Hey folks, we are using sonarcloud for sec vul scans and keeping our code quality high. We use https://github.com/SonarSource/sonarcloud-github-action but whenever we create new PR with very small change, it also considers code merged in main branch to be “new code” and fails. Has anyone ever bumped into this issue?
Meaning
Let’s say author A changed 10 files and merged to main branch with little less coverage than required in master.
Author B creates a PR with only 1 liner change, sonarcloud would fail pointing that “10 (from main)+1=11” files require tests for it to pass while it should only care about what’s changed in the PR.
I wonder why would this mess SonarCloud up? The reason why we are doing it is because we only want to create report for files changed in the PR and not all codebase. If we do not do that Sonarcloud runs all the jest test which takes really really long time. Also shouldn’t fetch-depth:1 only pull one commit and then the surface area for sonarcloud be small (just trying to understand how sonarcloud works, I know it should not be 1)
SonarCloud runs a full analysis even when only a few files have changed, and filters the results down to the changed files/lines at the end. We’re hoping to improve this soon so that unchanged files are skipped when possible. At the same time – it’s probably a good practice to run all of your tests for a codebase to make sure changes in one place didn’t affect other parts of your code.