SonarCloud PR Commenting Issue for Terraform Code in Azure DevOps

We have integrated SonarCloud with our Azure DevOps pipeline to analyze code quality and security vulnerabilities across different languages, including JavaScript and Terraform. While SonarCloud successfully identifies and comments on issues for JavaScript code in Pull Requests (PRs), it does not seem to be commenting on Terraform-related issues, even though the issues are visible in the SonarCloud dashboard.

### **Observations:**

1. Terraform Issues Detected in SonarCloud Dashboard
   - SonarCloud correctly identifies Terraform issues, such as security risks (e.g., `admin_enabled = true` in Azure resources).
   - The issues are listed in SonarCloud under the Security Hotspots, Maintainability, and Code Smells sections.
2. No PR Comments for Terraform Issues in Azure DevOps
   - Unlike JavaScript, where SonarCloud comments directly in the PR when an issue is detected, Terraform-related issues are not being reflected in the PR.
   - This creates a gap in developer awareness and feedback, since issues need to be checked manually in SonarCloud instead of being flagged in the PR.

### **Example Case:**

- We committed the following Terraform code that violates security best practices:

  ```hcl
  resource "azurerm_container_registry" "example" {
    name                = "example"
    resource_group_name = "example-rg"
    location            = "westeurope"
    sku                 = "Basic"
    admin_enabled       = true  # Sensitive: Enabling admin accounts is a security risk.
  }
  ```

- SonarCloud correctly flagged this in the dashboard as a security-sensitive issue.
- However, no comments appeared in the associated Azure DevOps PR.

### **Expected Behavior:**  
- Similar to JavaScript, Terraform-related issues should also be **commented directly in the PR** by SonarCloud when an issue is detected.  
- This ensures **consistent issue tracking and enforcement of security/compliance rules across all languages** in our codebase.  

### **Request for Assistance:**  
Could you please confirm if:  
- **SonarCloud supports PR commenting for Terraform issues in Azure DevOps?**  
- **Any additional configuration is required to enable PR commenting for Terraform-related findings?**  
- **There are known limitations or workarounds for this issue?**  

We would appreciate your guidance on resolving this discrepancy to maintain a unified code quality enforcement process. 
 

```properties
# Project Identification
sonar.projectKey=
sonar.organization=<>
sonar.projectName=<>
sonar.projectVersion=1.0

# New Code Definition
sonar.newCode.referenceBranch=main
sonar.qualitygate.wait=false

# Source Files
sonar.sources=.
sonar.exclusions=**/.terraform/**,**/*.tfstate,**/*.tfstate.backup

# Language-Specific Settings
sonar.lang.patterns.generic=*.tf
sonar.generic.exclusions=**/.terraform/**

# TFLint Report Path
sonar.terraform.tfLint.reportPaths=reports/tflint-report.json

# Pull Request Analysis
sonar.pullrequest.provider=Azure DevOps
sonar.pullrequest.key=${System.PullRequest.PullRequestId}
sonar.pullrequest.branch=${Build.SourceBranchName}
sonar.pullrequest.base=${System.PullRequest.TargetBranch}

# SCM Settings
sonar.scm.provider=git

# Encoding
sonar.sourceEncoding=UTF-8

# Issue: TFLint report is not appearing in the SonarCloud dashboard
# Even though we have provided the correct path, the report is not being recognized.
# Warning seen in logs: "INFO  SonarQube Cloud: Analysis succeeded with warning:
# TFLint report importing: path does not seem to point to a file /home/vsts/work/1/s/reports/tflint-report.json"
```

Looking forward to your response.
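An added example, not part of the original post or of SonarSource's tooling: a pre-flight step a pipeline can run before the SonarCloud analysis, which fails early if the report named in `sonar.terraform.tfLint.reportPaths` is missing or empty (the condition behind the "path does not seem to point to a file" warning quoted above) and confirms the PR variables the properties reference are present. It assumes Azure DevOps' standard environment-variable mapping for `System.PullRequest.PullRequestId`, `Build.SourceBranchName` and `System.PullRequest.TargetBranch` (dots to underscores, upper-cased).

```shell
# Pre-flight checks for a SonarCloud scan step (added example).
# Run from the checkout directory before the scanner so that a missing
# TFLint report or an unset PR variable fails the job instead of becoming
# a warning in the scanner log.

# prop FILE KEY: print the value of KEY (sed-escaped) from a properties file
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_tflint_report PROPS BASE_DIR: 0 when every configured report exists and is non-empty
check_tflint_report() {
  paths=$(prop "$1" 'sonar\.terraform\.tfLint\.reportPaths')
  if [ -z "$paths" ]; then
    echo "sonar.terraform.tfLint.reportPaths is not configured" >&2
    return 2
  fi
  rc=0
  # the property is a comma-separated list; relative entries resolve against BASE_DIR
  for p in $(printf '%s' "$paths" | tr ',' ' '); do
    case $p in
      /*) f=$p ;;
      *)  f="$2/$p" ;;
    esac
    if [ ! -s "$f" ]; then
      echo "TFLint report missing or empty: $f (generate it with tflint --format json before the scan)" >&2
      rc=1
    fi
  done
  return $rc
}

# check_pr_vars: 0 when the three PR variables referenced in the properties are set
# (assumed Azure DevOps environment names for the pipeline variables)
check_pr_vars() {
  for v in SYSTEM_PULLREQUEST_PULLREQUESTID BUILD_SOURCEBRANCHNAME SYSTEM_PULLREQUEST_TARGETBRANCH; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "$v is not set: the scan would run as a branch analysis, not a PR analysis" >&2
      return 1
    fi
  done
}
```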

Hi,

Welcome to the community and thanks for this report!

Is that Security Hotspot raised in full branch analysis? I’m trying to understand whether this is a general false-negative or whether it’s specific to the PR context.

 
Thx,
Ann

Thanks for the welcome! We’ve confirmed the issue exists in the main branch analysis in SonarCloud. However, we’re not seeing any SonarCloud issues (Hotspots, Code Smells, etc.) in our Azure DevOps Pull Requests. Could there be a configuration issue preventing the integration between SonarCloud and Azure DevOps for PR analysis?

We’re also hitting a snag with TFLint. The SonarCloud logs show this warning: “TFLint report importing: path does not seem to point to a file /home/vsts/work/1/s/reports/tflint-report.json”. We’ve checked the file path, and the report is present at that location in our build environment. Any ideas on what might be causing this discrepancy? Perhaps a permissions issue or something related to how the file is being generated?

Hi,

We try to keep it to one topic per thread. Otherwise it can get messy, fast. Let’s focus here on the missing Security Hotspots and issues in your PR.

And to be clear, this is not just a single Security Hotspot false negative at this point, but it extends to all types of issues being missing from your PR?

Is it that you’re not seeing them in ADO but you do see them in SonarCloud? Or you don’t see issues anywhere?

 
Thx,
Ann

Hi Ann

Thanks for the clarification. I can confirm that I am seeing the issues reported in SonarCloud directly (for example, the “Omitting ‘enable_rbac_authorization’” issue you mentioned). However, these annotations are not showing up in the Azure DevOps Pull Request.

Hi,

Are you expecting each issue / hotspot to be annotated at the line level in the PR? We just don’t do that.

 
Ann