Analyzing all the code in a monorepo together

  • ALM used: GitHub
  • CI system used: GitHub
  • Languages of the repository: Java and Python

We’re trying to set up CI-analysis instead of automatic analysis because our project contains multiple repositories. There is also a build system using Maven but I think a monorepo set up like this one might also work. GitHub Actions | SonarCloud Docs Would this be something that would work?

Here is the build.yml

name: Code analysis
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloudScan1:
    name: SonarCloudScan - Java
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - run: git checkout HEAD^
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: https://sonarcloud.io
        # "with" is an input of this step, so it must sit at the same level as "uses" and "env"
        with:
          projectBaseDir: java-src-folder   # placeholder: the Java module's directory (the original repeated the Python folder here)
  sonarcloudScan2:
    name: SonarCloudScan - Python
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - run: git checkout HEAD^
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: https://sonarcloud.io
        with:
          projectBaseDir: python-src-folder

Thank you in advance

Hi,

I’m confused by your thread title. What is the intent?

As for your question, have you tried it?

Ann

Thank you for responding. For the example pipeline above I tried it with minor adjustments, but was getting an error about an invalid projectKey/missing token. I had been unable to follow the documentation provided to get SonarCloud working. So far I have looked at other posts and am unable to find a similar scenario to what I am trying to implement.

  1. Intent and Background
    1.1 We use one Git repository for controlling the source code of a piece of software. This software consists of many sub-modules, and the repository is broken down into several sub-directories, one for each of the modules. The repository in question originally uses the Maven build tool, but it also contains a sub-project which does not use or need Maven to build. We would like to use the SonarCloud solution to provide a code analysis report, particularly for one module which uses a different implementation language than the rest of the project.
    1.2 The artifact should be compiled and built/tested in a controlled environment. Code analysis is currently not part of the build process that creates the artifact. My goal is to apply SonarScanner to enable a code analysis report for this artifact.
    1.3 A previous suggestion recommended that this repository use CI-Analysis since Automatic Analysis does not work in this scenario. I’ve tried following the instructions in the documentation but was hitting errors. I have tried running the scanner locally and using GitHub Actions, but have not set up the Azure DevOps service to integrate Sonar with the build pipeline.
    1.4 The objective of using SonarCloud is to obtain an independent analysis of code quality and to expose security issues in the code base. Currently the deployment process is not on the same path as code analysis, but the build artifacts are created from the same source code.

  2. Question
    a. Is the monorepo strategy still the right approach given this requirement and situation? By “monorepo” strategy I mean implementing the CI-Analysis using one single GitHub Actions workflow that scans the repository on source code changes, getting a code analysis report for all source code, excluding test code, in one action. Previously, using Automatic Analysis, the issue was out-of-memory from using the standard Maven project definition, while when I was running the scanner locally it was able to perform the scan and prepare the output report but ended up with a conflicting project/component/token and was unable to put the report on SonarCloud.
    b. If the ‘monorepo’ strategy above will not work, should this repository be set up in SonarCloud as two separate projects, and then two different scan jobs be set up with two different projectKeys for the new scan work? By this I mean having two SonarCloud projects pointing to the same GitHub repository and, in the GitHub workflow, using two different projectKeys to get two different code analysis reports covering different parts of the repository.

  3. Remark
    a. I investigated the Azure DevOps service but didn’t set up a new organization to create a code analysis report for this repository, as doing so requires getting the source code from GitHub to Azure and setting up the whole build process, which seems like adding an extra hop to the process without any additional benefit. However, I might be wrong in this decision, so I asked for a comparison between GitHub and Azure DevOps.
    b. I’m not an administrator of the organization, so recommendations will be forwarded and shared with the decision maker.

Hi,

For a monorepo essentially what you’re doing is setting up multiple SonarCloud projects that point to the same repo.

That said, the real question here is how your projects build and deploy.

Since everything in the repo apparently deploys together(?) then it seems like it would be ideal for everything to be analyzed together? In that case, just alter your analysis command line to pass a definition of sonar.sources that includes the non-Maven files. e.g.

mvn sonar:sonar -Dsonar.sources=path/to/non-maven,path/to/module1/src/main/java,path/to/module2/source/main/java

Also, please edit this thread to provide a better title.

Ann
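For the two-project variant discussed in this thread (two SonarCloud projects pointing at one repository, each with its own projectKey, with test code excluded from the Python module), here is an added example workflow; it is not from the original posts or from SonarSource's documentation. ORG_KEY, JAVA_PROJECT_KEY and PYTHON_PROJECT_KEY are placeholders for your SonarCloud organization and project keys, the Maven build is assumed to live at the repository root and need a Temurin JDK 17, and the Python module is assumed to keep its tests under a tests/ directory.

```yaml
name: Code analysis (two SonarCloud projects, one repository)
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonar-java:
    name: SonarCloud - Java (Maven) module
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history, so SonarCloud can compute new code and blame
      - uses: actions/setup-java@v3
        with:
          distribution: temurin   # assumption: Temurin JDK 17 builds the Maven modules
          java-version: '17'
      - name: Build and analyze with the Maven scanner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        # ORG_KEY / JAVA_PROJECT_KEY are placeholders for the SonarCloud organization and project keys
        run: >
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=ORG_KEY
          -Dsonar.projectKey=JAVA_PROJECT_KEY
  sonar-python:
    name: SonarCloud - Python module (no Maven)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Analyze python-src-folder with the CLI scanner
        uses: sonarsource/sonarqube-scan-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: https://sonarcloud.io
        with:
          projectBaseDir: python-src-folder
          # PYTHON_PROJECT_KEY is a placeholder; test code is excluded as the thread asks for
          args: >
            -Dsonar.organization=ORG_KEY
            -Dsonar.projectKey=PYTHON_PROJECT_KEY
            -Dsonar.sources=.
            -Dsonar.exclusions=**/tests/**,**/test_*.py
```

Each job reports to a different SonarCloud project, so the two reports never collide on project or component keys, which is the conflict described earlier in the thread.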
