GitHub Actions + SonarQube

Set up an instance of SonarQube and integrate it with GitHub actions

Roopal Jasnani
5 min read · Sep 21, 2023

Introduction

SonarQube is a widely used tool for continuously inspecting the code quality and security of a codebase and for guiding development teams during code review. Developers rely on it to write cleaner and safer code.
We needed a self-hosted SonarQube instance that analyses our code continuously and automatically on every push; this post walks through how we set it up.

Prerequisites: Docker, a DigitalOcean account (or any other cloud provider you prefer) and basic familiarity with a macOS/Linux terminal are all you need.

Let’s start!

1. Create a Digital Ocean Droplet

Log in to (or sign up for) your DigitalOcean account and create a Droplet from the control panel. The smallest configuration that meets SonarQube's requirements is an Ubuntu machine with 4 GB of RAM. The specification we used:

  • Image: Distribution — Ubuntu 20.04 (LTS) x64
  • Plan: Shared CPU — Basic (Regular Intel) — $20/month (4 GB / 2 vCPU, 80 GB SSD disk, 4 TB transfer).
    Note: The cheaper plans are unlikely to work: SonarQube itself needs at least 2 GB of RAM and the OS needs about 1 GB more. Read more on the minimum requirements here.
  • Block Storage: None
  • Datacenter Region: Choose one that suits you.
  • VPC Network: No VPC
  • Additional Options: Left all options unticked
  • Authentication: SSH keys.
    Note: Use SSH keys rather than a root password. Click on "New SSH Key" and follow the on-screen instructions to create a key pair and add the public key to your DigitalOcean account.
  • Finalize and Create: Create one Droplet. You may also want to enable backups; note the additional cost.

Further help on creating a droplet can be found here.

2. Connect to the droplet through the terminal

Once the droplet is up, click on it in the control panel to get its public IP. Open a terminal on your machine and connect over SSH:

ssh root@<droplet_ip_address>

The first connection shows the server's host key fingerprint; accept it once and, if your key is accepted, you are logged in as root. A good first step is to apply pending updates:

sudo apt update
sudo apt upgrade

3. Install Docker

Based on the Docker documentation, the installation steps are:

▹ Remove any old versions of Docker:

sudo apt-get remove docker docker-engine docker.io containerd runc

▹ Install packages that let apt use a repository over HTTPS:

sudo apt-get install \
  apt-transport-https \
  ca-certificates \
  curl \
  gnupg-agent \
  software-properties-common

▹ Add Docker's official GPG key (apt-key is deprecated on newer Ubuntu releases, but still works on 20.04):

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

▹ Add the stable repository:

sudo add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) \
  stable"

▹ Refresh the package index (add-apt-repository usually does this for you, but it is cheap to make sure the new repository is read) and install the packages:

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

4. Set up the DB — Postgres

Although you can evaluate SonarQube with the embedded database it ships with, it is strongly recommended to use an external database: the embedded one does not support upgrading SonarQube or migrating your data to a different database engine. A list of supported databases can be found here.

▹ Going with Postgres, first create a Docker network so the two containers can reach each other by name:

docker network create sonarnet

▹ Spin up a Postgres container:

docker run -d \
  --name sonar-postgres \
  -e POSTGRES_USER=sonarqube \
  -e POSTGRES_PASSWORD=sonarqube \
  -e PGDATA=/var/lib/postgresql/data/pgdata \
  -v /custom/mount:/var/lib/postgresql/data \
  --net sonarnet \
  postgres:13

Three things to note. The container does not publish port 5432 with -p: SonarQube reaches Postgres by name over sonarnet, and a published port would expose the database, together with the password above, to the whole internet. Replace the placeholder host path /custom/mount with a real directory on the droplet (for example /srv/sonar-postgres) so the data survives recreating the container, and pick a real password instead of sonarqube; the same value goes into SONAR_JDBC_PASSWORD in the next step. Finally, with no POSTGRES_DB set the database name defaults to the user name, sonarqube, which is what the JDBC URL in step 5 points at.

5. Spin up SonarQube

Based on SonarQube's Docker documentation, the necessary steps are:

▹ Create the required volumes:

docker volume create --name sonarqube_data
docker volume create --name sonarqube_extensions
docker volume create --name sonarqube_logs

▹ Spin up a SonarQube container:

docker run -d \
--name sonarqube \
-p 9000:9000 \
-e SONAR_JDBC_URL=jdbc:postgresql://sonar-postgres:5432/sonarqube \
-e SONAR_JDBC_USERNAME=sonarqube \
-e SONAR_JDBC_PASSWORD=sonarqube \
-v sonarqube_data:/opt/sonarqube/data \
-v sonarqube_extensions:/opt/sonarqube/extensions \
-v sonarqube_logs:/opt/sonarqube/logs \
--net sonarnet \
sonarqube:lts-community

▹ Verify that both containers are up and running:

docker ps -a
docker ps

docker ps -a lists every container including exited ones; docker ps lists only the running ones. If sonarqube is missing from the second list, inspect its logs:

docker logs -f sonarqube

The most likely cause is Elasticsearch (bundled with SonarQube) refusing to start because the kernel's vm.max_map_count limit is too low. Raise it now, and write it to sysctl.conf so the change survives a reboot:

sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf

▹ Restart sonarqube

docker start sonarqube

If you still cannot reach SonarQube at http://<droplet_ip_address>:9000, the host firewall may be blocking it. Allow SSH as well before enabling ufw, or you will lock yourself out:

ufw allow 9000
ufw allow 22
ufw enable

Two caveats. First, SonarQube takes a minute or two to start; docker logs -f sonarqube prints "SonarQube is operational" once it is ready, so check that before blaming the firewall. Second, Docker publishes -p ports through its own iptables chain, which is consulted before ufw's rules, so a published container port is reachable from the internet whether or not ufw allows it. The ufw rule above is harmless, but it is not what protects the droplet: only publish container ports you actually mean to expose (which is why the Postgres container does not publish 5432).

✪ Sonar should now be running on http://<droplet_ip_address>:9000. Log in with the default username admin and password admin, and change that password straight away; it is the first thing anyone scanning port 9000 will try. Everything on this port travels in clear text, including your login and the analysis tokens created later, so put a TLS reverse proxy in front of it before relying on it for real work.
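Steps 4 and 5 as one idempotent provisioning script, with the weak settings corrected. This is an added example, not the post's own setup: it keeps the post's image tags, but generates a random database password instead of the literal sonarqube (stored root-only in /root/.sonar-postgres-password, an assumed path), persists the sysctl values, does not publish 5432, binds 9000 to loopback on the assumption that a TLS reverse proxy on the host fronts SonarQube (the post publishes 9000 on all interfaces), and polls /api/system/status instead of guessing when the server is up. The host data directory /srv/sonar-postgres is also an assumption. Run it as root on the droplet with the argument provision.

```shell
#!/bin/sh
# Added example (not code from the original post): steps 4 and 5 as one
# idempotent script with the weak settings corrected. Assumptions: Docker is
# installed, this runs as root on the droplet, the image tags are the ones the
# post uses, and SonarQube sits behind a TLS reverse proxy on the host
# (hence the loopback-only bind; the post publishes 9000 on all interfaces).
set -eu

SONAR_NET="sonarnet"
PG_DATA_DIR="${PG_DATA_DIR:-/srv/sonar-postgres}"                      # host path for Postgres data (assumed)
PG_PASSWORD_FILE="${PG_PASSWORD_FILE:-/root/.sonar-postgres-password}" # assumed location

# 32 random URL-safe characters; replaces the literal password "sonarqube".
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# Stored DB password, generated on first run into a root-only (0600) file so a
# re-run reuses the credential the existing data directory expects.
db_password() {
    if [ ! -s "$PG_PASSWORD_FILE" ]; then
        ( umask 077; gen_password > "$PG_PASSWORD_FILE" )
    fi
    cat "$PG_PASSWORD_FILE"
}

# Elasticsearch inside SonarQube needs these. "sysctl -w" alone is lost on
# reboot; a sysctl.d file is not. 262144 is the minimum Elasticsearch enforces,
# 524288 is what SonarQube's own requirements list.
persist_sysctl() {
    printf 'vm.max_map_count=524288\nfs.file-max=131072\n' > /etc/sysctl.d/99-sonarqube.conf
    sysctl --system > /dev/null
}

# 0 if a /api/system/status body (compact JSON) reports "UP". STARTING, the
# DB-migration states and an empty body (nothing listening yet) all give 1.
sonar_is_up() {   # $1 = response body
    case "$1" in *'"status":"UP"'*) return 0 ;; *) return 1 ;; esac
}

# Poll until the server is UP; a fresh instance takes a minute or two.
wait_for_sonar() {   # $1 = base URL, $2 = attempts (5 s apart, default 60)
    tries="${2:-60}"
    while [ "$tries" -gt 0 ]; do
        if sonar_is_up "$(curl -fsS "$1/api/system/status" 2>/dev/null || true)"; then
            return 0
        fi
        sleep 5; tries=$((tries - 1))
    done
    return 1
}

container_exists() { docker container inspect "$1" > /dev/null 2>&1; }

provision() {
    pgpass="$(db_password)"
    persist_sysctl
    docker network inspect "$SONAR_NET" > /dev/null 2>&1 || docker network create "$SONAR_NET"
    for v in sonarqube_data sonarqube_extensions sonarqube_logs; do
        docker volume create "$v" > /dev/null   # no-op if the volume already exists
    done
    mkdir -p "$PG_DATA_DIR"
    # No "-p 5432:5432": SonarQube reaches Postgres over sonarnet, and a port
    # Docker publishes is reachable from the internet regardless of ufw rules.
    container_exists sonar-postgres || docker run -d --name sonar-postgres --restart unless-stopped \
        -e POSTGRES_USER=sonarqube -e POSTGRES_PASSWORD="$pgpass" \
        -e PGDATA=/var/lib/postgresql/data/pgdata \
        -v "$PG_DATA_DIR":/var/lib/postgresql/data \
        --net "$SONAR_NET" postgres:13
    # 127.0.0.1 bind: only the reverse proxy on this host can reach :9000.
    container_exists sonarqube || docker run -d --name sonarqube --restart unless-stopped \
        -p 127.0.0.1:9000:9000 \
        -e SONAR_JDBC_URL=jdbc:postgresql://sonar-postgres:5432/sonarqube \
        -e SONAR_JDBC_USERNAME=sonarqube -e SONAR_JDBC_PASSWORD="$pgpass" \
        -v sonarqube_data:/opt/sonarqube/data \
        -v sonarqube_extensions:/opt/sonarqube/extensions \
        -v sonarqube_logs:/opt/sonarqube/logs \
        --net "$SONAR_NET" sonarqube:lts-community
    if wait_for_sonar "http://127.0.0.1:9000"; then
        echo "SonarQube is UP. Log in as admin/admin and change that password before anything else."
    else
        docker logs --tail 50 sonarqube >&2
        return 1
    fi
}

# Only act when invoked as "provision"; sourcing the file just defines the functions.
if [ "${1:-}" = "provision" ]; then provision; fi
```

Re-running the script is safe: the network and volumes are created only if missing, existing containers are left alone, and the password file is reused so Postgres keeps accepting the credential SonarQube was started with.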

6. Add your project(s) to Sonar

By default SonarQube only lets you create projects manually. To import repositories from GitHub you need to register a GitHub App and connect it to SonarQube; follow the steps in this document.

● Create an app on GitHub following Step 1 from the above link.

● Install the created app using Step 2

● Link the App on SonarQube using Step 3

(Screenshot: GitHub App configuration in SonarQube)

Now when you try to add a project, the option to add via GitHub should be enabled with the available repositories.

7. Configure automatic analysis with GitHub actions

SonarQube needs to be set up to run analysis automatically on code pushes through GitHub Actions. This takes three steps: adding secrets, adding a properties file and adding a workflow.

▹ Create GitHub Secrets

We need to add two secrets to the repository (Settings > Secrets and variables > Actions): SONAR_TOKEN, a token generated in SonarQube under My Account > Security (or a project analysis token from the project's settings, which can do nothing but submit analyses for that one project), and SONAR_HOST_URL, the address of your instance, here http://<droplet_ip_address>:9000. Treat the token like a password: anyone holding it can push analysis results as you.

(Screenshot: SONAR_TOKEN and SONAR_HOST_URL added as repository secrets)

▹ Add sonar-project.properties to your project

Create a sonar-project.properties file at the root of your repository with the following content. The key must match the project key SonarQube assigned when it imported the repository, which by default is the GitHub owner and repository name joined by an underscore:

sonar.projectKey=<username>_<reponame>

▹ Set up a workflow YAML file

Create or update the .github/workflows/build.yml file with the following content. fetch-depth: 0 gives the scanner the full history so SonarQube can tell new code from old, permissions limits the job's GITHUB_TOKEN to reading the repository, and the scanner image should be pinned to a version tag or digest rather than latest once things work, so every scan runs the same code:

name: Sonar Analysis
on:
  push:
    branches:
      - master # or the name of your main branch

permissions:
  contents: read # the job only needs to read the repository

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history, so SonarQube can attribute new code correctly
      - uses: docker://sonarsource/sonar-scanner-cli:latest # pin a version tag or digest in production
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

And, that’s it. We are good to go !!

Commit and push to the configured branch. The workflow triggers the analysis automatically and the detailed report appears on the SonarQube dashboard. Note that the job goes green as soon as the scanner has uploaded its report: it does not wait for the server to process it, and it does not fail when the quality gate fails.
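The two API calls around the workflow above, as an added example that is not the post's code: minting a project-scoped analysis token for the SONAR_TOKEN secret instead of a user token, and, after the scanner step, failing the job unless the quality gate for that specific analysis passed. The second part handles the race the post's setup has: the scanner only uploads a report and the server processes it in the background, so the gate must be read for the Compute Engine task named in .scannerwork/report-task.txt, not for "the project" at whatever moment the job happens to ask. Assumed: SonarQube 9.9 LTS (typed tokens exist from 9.6), curl on the runner, SONAR_HOST_URL and SONAR_TOKEN in the environment, ADMIN_USER/ADMIN_PASSWORD only for the one-off token creation, and the project key acme_repo in the usage comments, which is made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Covers two things the
# workflow leaves implicit: minting a least-privilege analysis token for the
# SONAR_TOKEN secret, and failing the CI job when the quality gate fails.
# Assumptions: SonarQube 9.9 LTS (token types exist from 9.6), curl available,
# SONAR_HOST_URL (and SONAR_TOKEN for the gate) set; ADMIN_USER/ADMIN_PASSWORD
# only for token creation; the project key "acme_repo" below is made up.
set -eu

# Value of the FIRST "key":"value" pair in a compact JSON body. Enough for the
# fixed-shape SonarQube responses used here; it is not a general JSON parser.
json_string() {   # $1 = json, $2 = key
    needle="\"$2\":\""
    case "$1" in
        *"$needle"*) rest=${1#*"$needle"}; value=${rest%%\"*}; printf '%s\n' "$value" ;;
        *) return 1 ;;
    esac
}

# key=value lookup in the contents of the scanner's .scannerwork/report-task.txt.
report_task_value() {   # $1 = file contents, $2 = key
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# 0 when a /api/qualitygates/project_status body says the gate is OK;
# 1 for ERROR, NONE, or an error response that carries no status at all.
gate_passed() {   # $1 = json body
    status="$(json_string "$1" status)" || return 1
    [ "$status" = "OK" ]
}

# A PROJECT_ANALYSIS_TOKEN can only submit analyses for one project, so a leaked
# GitHub secret cannot read other projects or touch server settings.
create_analysis_token() {   # $1 = project key, $2 = token name
    body="$(curl -fsS -u "$ADMIN_USER:$ADMIN_PASSWORD" -X POST \
        "$SONAR_HOST_URL/api/user_tokens/generate" \
        --data-urlencode "name=$2" \
        --data-urlencode "type=PROJECT_ANALYSIS_TOKEN" \
        --data-urlencode "projectKey=$1")"
    json_string "$body" token
}

# The scanner only uploads a report; the server processes it asynchronously.
# Poll the Compute Engine task until it finishes and print its analysisId.
wait_for_ce_task() {   # $1 = ceTaskId from report-task.txt
    tries=60
    while [ "$tries" -gt 0 ]; do
        body="$(curl -fsS -u "$SONAR_TOKEN:" "$SONAR_HOST_URL/api/ce/task?id=$1")"
        case "$(json_string "$body" status)" in
            SUCCESS) json_string "$body" analysisId; return 0 ;;
            FAILED|CANCELED) echo "analysis task $1 did not succeed: $body" >&2; return 1 ;;
        esac
        sleep 5; tries=$((tries - 1))
    done
    echo "timed out waiting for analysis task $1" >&2
    return 1
}

# Run as the step after the scanner: exit non-zero unless the gate for THIS
# analysis passed, so the GitHub job goes red on a failed gate.
check_quality_gate() {   # $1 = path to report-task.txt (default: the scanner's)
    report="$(cat "${1:-.scannerwork/report-task.txt}")"
    task_id="$(report_task_value "$report" ceTaskId)"
    analysis_id="$(wait_for_ce_task "$task_id")"
    body="$(curl -fsS -u "$SONAR_TOKEN:" \
        "$SONAR_HOST_URL/api/qualitygates/project_status?analysisId=$analysis_id")"
    if gate_passed "$body"; then
        echo "quality gate passed: $(report_task_value "$report" dashboardUrl)"
    else
        echo "quality gate FAILED: $(report_task_value "$report" dashboardUrl)" >&2
        return 1
    fi
}

case "${1:-}" in
    token) create_analysis_token "$2" "$3" ;;   # e.g. ./sonar-ci.sh token acme_repo github-actions
    gate)  check_quality_gate "${2:-}" ;;       # e.g. ./sonar-ci.sh gate   (after the scanner step)
esac
```

The token subcommand is run once, by an administrator, and its output pasted into the SONAR_TOKEN secret; the gate subcommand is a `run:` step added after the scanner in the workflow, with SONAR_HOST_URL and SONAR_TOKEN passed through env. Polling /api/ce/task first is what makes the check honest: asking /api/qualitygates/project_status by projectKey straight after the scanner returns would report the previous analysis while the new one is still queued.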
