
I want to use SonarQube to analyze any pull request (PR) made to my project.

A few quick points:

  • My project is hosted on GitHub, it is public, is written in C#, and I'm using AppVeyor for continuous integration (CI);
  • I am using SonarCloud (a public instance of SonarQube) for code quality check, and it already does a fantastic job analyzing internal PRs (i.e., the PRs made from main repository, e.g., merge dev branch on master branch);
  • I want this to analyze external PRs (i.e., PRs made from arbitrary forks of my project), which is possible using the SonarQube GitHub plugin;
  • and most importantly: I am not gonna put my API keys in any public file, and AppVeyor is not gonna expose my secured tokens on public PRs.

Given these points, this is what I did:

  • created a bot and gave it write access to my repo (as explained here);
  • on SonarCloud, under Administration -> Settings -> Pull Requests (Alpha), I set the Authentication token to the bot's token and set the Repository identifier to my repo address in the <Organization>/<Repo> format;
  • updated the appveyor.yml file of my project so as to run SonarQube analysis on all PRs, similar to the following:

    build_script:
      - choco install "msbuild-sonarqube-runner" -y
      - MSBuild.SonarQube.Runner.exe begin /k:"REPO" /o:"ORGANIZATION" /d:"sonar.host.url=https://sonarcloud.io" /d:"sonar.analysis.mode=preview"
      - MSBuild.exe /t:Rebuild
      - MSBuild.SonarQube.Runner.exe end

However, I still don't see SonarQube using the bot to comment on new PRs (similar to their demo).

Dr. Strangelove

2 Answers

The feature you are trying to activate is not ready to be used yet - which is why it is named "Alpha" (Administration -> Settings -> Pull Requests (Alpha)).

In any case, even when this feature is ready, while this will secure your GitHub token because you will save it on SonarCloud only (which is great), you will still have to provide your SonarCloud token to perform the analysis. And as you don't want to unveil your SonarCloud token, you won't be able to analyze external pull requests. Unfortunately, we currently have no solution to solve this limitation.

  • CodeCov has a great solution for analyzing coverage on PRs without exposing the API token: if the request originates from _trusted_ CI services (e.g., AppVeyor, Travis, etc.), then the request will be processed without needing an API key. – Dr. Strangelove Feb 16 '18 at 15:28
  • Another point: though it is good that you named the feature with an `Alpha` postfix, I would read it as _this is functional, but is subject to severe changes_. Therefore, it may not be a bad idea to clearly mention at the top of this configuration tab that _it is not functional yet_. – Dr. Strangelove Feb 16 '18 at 15:30

I am not gonna put my API keys on any public file, and Appveyor is not gonna expose my secured tokens on public PRs.

To solve this issue, you can encrypt the token in AppVeyor with https://ci.appveyor.com/tools/encrypt.

Then copy and paste that encrypted value into your appveyor.yml file.

Stef Heyenrath
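The following appveyor.yml is an added example that is not part of the question or of either answer. It combines the build script from the question with the encrypted-variable approach from the second answer: the SonarCloud token is stored only as an AppVeyor secure variable (the `secure:` value is a placeholder for the output of https://ci.appveyor.com/tools/encrypt), it is passed to the scanner through the `sonar.login` property, and the analysis steps are skipped for pull-request builds that come from a fork, where AppVeyor does not decrypt secure variables and the step would otherwise fail with an empty token. The variable name `SONAR_TOKEN` and the `RUN_SONAR` flag are assumptions; `APPVEYOR_REPO_NAME` and `APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME` are AppVeyor's documented build variables, and `REPO`/`ORGANIZATION` are the same placeholders the question uses.

```yaml
# Added example (not from the question or the answers): appveyor.yml that keeps the
# SonarCloud token out of the public file and only runs analysis where the token exists.
image: Visual Studio 2017

environment:
  # Encrypted with https://ci.appveyor.com/tools/encrypt; this value is a placeholder.
  SONAR_TOKEN:
    secure: ENCRYPTED_SONARCLOUD_TOKEN_PLACEHOLDER

install:
  - choco install "msbuild-sonarqube-runner" -y

build_script:
  # Decide whether this build may talk to SonarCloud. AppVeyor does not decrypt
  # secure variables for pull requests from forks, so those builds get a plain
  # compile only; branch builds and PRs from the main repository carry the token.
  - cmd: set RUN_SONAR=0
  - cmd: IF "%APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME%"=="" set RUN_SONAR=1
  - cmd: IF "%APPVEYOR_PULL_REQUEST_HEAD_REPO_NAME%"=="%APPVEYOR_REPO_NAME%" set RUN_SONAR=1
  # The token is injected from the environment at runtime, never written in the yml.
  - cmd: IF "%RUN_SONAR%"=="1" MSBuild.SonarQube.Runner.exe begin /k:"REPO" /o:"ORGANIZATION" /d:"sonar.host.url=https://sonarcloud.io" /d:"sonar.login=%SONAR_TOKEN%"
  - cmd: MSBuild.exe /t:Rebuild
  - cmd: IF "%RUN_SONAR%"=="1" MSBuild.SonarQube.Runner.exe end /d:"sonar.login=%SONAR_TOKEN%"
```

The guard makes the limitation described in the first answer explicit: an external PR still builds, but no SonarCloud analysis (and therefore no bot comment) runs for it, because the only way to analyze it would be to hand the token to code controlled by the fork's author. The `set` calls persist across subsequent `cmd:` lines in the same script section, which is the usual AppVeyor pattern for adjusting `PATH` as well.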