[Beta] Automatic Analysis of your repositories with SonarCloud

sonarcloud
autoscan
(Fabrice Bellingard) #1

Hi SonarCloud users!

Today, we are thrilled to announce that we deployed a Beta feature which many of you have been waiting for: SonarCloud can autonomously scan your code, simply by reading it from your repository! We call that AutoScan, and we think you’ll love it! :tada:

As you will see, activating this Beta feature is very simple. Note that it comes with a limited scope and some caveats for now. We will be removing those limitations along the way - but we did not want to wait any longer to let you benefit from it. :slight_smile:

Prerequisites

The first version of this Beta feature works only for GitHub repositories.
The automatic analysis can be activated only on projects which were set up through the SonarCloud web interface (when you select repositories to analyze).

What to expect

Once activated, SonarCloud will automatically analyze:

  • the default branch of the repository
  • the pull requests (PR) on that default branch

And it will do so automatically whenever you push to your repository.

The following languages are currently supported:

  • ABAP
  • Apex
  • CSS
  • Flex
  • Go
  • HTML
  • JS
  • Kotlin
  • PHP
  • PL/SQL
  • Python
  • Ruby
  • Scala
  • Swift
  • TypeScript
  • TSQL
  • XML

How to activate the feature?

To enable the automatic analysis, you simply need to add a .sonarcloud.properties file in your repository.

If you’re starting from scratch:

  1. Do the setup for your project (from the + > Analyze new project top right menu)
    • Remember that your project must absolutely be created by selecting a GitHub repository - otherwise it won’t work.
  2. Once the setup is done on SonarCloud, you end up on the project home page which shows a tutorial. Ignore it and simply add a .sonarcloud.properties file in the base directory of your default branch (or on a PR which targets this default branch).
  3. After a while, the analysis results will be visible in SonarCloud (and your PR will be annotated with comments if you pushed the file on a PR).

Here are the supported optional settings for the .sonarcloud.properties file:

# Path to sources
#sonar.sources=.
#sonar.exclusions=
#sonar.inclusions=

# Path to tests
#sonar.tests=
#sonar.test.exclusions=
#sonar.test.inclusions=

# Source encoding
#sonar.sourceEncoding=UTF-8

# Exclusions for copy-paste detection
#sonar.cpd.exclusions=

Note that you can just push an empty .sonarcloud.properties file; this will work fine. In this case, every file in the repository will be considered as a source file.
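As an added example (not part of the original announcement), here is a populated .sonarcloud.properties for an assumed repository layout: application code under src/, tests under test/, vendored third-party code under src/vendor/ and generated files under generated/ directories. The keys are the ones listed above; the paths and globs are illustrative.

```properties
# Added example for an assumed layout (src/ for application code, test/ for tests).
# Keys are the supported settings listed in the announcement; paths are illustrative.

# Analyze only the application sources. Without sonar.sources, every file in the
# repository (including vendored and generated code) counts as a source file.
sonar.sources=src

# Keep third-party and generated code out of the results, so that reported
# bugs and vulnerabilities reflect code you actually maintain.
sonar.exclusions=src/vendor/**,src/**/generated/**,**/*.min.js

# Files under sonar.tests are treated as test code rather than production code.
sonar.tests=test
sonar.test.inclusions=test/**/*_test.py,test/**/*.spec.ts

# Declare the encoding explicitly so files are not misdecoded during analysis.
sonar.sourceEncoding=UTF-8

# Fixtures are often intentionally repetitive; do not report them as duplications.
sonar.cpd.exclusions=test/fixtures/**
```

Pushing this file on a PR that targets the default branch triggers an analysis of that PR, which is a convenient way to check that the inclusions and exclusions do what you expect before the file lands on the default branch.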

Current limitations/caveats

Yes, this is a Beta feature, developed in an iterative approach :slight_smile: So for now:

  • There is no visual feedback (yet) in the UI when SonarCloud runs an analysis.
  • A consequence of the previous point is that if, for any reason, SonarCloud fails to successfully run the analysis, nothing will be displayed. In that case, just come on the forum and ask a question; we’ll monitor that closely.
  • Pull requests from forks are not analyzed (only PRs from the same repository).
  • Code coverage information is not supported.
  • Import of external rule engine reports is not supported.

Noteworthy

  • This Beta feature works for any project - public or private.
  • It can be activated with no extra cost.
  • Sources are cloned only during the analysis, and only when the .sonarcloud.properties file exists (i.e. when the feature is activated). The cloned repository is fully deleted at the end of the analysis, and SonarCloud does not keep a copy of it.
  • Unsupported languages (Java, C#, VB.NET, C/C++, Objective-C) are not analyzed at all.

How to give feedback?

Create a new thread on the forum, under “Get Help > SonarCloud”, with the “autoscan” tag.

We’d love to hear your feedback about this new upcoming feature, whether it’s about bugs, improvements, or anything else you want to share with us!

(Christophe Faucon) #3

What does the automatic analysis do? Just examine the new code (will this update coverage)? For projects that are examined as a single unit normally, but actually contain sources from another project, I guess these are ignored? If a project contains both supported and unsupported languages (e.g. Objective-C and Swift), should we expect any issues with counts/bugs/vulnerabilities, or discrepancies between autoscan and our normal scan?

(Fabrice Bellingard) #4

It will run a standard analysis (without coverage information). Obviously, new code will be detected so that you can concentrate on it.

The analysis is done at repository level. So for a given repository, every source file will be analyzed if it is supported (and if it matches the source inclusions/exclusions that you may have defined).

Simply discrepancies.

(Marcin Wachulski) #5

Great news! Longed for. I also see that other competitors (Codacy, LGTM etc.) chose this direction as their primary means of analysis (which has its pros and cons). I’m happy Sonar is going to be a balanced (cloud vs on-premises) product.

My only concern is this statement:

Non supported languages (Java, C#, VB.NET, C/C++, ObjectiveC) will not be analyzed at all.

which wasn’t placed under the Current limitations/caveats section (deliberately?).

There is a thread for this already: No Java with AutoScan! Planned? so I put it here as a reference.

(Fabrice Bellingard) #6

Indeed Marcin, this can be seen as a limitation. :slight_smile: For us, it is just out of scope for the moment. For those 3 different languages, the analyzers currently need a build to happen if we want to give you relevant and good analysis results. Hopefully in the future, we’ll be able to partially get rid of this dependency!

(Dave Stephen) #9

Sounds interesting!

Sources are cloned only during the analysis (…). The cloned repository is fully deleted at the end of the analysis.

What exactly does that mean? Will Sonar clone the repository for each new pull request?

(Fabrice Bellingard) #10

Yes Dave, this is what we’re doing.

(Chris Topinka) #11

Does cloud have the ability to detect duplications across repos/projects in an organization or any other cross-repo analysis?

(Simon Brandhof) #12

Hi Chris,
No, SonarCloud does not support detection of duplications across different projects, even in the same organization.
Regards.