Hi Ann,
I am facing a similar issue. We have created a GitHub action that triggers the Sonar scan for our orgname.sonarqube.dev instance. I made changes in the source branch - commented out 2 test case files so that coverage would drop and the quality gate must fail. That did not happen. I will try to add all the details.
Shared action to trigger the Sonar scan:

```yaml
# ---------- SonarQube Scan ----------
- name: Sonar Scan
  if: ${{ inputs.run-sonar == true }}
  uses: SonarSource/sonarqube-scan-action@v5
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
  with:
    args: >
      -Dsonar.qualitygate.wait=true
```
Caller GitHub action:

```yaml
name: CI Checks
on:
  pull_request:
    branches:
      - release/express-e2
    types: [opened, synchronize, reopened]
permissions:
  contents: read
jobs:
  call-ci-checks:
    uses: org/shared-actions/.github/workflows/ci.yml@main
    secrets:
      MVN_REPO_PRIVATE_REPO_USER: ${{ secrets.MVN_REPO_PRIVATE_REPO_USER }}
      MVN_REPO_PRIVATE_REPO_PASSWORD: ${{ secrets.MVN_REPO_PRIVATE_REPO_PASSWORD }}
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
    with:
      java-version: "21"
      run-tests: true
      run-sonar: true
      run-security-scans: false # enable later
```
The flag `run-sonar: true` triggers the Sonar scan.
My current branch, poc/sonar-scan, is raised to merge into release/express-e2. The scan triggers, but the code coverage does not get computed even after making the changes in the test cases.
We can see the coverage dropped, but the quality gate passed?
No issues:
GitHub Actions logs:
Run SonarSource/sonarqube-scan-action@v5
Run ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
Run echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
Warning: This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update
Run actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809
Cache hit for: sonar-scanner-cli-7.2.0.5079-Linux-X64
Received 0 of 52245510 (0.0%), 0.0 MBs/sec
Received 48051206 of 52245510 (92.0%), 22.9 MBs/sec
Received 48051206 of 52245510 (92.0%), 15.3 MBs/sec
Received 48051206 of 52245510 (92.0%), 11.5 MBs/sec
Received 52245510 of 52245510 (100.0%), 11.6 MBs/sec
Cache Size: ~50 MB (52245510 B)
/usr/bin/tar -xf /home/runner/work/_temp/65e99688-7b62-4d69-914a-d72dd7a5dd7a/cache.tzst -P -C /home/runner/work/stitch-scrutiny/stitch-scrutiny --use-compress-program unzstd
Cache restored successfully
Cache restored from key: sonar-scanner-cli-7.2.0.5079-Linux-X64
Run echo "${RUNNER_TEMP}/sonar-scanner-cli-7.2.0.5079-Linux-X64/bin" >> $GITHUB_PATH
Run ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
+ sonar-scanner -Dsonar.qualitygate.wait=true
06:24:14.141 INFO Scanner configuration file: /home/runner/work/_temp/sonar-scanner-cli-7.2.0.5079-Linux-X64/conf/sonar-scanner.properties
06:24:14.145 INFO Project root configuration file: /home/runner/work/stitch-scrutiny/stitch-scrutiny/sonar-project.properties
06:24:14.164 INFO SonarScanner CLI 7.2.0.5079
06:24:14.166 INFO Linux 6.17.0-1013-azure amd64
06:24:15.873 INFO Communicating with SonarQube Server 2026.1.0.119033
06:24:15.874 INFO JRE provisioning: os[linux], arch[x86_64]
06:24:21.758 INFO Starting SonarScanner Engine...
06:24:21.759 INFO Java 21.0.9 Eclipse Adoptium (64-bit)
06:24:23.411 INFO Load global settings
06:24:24.151 INFO Load global settings (done) | time=738ms
06:24:24.161 INFO Server id: FD15FB16-AZYKbrDIgxvPasmRDd99
06:24:24.174 INFO Loading required plugins
06:24:24.174 INFO Load plugins index
06:24:24.457 INFO Load plugins index (done) | time=283ms
06:24:24.458 INFO Load/download plugins
06:24:27.490 INFO Load/download plugins (done) | time=3033ms
06:24:27.617 INFO Loaded core extensions: developer-scanner
06:24:28.021 INFO Process project properties
06:24:28.035 INFO Process project properties (done) | time=14ms
06:24:28.049 INFO Project key: spliceforms-stitch_stitch-scrutiny_031dda92-db57-4e3b-b2d8-da4c89e9f8f9
06:24:28.049 INFO Base dir: /home/runner/work/stitch-scrutiny/stitch-scrutiny
06:24:28.051 INFO Working dir: /home/runner/work/stitch-scrutiny/stitch-scrutiny/.scannerwork
06:24:28.064 INFO Load project settings for component key: 'spliceforms-stitch_stitch-scrutiny_031dda92-db57-4e3b-b2d8-da4c89e9f8f9'
06:24:28.334 INFO Load project settings for component key: 'spliceforms-stitch_stitch-scrutiny_031dda92-db57-4e3b-b2d8-da4c89e9f8f9' (done) | time=269ms
06:24:28.364 INFO Load project branches
06:24:28.620 INFO Load project branches (done) | time=255ms
06:24:28.622 INFO Load branch configuration
06:24:28.625 INFO Detected branch/PR in 'GitHub Action'
06:24:28.625 INFO Auto-configuring pull request '217'
06:24:28.629 INFO Load branch configuration (done) | time=7ms
06:24:28.657 INFO Load quality profiles
06:24:29.030 INFO Load quality profiles (done) | time=370ms
06:24:29.048 INFO Auto-configuring with CI 'Github Actions'
06:24:29.116 INFO Load active rules
06:24:30.491 INFO Load active rules (done) | time=1376ms
06:24:30.500 INFO Load analysis cache
06:24:31.136 INFO Load analysis cache | time=635ms
06:24:31.880 INFO Pull request 217 for merge into release/express-e2 from poc/PD-32-sonar-scan
06:24:31.905 INFO Preprocessing files...
06:24:32.189 INFO 1 language detected in 83 preprocessed files (done) | time=285ms
06:24:32.191 INFO 14 files ignored because of inclusion/exclusion patterns
06:24:32.191 INFO 0 files ignored because of scm ignore settings
06:24:32.196 INFO Loading plugins for detected languages
06:24:32.196 INFO Load/download plugins
06:24:42.829 INFO Load/download plugins (done) | time=10631ms
06:24:43.182 INFO Load project repositories
06:24:43.520 INFO Load project repositories (done) | time=337ms
06:24:43.523 INFO SCM collecting changed files in the branch
06:24:43.667 INFO Merge base sha1: 77a4d24383e5207747b2bf895fe38dc797caafc8
06:24:43.689 INFO SCM collecting changed files in the branch (done) | time=164ms
06:24:43.721 INFO Indexing files...
06:24:43.723 INFO Project configuration:
06:24:43.723 INFO Excluded sources: **/src/test/**
06:24:43.723 INFO Excluded tests: **/src/test/**
06:24:43.726 INFO Excluded sources for coverage: **/src/test/**
06:24:43.726 INFO Excluded sources for duplication: **/src/test/**
06:24:43.762 INFO 83 files indexed (done) | time=39ms
06:24:43.765 INFO Quality profile for java: sf-sonar-way
06:24:43.765 INFO ------------- Run sensors on module stitch-scrutiny
06:24:43.895 INFO Load metrics repository
06:24:44.184 INFO Load metrics repository (done) | time=288ms
06:24:45.692 INFO Sensor JavaSensor [java]
06:24:45.727 INFO The Java analyzer is running in a context where unchanged files can be skipped. Full analysis is performed for changed files, optimized analysis for unchanged files.
06:24:45.997 INFO Server-side caching is enabled. The Java analyzer was able to leverage cached data from previous analyses for 0 out of 83 files. These files will not be parsed.
06:24:46.002 INFO Using ECJ batch to parse 83 Main java source files with batch size 104 KB.
06:24:46.355 INFO Starting batch processing.
06:24:51.948 INFO 100% analyzed
06:24:51.948 INFO Batch processing: Done.
06:24:51.953 INFO Optimized analysis for 83 of 83 files.
06:24:52.104 WARN Dependencies/libraries were not provided for analysis of SOURCE files. The 'sonar.java.libraries' property is empty. Verify your configuration, as you might end up with less precise results.
06:24:52.112 WARN Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
06:24:52.116 WARN Use of preview features have been detected during analysis. Enable DEBUG mode to see them.
06:24:52.116 INFO No "Test" source files to scan.
06:24:52.116 INFO No "Generated" source files to scan.
06:24:52.116 INFO Sensor JavaSensor [java] (done) | time=6424ms
06:24:52.116 INFO Sensor JaCoCo XML Report Importer [jacoco]
06:24:52.130 INFO Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
06:24:52.359 INFO Sensor JaCoCo XML Report Importer [jacoco] (done) | time=242ms
06:24:52.362 INFO Sensor IaC hadolint report Sensor [iac]
06:24:52.362 INFO Sensor IaC hadolint report Sensor [iac] (done) | time=1ms
06:24:52.365 INFO Sensor Java Config Sensor [iac]
06:24:52.369 INFO There are no files to be analyzed for the Java language
06:24:52.370 INFO Sensor Java Config Sensor [iac] (done) | time=10ms
06:24:52.370 INFO Sensor IaC Docker Sensor [iac]
06:24:52.370 INFO Sensor IaC Docker Sensor is restricted to changed files only
06:24:52.373 INFO There are no files to be analyzed for the Docker language
06:24:52.373 INFO Sensor IaC Docker Sensor [iac] (done) | time=2ms
06:24:52.373 INFO Sensor IaC GitHub Actions Sensor [iac]
06:24:52.373 INFO There are no files to be analyzed for the GitHub Actions language
06:24:52.373 INFO Sensor IaC GitHub Actions Sensor [iac] (done) | time=0ms
06:24:52.374 INFO Sensor IaC Shell Sensor [iac]
06:24:52.374 INFO There are no files to be analyzed for the Shell language
06:24:52.374 INFO Sensor IaC Shell Sensor [iac] (done) | time=0ms
06:24:52.375 INFO Sensor ThymeLeaf template sensor [securityjavafrontend]
06:24:52.376 INFO Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=5ms
06:24:52.376 INFO Sensor JavaAndroidConfigurationSensor [securityjavafrontend]
06:24:52.377 INFO Sensor JavaAndroidConfigurationSensor [securityjavafrontend] (done) | time=1ms
06:24:52.380 INFO Sensor SurefireSensor [java]
06:24:52.380 INFO parsing [/home/runner/work/stitch-scrutiny/stitch-scrutiny/target/surefire-reports]
06:24:52.520 INFO Sensor SurefireSensor [java] (done) | time=141ms
06:24:52.520 INFO Sensor DBD/Java IR Generation [dbdjavafrontend]
06:24:52.709 INFO Sensor DBD/Java IR Generation [dbdjavafrontend] (done) | time=190ms
06:24:52.709 INFO Sensor javabugs [dbd]
06:24:53.228 INFO Analyzing 694/968 functions to detect bugs.
06:24:54.582 INFO Sensor javabugs [dbd] (done) | time=1872ms
06:24:54.583 INFO Sensor pythonbugs [dbd]
06:24:54.585 INFO No IR files have been included for analysis.
06:24:54.585 INFO Sensor pythonbugs [dbd] (done) | time=2ms
06:24:54.585 INFO Sensor DeveloperTextAndSecretsSensor [textdeveloper]
06:24:54.585 INFO Sensor DeveloperTextAndSecretsSensor is restricted to changed files only
06:24:54.596 INFO Available processors: 2
06:24:54.596 INFO Using 2 threads for analysis.
06:24:55.291 INFO Start fetching files for the text and secrets analysis
06:24:55.304 INFO Using Git CLI to retrieve dirty files
06:24:55.337 INFO Retrieving language associated files and files included via "sonar.text.inclusions" that are tracked by git
06:24:55.337 INFO There are no files to be analyzed for the text and secrets analysis
06:24:55.337 INFO Start fetching files for the binary file analysis
06:24:55.338 INFO There are no files to be analyzed for the binary file analysis
06:24:55.342 INFO Sensor DeveloperTextAndSecretsSensor [textdeveloper] (done) | time=757ms
06:24:55.342 INFO Sensor JavaSecuritySensor [security]
06:24:55.351 INFO 29 taint analysis rules enabled.
06:24:55.769 INFO Analyzing 337 UCFGs to detect vulnerabilities.
06:24:58.498 INFO No entry points found.
06:24:58.507 INFO java security sensor: Begin: 2026-05-21T06:24:55.345719492Z, End: 2026-05-21T06:24:58.502635259Z, Duration: 00:00:03.156
Load type hierarchy and UCFGs: Begin: 2026-05-21T06:24:55.350474851Z, End: 2026-05-21T06:24:55.768941999Z, Duration: 00:00:00.418
Load type hierarchy: Begin: 2026-05-21T06:24:55.350491411Z, End: 2026-05-21T06:24:55.441592397Z, Duration: 00:00:00.091
Load UCFGs: Begin: 2026-05-21T06:24:55.441841761Z, End: 2026-05-21T06:24:55.768844818Z, Duration: 00:00:00.327
Check cache: Begin: 2026-05-21T06:24:55.769070588Z, End: 2026-05-21T06:24:55.769753451Z, Duration: 00:00:00.000
Load cache: Begin: 2026-05-21T06:24:55.769405051Z, End: 2026-05-21T06:24:55.769493827Z, Duration: 00:00:00.000
Create runtime call graph: Begin: 2026-05-21T06:24:55.769796761Z, End: 2026-05-21T06:24:55.849963922Z, Duration: 00:00:00.080
Variable Type Analysis #1: Begin: 2026-05-21T06:24:55.770583086Z, End: 2026-05-21T06:24:55.819613104Z, Duration: 00:00:00.049
Create runtime type propagation graph: Begin: 2026-05-21T06:24:55.771342140Z, End: 2026-05-21T06:24:55.806495778Z, Duration: 00:00:00.035
Run SCC (Tarjan) on 1726 nodes: Begin: 2026-05-21T06:24:55.807005548Z, End: 2026-05-21T06:24:55.812152716Z, Duration: 00:00:00.005
Propagate runtime types to strongly connected components: Begin: 2026-05-21T06:24:55.812239027Z, End: 2026-05-21T06:24:55.819551800Z, Duration: 00:00:00.007
Variable Type Analysis #2: Begin: 2026-05-21T06:24:55.822339463Z, End: 2026-05-21T06:24:55.848491008Z, Duration: 00:00:00.026
Create runtime type propagation graph: Begin: 2026-05-21T06:24:55.822344513Z, End: 2026-05-21T06:24:55.841805674Z, Duration: 00:00:00.019
Run SCC (Tarjan) on 1726 nodes: Begin: 2026-05-21T06:24:55.841934875Z, End: 2026-05-21T06:24:55.844211967Z, Duration: 00:00:00.002
Propagate runtime types to strongly connected components: Begin: 2026-05-21T06:24:55.844267881Z, End: 2026-05-21T06:24:55.848421849Z, Duration: 00:00:00.004
Load config: Begin: 2026-05-21T06:24:55.850016159Z, End: 2026-05-21T06:24:58.416767423Z, Duration: 00:00:02.566
Compute entry points: Begin: 2026-05-21T06:24:58.417019563Z, End: 2026-05-21T06:24:58.494857737Z, Duration: 00:00:00.077
06:24:58.507 INFO java security sensor peak memory: 602 MB
06:24:58.508 INFO Sensor JavaSecuritySensor [security] (done) | time=3165ms
06:24:58.513 INFO ------------- Run sensors on project
06:24:58.634 INFO Sensor JavaProjectSensor [java]
06:24:58.638 INFO Sensor JavaProjectSensor [java] (done) | time=5ms
06:24:58.641 INFO Sensor JavaArchitectureSensor [architecture]
06:24:58.654 INFO Architecture analysis is enabled with the following features: legacy
06:24:58.659 INFO * Protobuf reading starting | memory total=595 | free=101 | used=493 (MB)
06:24:58.664 INFO * Reading SonarArchitecture UDG data from directory "/home/runner/work/stitch-scrutiny/stitch-scrutiny/.scannerwork/architecture/java"
06:24:58.932 INFO * Files successfully loaded: "83" out of "83"
06:24:58.932 INFO * Purging externals (components not scanned) from graphs
06:24:58.940 INFO * Purging excluded nodes from graphs
06:24:58.949 INFO * Protobuf reading complete | memory total=595 | free=350 | used=244 (MB)
06:24:58.998 INFO * Build architecture.graph.java.namespace_graph.default_perspective hierarchy graph complete (filtered=false) | memory total=595 | free=345 | used=249 (MB)
06:24:59.013 INFO Sensor JavaArchitectureSensor [architecture] (done) | time=374ms
06:24:59.013 INFO Sensor Zero Coverage Sensor
06:24:59.017 INFO Sensor Zero Coverage Sensor (done) | time=3ms
06:24:59.017 INFO Sensor Java CPD Block Indexer
06:24:59.149 INFO Sensor Java CPD Block Indexer (done) | time=133ms
06:24:59.151 INFO ------------- Gather SCA dependencies on project
06:24:59.156 INFO Dependency analysis skipped
06:24:59.170 INFO CPD Executor 40 files had no CPD blocks
06:24:59.172 INFO CPD Executor Calculating CPD for 43 files
06:24:59.207 INFO CPD Executor CPD calculation finished (done) | time=33ms
06:24:59.213 INFO SCM revision ID '5a62824a1914617904ac5f341e0cf98534e68157'
06:24:59.358 INFO SCM writing changed lines
06:24:59.367 INFO Merge base sha1: 77a4d24383e5207747b2bf895fe38dc797caafc8
06:24:59.367 INFO SCM writing changed lines (done) | time=9ms
06:24:59.379 INFO Analysis report generated in 159ms, dir size=498.9 kB
06:24:59.467 INFO Analysis report compressed in 90ms, zip size=116.4 kB
06:25:00.047 INFO Analysis report uploaded in 580ms
06:25:00.049 INFO ------------- Check Quality Gate status
06:25:00.049 INFO Waiting for the analysis report to be processed (max 300s)
06:25:27.015 INFO QUALITY GATE STATUS: PASSED - View details on ***dashboard?id=spliceforms-stitch_stitch-scrutiny_031dda92-db57-4e3b-b2d8-da4c89e9f8f9&pullRequest=217
06:25:27.043 INFO Analysis total time: 59.428 s
06:25:27.044 INFO SonarScanner Engine completed successfully
06:25:27.432 INFO EXECUTION SUCCESS
06:25:27.434 INFO Total time: 1:13.296s
Let me know if more details are required.
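
An added example, not part of the original post or of SonarSource's tooling: a small Python triage script that pulls from a scanner log like the one above the lines that bear on a quality gate result (pull request number, exclusion patterns, coverage reports imported, gate status) together with the unsupported-action warning. The sample log is constructed from lines in the post; `summarize` and its key names are hypothetical.

```python
import re

# Constructed sample: lines taken from the scanner log in the post (shortened).
SAMPLE_LOG = """\
Warning: This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability.
06:24:28.625 INFO Auto-configuring pull request '217'
06:24:43.723 INFO Excluded sources: **/src/test/**
06:24:43.723 INFO Excluded tests: **/src/test/**
06:24:43.726 INFO Excluded sources for coverage: **/src/test/**
06:24:52.116 INFO No "Test" source files to scan.
06:24:52.130 INFO Importing 1 report(s). Turn your logs in debug mode in order to see the exhaustive list.
06:25:27.015 INFO QUALITY GATE STATUS: PASSED
"""

# Value-carrying lines: the first capture group is stored (hypothetical key names).
VALUES = {
    "pull_request": re.compile(r"Auto-configuring pull request '(\d+)'"),
    "coverage_reports": re.compile(r"Importing (\d+) report\(s\)"),
    "quality_gate": re.compile(r"QUALITY GATE STATUS: (\w+)"),
}
# Presence-only lines: stored as booleans.
FLAGS = {
    "unsupported_action": re.compile(r"no longer supported and contains a security vulnerability"),
    "no_test_sources": re.compile(r'No "Test" source files to scan'),
}
# "Excluded sources: <pattern>", "Excluded sources for coverage: <pattern>", ...
EXCLUSION = re.compile(r"INFO\s+(Excluded [\w ]+): (\S+)")


def summarize(log_text):
    """Collect the gate-relevant facts from a SonarScanner CLI log."""
    out = {key: None for key in VALUES}
    out.update({key: False for key in FLAGS})
    out["exclusions"] = {}
    for line in log_text.splitlines():
        m = EXCLUSION.search(line)
        if m:
            out["exclusions"][m.group(1)] = m.group(2)
            continue
        for key, rx in VALUES.items():
            m = rx.search(line)
            if m:
                out[key] = m.group(1)
        for key, rx in FLAGS.items():
            if rx.search(line):
                out[key] = True
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```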


