GitHub scan, result export and configuring rules

Hello everyone,

For now, since we are still in the testing phase, I have installed the free Community Edition.

I would like to ask you the following three questions:

  1. How can we scan a project hosted on GitHub?
    For your information, I was able to scan a project locally on my machine.

  2. How can we export the scan results?
    The export format does not matter, but we need to be able to export the results in order to share them with the developers.

  3. Most importantly, how can we configure the scanning rules?
    By default, SonarQube reports far too many issues, including comments in the code. We would like to know how to configure the rules to match what we consider our own “standards.”

Best regards,

Fano Avotiana

Hi Fano,

Welcome to the community!

We try to keep it to one topic per thread. Otherwise it can get messy, fast. I’ll make a pass at your 3 questions, but if you have follow-ups, I reserve the right to ask you to create new threads. :slight_smile:

  1. Add analysis to your CI. You can use the same commands you used locally, just put them in your pipeline. The docs will get you started.

  2. There’s reporting in Enterprise Edition ($$) but for sharing the results with developers… you shouldn’t need that. The idea (and this is why we don’t charge by seats) is that everyone should have access to the project data in the SonarQube interface. More, if you’re going for SonarQube Server, that means you’ll have access to PR analysis, which will put the results of your PR analyses right into your DevOps platform.

  3. You’re looking for a custom Quality Profile.

This is why we urge a focus on new code. Yes, any legacy code base (and by legacy, I mean more than about 3 months old :sweat_smile:) is going to have a lot of issues. It’s overwhelming. Instead, just focus on keeping your PRs and your new code clean, and it suddenly all becomes manageable.

HTH,
Ann

Hello Ann,

Thank you for your reply, it will help me a lot. :folded_hands:

Best regards,

Fano
