Scanner not picking up on our k8s YAML/YML files

Context:

  • GitLab using
  • GitLab-CI
  • default scanner command from gitlab-ci.yml
  • repo uses yml, yaml, json, .tpl and .secrets files
  • private project, sorry
  • Error observed:
INFO: 106 files indexed
INFO: 0 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for json: SonarQube Way
INFO: Quality profile for yaml: Sonar way
INFO: ------------- Run sensors on module k8s-cloud-config
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=82ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=1539ms
INFO: Sensor IaC Kubernetes Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Kubernetes Sensor [iac] (done) | time=786ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=1ms
INFO: Sensor C# Analysis Log [csharp]
INFO: Sensor C# Analysis Log [csharp] (done) | time=18ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=0ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor Text Sensor [text]
INFO: 99 source files to be analyzed
INFO: 99/99 source files have been analyzed
  • Steps to reproduce
    • Trigger a new scan on the default branch

I am wondering why the scanner picks up 106 files but the Kubernetes sensor doesn’t see or recognize any of them? ¯_(ツ)_/¯

What’s wrong with the syntax of these files?
Could it be that it’s thrown off by the templating instructions?

{{- if .Values.prometheusRule.enabled }}

Hey there.

  • In your Project-level Administration > Kubernetes, is sonar.kubernetes.activate activated?
  • If yes, can you upload a sample file you expect to be indexed by the scanner and analyzed, that isn’t? Feel free to redact sensitive information – just make sure the non-analysis can be reproduced.

Yes, that’s activated, which is the default.

It doesn’t seem to find any files in the project. Here is the default properties file:

sonar.projectKey=ABC
sonar.organization=xyz

# This is the name and version displayed in the SonarCloud UI.
sonar.projectName=a-b-c
#sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

A sample chart

apiVersion: v2
name: "prod-apps"
type: "application"
version: "0.1.0"
appVersion: "1.2.3"
description: Production Self Service
dependencies:
  - name: "platform"
    version: "0.8.6"
    repository: "https://example.com/repo-stable"
  - name: "resources"
    version: "0.1.0"
    repository: "https://example.com/repo-stable"

and

axual-operator:
  watchAnyNamespace: true
  createGlobalResources: true
  resources:
    limits:
      memory: 1024Mi
      cpu: 2000m
    requests:
      memory: 1024Mi
      cpu: 200m
  image:
    imagePullSecrets: sensitive

If I recall correctly SonarQube does not scan Helm template files (Collin will probably correct me if I’m wrong).

You can render them before scanning tho using the Helm template functionality


Yes I was aware of templates causing interpretation issues. Thanks for the reminder that I can render them! :+1:

But the above examples are not with templates. They’re straightforward k8s values.yaml files AFAIK.

Any word on why the scanner is not picking the other non-templated files such as “values.yaml”?

Hello @dreams,

as @DefinitelyNotTobi already mentioned we only analyze Kubernetes YAML files. These must contain the required fields to be recognized as valuable Kubernetes files.

What information does the values.yaml file contain and what analysis results do you expect? Please also take a look at the rules we currently provide for Kubernetes files.

Best,
Nils
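To make the distinction in Nils’s answer concrete, here is a small added script (not from the thread or from SonarSource) that sorts a repo’s YAML files into plain Kubernetes manifests, Helm templates and everything else. It assumes, as a stated guess rather than documented sensor behaviour, that a manifest is recognised by the top-level keys `apiVersion`, `kind` and `metadata`; the Chart.yaml and values.yaml samples are the ones quoted above, the rest are constructed.

```python
import re
from typing import Dict, List

# Assumption (not confirmed by the thread): a document counts as a Kubernetes
# manifest when all three top-level keys are present.
REQUIRED_KEYS = ("apiVersion", "kind", "metadata")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][\w.-]*)\s*:")   # key at column 0
HELM_DIRECTIVE = re.compile(r"\{\{")                     # Go/Helm template action


def split_documents(text: str) -> List[str]:
    """Split a multi-document YAML stream on '---' separator lines."""
    return [d for d in re.split(r"^---\s*$", text, flags=re.MULTILINE) if d.strip()]


def classify(text: str) -> str:
    """Return 'helm-template', 'kubernetes' or 'other' for one YAML file."""
    if HELM_DIRECTIVE.search(text):
        return "helm-template"          # needs `helm template` before scanning
    for doc in split_documents(text):
        keys = {m.group(1) for line in doc.splitlines()
                if (m := TOP_LEVEL_KEY.match(line))}
        if all(k in keys for k in REQUIRED_KEYS):
            return "kubernetes"
    return "other"                      # Chart.yaml, values.yaml, app config...


def report(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Group file names by classification; 'kubernetes' is what the sensor would see."""
    grouped: Dict[str, List[str]] = {}
    for name, body in files.items():
        grouped.setdefault(classify(body), []).append(name)
    return grouped


# Constructed samples: first two are from the thread, the last two are illustrative.
SAMPLES = {
    "Chart.yaml": 'apiVersion: v2\nname: "prod-apps"\ntype: "application"\nversion: "0.1.0"\n',
    "values.yaml": "axual-operator:\n  watchAnyNamespace: true\n  resources:\n    limits:\n      cpu: 2000m\n",
    "templates/rule.yaml": "{{- if .Values.prometheusRule.enabled }}\napiVersion: monitoring.coreos.com/v1\n"
                           "kind: PrometheusRule\nmetadata:\n  name: rules\n{{- end }}\n",
    "deployment.yaml": "---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\nspec:\n  replicas: 2\n",
}

if __name__ == "__main__":
    for category, names in sorted(report(SAMPLES).items()):
        print(f"{category:14} {', '.join(names)}")
```

Only the Deployment lands in the `kubernetes` bucket, which matches the "0 source files to be analyzed" line in the log for a repo made of charts, values files and templates.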