How to analyze Shell

Hi,

In SonarQube 9.9, we use the sbaudoin/sonar-shellcheck plugin (GitHub: "SonarQube plugin to analyze Shell scripts with ShellCheck") to analyze Shell.
We want to use the latest version of the SonarScanner Docker image, but the shellcheck tool is no longer available in the image.
You can see that it has been removed here: SCANDOCKER-35 Change Base Image (SonarSource/sonar-scanner-cli-docker@ad6abe2 on GitHub).

The shellcheck plugin cannot rely on an input shellcheck report. It requires both tools (shellcheck and SonarScanner) to be present in the same image. Is it possible to add shellcheck to the SonarScanner image?

If not, how can shell be analyzed through a Docker image?

What’s more, the shellcheck plugin has not been maintained for 4 years. Is SonarQube planning to take shell analysis into account?

Kind regards,
Didier

Hey there.

This is something we’re considering, you can vote on this roadmap item here.

I’m not 100% sure why we removed shellcheck from the Sonar Scanner CLI Docker Image; however, I believe that our goal is to have the image contain only the minimum required packages.

In the short term, you can continue to use an older version of the SonarScanner Docker Image with shellcheck installed. Alternatively, you could build a custom image inheriting from the SonarSource/sonar-scanner-cli image that installs shellcheck.

Long-term, I think it’s not a great plugin architecture to rely on whether or not a static analysis tool is available in the build environment rather than including it with the plugin (or allowing the import of a report produced earlier in the build, as you suggested here).
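One way to build the custom image the reply suggests, added here as an example and not a Dockerfile from SonarSource or from the sonar-shellcheck project: it layers a pinned ShellCheck release from the upstream koalaman/shellcheck GitHub releases on top of the sonarsource/sonar-scanner-cli image, verifies the tarball's checksum before installing it, and fails the build if the binary does not run. The base image tag, the ShellCheck version, the presence of curl, tar and xz in the base image, and the non-root scanner-cli user name are assumptions; check them against the base image you actually pull.

```dockerfile
# Added example: custom SonarScanner CLI image with ShellCheck on PATH.
# Assumptions (verify against your base image): the tag below exists, the
# base provides curl, tar and xz, and it runs as a non-root "scanner-cli" user.
ARG SCANNER_IMAGE=sonarsource/sonar-scanner-cli:5.0
FROM ${SCANNER_IMAGE}

# Pin the ShellCheck release instead of tracking "latest" (assumed version).
ARG SHELLCHECK_VERSION=0.9.0
# SHA-256 of the release tarball. Take it from the upstream release page and
# pass it with --build-arg so a modified download fails the build instead of
# being silently installed into the scanner image.
ARG SHELLCHECK_SHA256

USER root
RUN set -eu; \
    [ -n "${SHELLCHECK_SHA256}" ] || { echo "SHELLCHECK_SHA256 build-arg is required" >&2; exit 1; }; \
    cd /tmp; \
    curl -fsSL -o shellcheck.tar.xz \
      "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"; \
    echo "${SHELLCHECK_SHA256}  shellcheck.tar.xz" | sha256sum -c -; \
    tar -xJf shellcheck.tar.xz; \
    install -m 0755 "shellcheck-v${SHELLCHECK_VERSION}/shellcheck" /usr/local/bin/shellcheck; \
    rm -rf /tmp/shellcheck*; \
    # Smoke test: the build fails here if the static binary cannot run on this base.
    shellcheck --version
# Drop back to the unprivileged user the base image runs as.
USER scanner-cli
```

Build it with `docker build --build-arg SHELLCHECK_SHA256=<checksum from the release page> -t my-sonar-scanner .` and then run it the same way as the stock image (the image's documented convention is to mount the project at /usr/src, e.g. `docker run --rm -v "$PWD:/usr/src" my-sonar-scanner`). The ShellCheck release tarball ships a statically linked binary, which is why the example copies it into /usr/local/bin rather than depending on whichever package manager the current base image uses; if the base image later changes again, only the assumptions listed in the comments need re-checking.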