Sonar Scan for .Net Project on GitHub Actions

Hi

Please, I really need help on this.

Going through the below link

I see that

image

This is confirmed by the below as sonar does not detect .Net in the scan

Below also is my current github action script

on:
  # Trigger analysis when pushing in master or pull requests, and when creating
  # a pull request.
  push:
    branches:
      - master
      - staging
  pull_request:
      types: [opened, synchronize, reopened]
name: SonarCloud
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:          
        args: >
          -Dsonar.projectKey=xxxxx_xxxxx
          -Dsonar.organization=xxxxx
          -Dsonar.c.file.suffixes=- -Dsonar.cpp.file.suffixes=- -Dsonar.objc.file.suffixes=-
          -Dsonar.exclusions="**/Migrations/*,**/*.c,**/*.cc,**/*.cpp,**/*.h"
        # Disabling shallow clone is recommended for improving relevancy of reporting
        # /Migrations/
        fetch-depth: 0    
    - name: SonarCloud Scan
      uses: sonarsource/sonarcloud-github-action@master
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Hey there.

When you create a new project in SonarCloud, there’s a tutorial right in the UI.

You can also find it in your project’s Administration > Analysis Method

Hi @Colin ,

I was just praising you for your help so far in my work with sonar to @Silpa .

So I am currently trying this now and I will give feedback afterwards.

Cheers


Hi @Colin

Kindly see below

Time Elapsed 00:08:41.28
SonarScanner for MSBuild 6.2
Using the .NET Core version of the Scanner for MSBuild
Post-processing started.
09:15:52.503  sonar-project.properties files are not understood by the SonarScanner for MSBuild. Remove those files from the following folders: D:\a\adora\adora
09:15:52.504  Post-processing failed. Exit code: 1
Error: Process completed with exit code 1.

Mind you I already have a sonar-project.properties

with the below content

sonar.organization=organization_name_in_sonarcloud
sonar.projectKey=project_key_in_sonarcloud

sonar.sources=.

Please help

The error message is pretty clear about what actions to take.

You should instead provide these values as command line arguments to the Scanner. See the docs here.

So they also stated in the yml file for the GitHub action

run: |
          .\.sonar\scanner\dotnet-sonarscanner begin /k:"xxxxx" /o:"xxxxx" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io"
          dotnet build
          .\.sonar\scanner\dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

Should I remove them from the sonar-project.properties file, or remove the file altogether?

Remove the file altogether.
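As an added example (not part of the original thread and not SonarSource code): a small Python helper that turns a leftover sonar-project.properties into the equivalent `begin` arguments before the file is deleted. The function names, the sample lines beyond the file quoted above, and the choices to drop `sonar.sources` and to withhold credential values are assumptions.

```python
import re

# Properties with their own switch on the begin step (both appear in the thread's command).
SWITCHES = {"sonar.projectKey": "/k:", "sonar.organization": "/o:"}
# Assumption: credentials must come from a CI secret, never from a committed file.
SECRET_KEYS = {"sonar.token", "sonar.login", "sonar.password"}
# Assumption: the .NET scanner takes its source files from the MSBuild projects,
# so sonar.sources is reported and not carried over.
DROPPED = {"sonar.sources"}

# Constructed sample: the file quoted in the thread plus two constructed lines.
SAMPLE = """\
sonar.organization=organization_name_in_sonarcloud
sonar.projectKey=project_key_in_sonarcloud

sonar.sources=.
sonar.exclusions=**/Migrations/*
sonar.token=CONSTRUCTED_PLACEHOLDER
"""


def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2 and parts[0]:
            props[parts[0]] = parts[1]
    return props


def begin_arguments(text):
    """Return (args, warnings) for the scanner's begin step; secret values are never echoed."""
    args, warnings = [], []
    for key, value in parse_properties(text).items():
        if key in SECRET_KEYS:
            warnings.append(f"{key}: credential in file, rotate it and pass it from a CI secret")
        elif key in DROPPED:
            warnings.append(f"{key}: not carried over")
        elif key in SWITCHES:
            args.append(f'{SWITCHES[key]}"{value}"')
        else:
            args.append(f'/d:{key}="{value}"')
    return args, warnings


if __name__ == "__main__":
    args, warnings = begin_arguments(SAMPLE)
    print("dotnet-sonarscanner begin " + " ".join(args))
    print("\n".join(warnings))
```
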

Done and everything seems to be fine

Just that GitHub actions is scanning all the source code with every push

I need to be able to scan only the new changes to the source code

Please how do I achieve that?

Incremental Analysis is supported in the context of analyzing Pull Requests, but not branch analyses.

Hi @Colin
In light of the below

What else do I need to do to ensure the scan of the pull request does not result in scanning the whole project again?

Specifically, in the context of a PR analysis, it should work out of the box when you follow the tutorial in the UI! If it’s not, I’d be happy to look at the logs of your job.

Hi @Colin

Many thanks, yes I’ve been able to set this up and all that, but there is still a challenge

GH PR still does not stop the merge even when the QG fails

See below

sonarcloud

and here’s the settings on GH

Please, what am I missing?

Is your project bound?

No, it’s not. I use the steps in Analysis Method.

As I told you in this thread, you need a GitHub-bound organization

Hi @Colin

Does it mean I can not use the Quality Gates to block merges of new code that fails the quality gates?

If you have a GitHub-bound organization, sure you can. If not, then no, you cannot decorate the PR with a comment/status check, ultimately used to block the merge.

:slightly_frowning_face:

This is sad. … is there no other way. …

However, for one of my projects, not a .Net project the quality gate works and stops the merge of code that fails.

Please, there should be another way to get these .Net projects to work. …

Why can’t you create a bound GitHub organization?

Maybe you can share a screenshot or whatever is indicating to you that this is working for the non-.NET project. Is the non-.NET project on GitHub or Azure DevOps?

All projects are on GitLab and GitHub