
- # Comma-separated paths to directories containing main source files.
- #-Dsonar.sources= # optional, default is project base directory
- # When you need the analysis to take place in a directory other than the one from which it was launched
- #-Dsonar.projectBaseDir= # optional, default is .
- # Comma-separated paths to directories containing test source files.
- #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
- # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
- #-Dsonar.verbose= # optional, default is false
+ # You can pin the exact commit or the version.
+ # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+ with:
+ # Additional arguments for the sonarcloud scanner
+ args:
+ # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+ # mandatory
+ -Dsonar.projectKey=
+ -Dsonar.organization=
+ # Comma-separated paths to directories containing main source files.
+ #-Dsonar.sources= # optional, default is project base directory
+ # When you need the analysis to take place in a directory other than the one from which it was launched
+ #-Dsonar.projectBaseDir= # optional, default is .
+ # Comma-separated paths to directories containing test source files.
+ #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+ #-Dsonar.verbose= # optional, default is false