Sonar scans of PR (Java)

We have an Open Source project, Egeria (GitHub - odpi/egeria: Open Metadata and Governance).
Our ‘regular’ build pipeline is now via GitHub Actions - we build with both Maven and Gradle (migrating to the latter).
We do various builds triggered off a PR, and a few more (like updating snapshots) from merge.

We still have a few ‘old’ pipelines on Azure DevOps, including a sonar build for SonarCloud (Maven). This also captures code coverage from tests. It’s triggered off a merge.

In the last year we’ve tried out GitHub’s CodeQL and integrated it into our GitHub Actions/PR pipeline. This is nice as the dev gets results in situ. However, reviewing the backlog is unusable (just a list in GitHub) and the detection of errors is not very good.

I’m wondering if we can get SonarCloud working in the same way? i.e. to insert PR-specific results into the checks output / PR review.

I see automatic analysis isn’t supported for Java, so this needs to be CI driven?
Ideally a GitHub Action, but it could be Azure DevOps too if we had to…!

Is it possible?


Hi, we are also using SonarCloud with our open source project JUnit Pioneer.

There is the option that SonarCloud comments on an MR; see Add timeout to main build (#322) by beatngu13 · Pull Request #323 · junit-pioneer/junit-pioneer · GitHub. But overall the configuration has some downsides with forks.

  1. You need to provide the token for forks, hence you cannot store it in a secret.
  2. If somebody opens a PR within their fork, you might get a comment on the main repository’s pull request with the same ID (quite annoying, that’s why we turned this off).
  3. You can also wait for the quality gate to fail when you run a GitHub Action, so you get some kind of breaking build.

I hope this helps a little bit 🙂

Hello @planetf1,

It is possible (and highly encouraged!) to analyze pull requests with SonarCloud. We provide high-level feedback directly inside the PR as well. You can find more information around the GitHub integration here.
Yes, in your case it will be CI driven, and it is very easy to set it up with Maven or Gradle.

As @simon.schrottner mentioned, analysis of external pull requests (e.g. from forks) is currently a bit difficult. You can follow this item on our roadmap for updates regarding this feature.
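As an added illustration of the CI-driven Maven setup the replies above describe (this is example code written for this thread, not a workflow from the Egeria, JUnit Pioneer or SonarCloud projects), here is a GitHub Actions workflow that analyzes each pull request and waits for the quality gate so the check fails when the gate fails, as in point 3 of the first reply. The project key and organization are placeholders to be replaced with the values SonarCloud shows for the project; the `SONAR_TOKEN` repository secret is assumed to exist. Because that secret is not exposed to `pull_request` runs from forks (the difficulty both replies mention), the job skips fork PRs instead of running with an empty token.

```yaml
# Added example workflow (not from the original thread or the projects it mentions).
# Analyzes a Maven project with SonarCloud on pull requests and on pushes to main.
# EXAMPLE_PROJECT_KEY and EXAMPLE_ORG are placeholders for the project's real values.
name: SonarCloud PR analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]
  push:
    branches: [main]

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Secrets are withheld from pull_request runs that originate in a fork, so only
    # same-repository PRs and pushes to main are analyzed; the token never reaches fork code.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history lets the scanner compute "new code" relative to the PR base branch.
          fetch-depth: 0

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      - name: Build, test and analyze
        env:
          # GITHUB_TOKEN lets SonarCloud post its summary into the PR checks.
          GITHUB_TOKEN: ${{ secrets.SONAR_TOKEN && secrets.GITHUB_TOKEN }}
          # SONAR_TOKEN is a repository secret, never committed to the pom or workflow.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: >
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.projectKey=EXAMPLE_PROJECT_KEY
          -Dsonar.organization=EXAMPLE_ORG
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.qualitygate.wait=true
```

`verify` runs the tests before the `sonar` goal so that coverage reports produced during the build are picked up; the example assumes the coverage plugin (JaCoCo in a typical Maven project) is already configured in the pom, which the workflow itself does not add. `sonar.qualitygate.wait=true` makes the Maven invocation, and therefore the GitHub check, fail when the quality gate fails, so the PR carries the result without anyone reading a separate dashboard.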