How to integrate sonarscanner in CI pipeline

I have a dockerized dotnet core application.
And I want code quality checks to be done only in the CI pipeline, not in the dev environment.
CI is AWS CodeBuild.

I found two bad options to integrate a dockerized build pipeline with sonarscanner:

Double-build solution

  1. build step that begins scanning, builds app, ends scanning (will have to set up a dotnet sdk environment which I don’t need for dockerized apps)
  2. build step that builds application again, this time while creating Docker image

Conditional (using docker build args) sonarscanner in Dockerfile

  1. Conditionally install sonarscanner
  2. Conditionally begin scanning
  3. build app
  4. Conditionally end scanning
  This overcomplicates the Docker image build, and scanning is still not part of CI. It’s just an option to turn it off locally.

Is there some nice way to use sonarscanner as part of CI for dockerized applications?

Hi,

I don’t understand why this has to be split. Why not

build step that begins scanning, builds app
while creating Docker image
end scanning

Ann

Because

I want code quality checks to be done only in CI pipeline, not in dev environment

We are using Container (Docker) projects in Visual Studio to have a consistent environment in dev and prod. So we are not interested in code quality checks until the PR is ready.

Seems like you are suggesting conditional sonarscanner in the Dockerfile (option 2).
Is there some default env variable to turn off sonarscanner? To avoid wrapping it everywhere in the Dockerfile like this:

# SONAR_ENABLED and SONAR_TOKEN are passed in as build args (scanning is off by default)
ARG SONAR_ENABLED=false
ARG SONAR_TOKEN
RUN if [ "$SONAR_ENABLED" = "true" ]; then \
        dotnet sonarscanner end /d:sonar.token="$SONAR_TOKEN"; \
    fi

There is also a third option: having two different Dockerfiles (one for CI and one for local runs), but it introduces maintenance and sync issues.

Hi,

It looks like you’ll either need two Docker files or a flag to toggle analysis, as you suggested.

HTH,
Ann
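The build-arg toggle discussed above, written out as a complete multi-stage Dockerfile. This is an added example, not code from the thread or from SonarSource; it assumes a .NET 8 SDK base image, a Debian-based package manager for the Java runtime the scanner's end step needs, and placeholder values for the project key, host URL and assembly name. It also passes the token as a BuildKit secret mount rather than a build arg, since build args are recorded in the image history.

```dockerfile
# syntax=docker/dockerfile:1
# Gate SonarScanner on a build arg; pass the token as a BuildKit secret mount
# (visible only during that RUN, never stored in a layer or in `docker history`).
# Project key, host URL, base images and MyApp.dll are assumed placeholders.

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG SONAR_ENABLED=false
ARG SONAR_HOST_URL=https://sonarcloud.io
ARG SONAR_PROJECT_KEY=replace-with-your-project-key
ENV PATH="${PATH}:/root/.dotnet/tools"
WORKDIR /src

# Installed only when CI sets SONAR_ENABLED=true; a plain local `docker build`
# skips the scanner and the Java runtime its end step requires (assumed apt-based image).
RUN if [ "$SONAR_ENABLED" = "true" ]; then \
        apt-get update \
        && apt-get install -y --no-install-recommends openjdk-17-jre-headless \
        && rm -rf /var/lib/apt/lists/* \
        && dotnet tool install --global dotnet-sonarscanner; \
    fi

COPY . .

# begin, build and end in one RUN: the secret mount only exists for this step,
# and `end` must see the analysis state written by `begin`.
RUN --mount=type=secret,id=sonar_token \
    if [ "$SONAR_ENABLED" = "true" ]; then \
        dotnet sonarscanner begin /k:"$SONAR_PROJECT_KEY" \
            /d:sonar.host.url="$SONAR_HOST_URL" \
            /d:sonar.token="$(cat /run/secrets/sonar_token)"; \
    fi \
    && dotnet publish -c Release -o /app \
    && if [ "$SONAR_ENABLED" = "true" ]; then \
        dotnet sonarscanner end /d:sonar.token="$(cat /run/secrets/sonar_token)"; \
    fi

# Runtime stage carries no scanner, no Java and no token.
FROM mcr.microsoft.com/dotnet/aspnet:8.0
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

In CI the build is invoked with `DOCKER_BUILDKIT=1 docker build --build-arg SONAR_ENABLED=true --secret id=sonar_token,src=/path/to/token-file .`, where the token file is written from a CodeBuild secret just before the build; developers run `docker build .` unchanged and get no analysis.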