Amido Stacks projects use SonarQube for static analysis.
To enable integrations with GitHub and for use in Azure DevOps CI, the results are then hosted and viewable on SonarCloud.
SonarCloud offers quality gates that ensure that your standards are adhered to before deploying.
SonarCloud supports most languages.
Sign up with GitHub to Sonarcloud for the Organisation under test. Review the documentation and setup on how to plugin to GitHub.
Using Jest with SonarCloud
SonarCloud collects the coverage reports generated by Jest in the form of
lcov.info output. Configuration in the
jest.config.json file will include the following for code coverage collection.
To ensure that the
lcov.info reports with relative paths the root
"roots": ["<rootDir>/."] needs to be set. Else then the
lcov report will embed the root directory in the path, and sonar scanner won't be able to map the coverage to the analysed files.
The coverage directory will be where the
lcov reports are generated.
At the root of the package, a
sonar-project.properties configuration file can be created, to pull in the required SonarCloud environment variables, including SonarCloud token, project name, where to collect the code coverage report from, and what files should be excluded from analysis.
For all configuration options see SonarCloud Analysis Parameters.
To pull in the Jest generated code coverage reports, outputted in the SonarCloud supported
lcov.info report, the report path can be set in the
To ensure that SonarCloud doesn't analysis files that are not needed for analysis, please exclude them:
We can run this with Amido Stacks custom container, supports running Sonar Scanner for .NET and NPM projects.
See amidostacks/ci-sonarscanner for the open source image.
Static quality gates
To ensure that all code is meeting the quality standards (i.e. code coverage, bugs, security) then we can implement Quality gate checks from the results of the SonarScanner analysis.
amidostacks/ci-sonarscanner does not fail the pipeline if the quality gate is not passed on SonarCloud. We recommend following one of these implementations:
SonarScanner for Azure Devops or your current pipeline
- Example usage in the open-source build-dotnet.yml template step
Using SonarLint as an IDE extension that helps you detect and fix quality issues as you write code.
[example workspace settings](../.vscode/settings.json)
Github Actions with SonarCloud to automatically run analysis triggered by Github
Another option is to have a task running using the container, making static code analysis a breeze in the pipelines and easy to run locally. For an example on how to use the container to run you static code analysis, see amido/stacks-pipeline-templates
In order to run, the export the followings environment variables for the SonarCloud Project:
First generate the code coverage results but running the unit tests, then run the SonarCloud scanner and push up the results for analysis.