Back to Garden
Ecosystem|January 10, 2023

Accelerating Code Analysis with SonarCloud and GitHub Actions

#Java#GitHubActions#DevOps

In the world of software development, ensuring that the code we produce is high-quality, maintainable, and secure is critical. As the size…

In the world of software development, ensuring that the code we produce is high-quality, maintainable, and secure is critical. As the size and complexity of our codebase grow, it becomes increasingly difficult to manually keep track of all the different aspects that need to be considered. This is where automated code analysis tools come into play, allowing us to quickly identify potential issues in our code and address them before they cause any problems.

One of the most popular platforms for automating code analysis is GitHub Actions. In this article, we’ll explore a simple example of how to set up automated code analysis for a Java-based backend project using SonarCloud and GitHub Actions.

Step 1: Checkout the code

The first step in any automated process is to check out the code that needs to be analyzed. For this, we’ll use the actions/checkout@v2 GitHub Action. This action allows us to easily retrieve the code from our GitHub repository, including any relevant branches or pull requests.

steps:  
  - uses: actions/checkout@v2  
    with:

fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

Step 2: Set up the Java Development Kit (JDK)

In order to run our code analysis, we need to make sure that we have the appropriate JDK installed. For this example, we’ll be using JDK 17, which can be easily set up using the actions/setup-java@v2 GitHub Action.

  - name: Set up JDK 17  
    uses: actions/setup-java@v2  
    with:  
      distribution: 'temurin'

java-version: '17'

Step 3: Cache SonarCloud packages

In order to improve the performance of our code analysis, we can cache certain packages and dependencies so that they don’t need to be downloaded each time we run our analysis. This is particularly useful for large packages like SonarCloud, which can take a significant amount of time to download.

  - name: Cache SonarCloud packages  
    uses: actions/cache@v1  
    with:  
      path: ~/.sonar/cache  
      key: ${{ runner.os }}-sonar  
      restore-keys: ${{ runner.os }}-sonar

Step 4: Cache Maven packages

Similarly, we can cache Maven packages and dependencies to improve the performance of our analysis. Maven is a popular build automation tool used by many Java-based projects, and caching its packages can significantly reduce the time it takes to run our analysis.

  - name: Cache Maven packages  
    uses: actions/cache@v1  
    with:  
      path: ~/.m2  
      key: ${{ runner.os }}-m2-${{ hashFiles('\*\*/pom.xml') }}  
      restore-keys: ${{ runner.os }}-m2

Step 5: Build and analyze

Finally, it’s time to run our code analysis. For this example, we’ll be using Maven and the SonarCloud plugin for Maven to build and analyze our code. This will allow us to easily see any potential issues in our code, as well as get valuable insights into the quality and maintainability of our codebase.

  - name: Build and analyze  
    working-directory: ./backend  
    env:  
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  \# Needed to get PR information, if any  
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}  
    run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=<project-key>

In this step, we’re setting the working directory to ./backend, as our backend code is stored in this directory. We’re also setting two environment variables, GITHUB_TOKEN and SONAR_TOKEN, which are needed to retrieve information about the pull request and access SonarCloud, respectively. Finally, we’re running the Maven command to build and analyze our code using the SonarCloud plugin.

The Full Code

Here’s the full code for this example, including all the steps we’ve gone through:

jobs:  
  sonar-backend:  
    name: sonar-backend  
    runs-on: ubuntu-latest  
    steps:  
      - uses: actions/checkout@v2  
        with:  
          fetch-depth: 0  \# Shallow clones should be disabled for a better relevancy of analysis  
      - name: Set up JDK 17  
        uses: actions/setup-java@v2  
        with:  
          distribution: 'temurin'  
          java-version: '17'  
      - name: Cache SonarCloud packages  
        uses: actions/cache@v1  
        with:  
          path: ~/.sonar/cache  
          key: ${{ runner.os }}-sonar  
          restore-keys: ${{ runner.os }}-sonar  
      - name: Cache Maven packages  
        uses: actions/cache@v1  
        with:  
          path: ~/.m2  
          key: ${{ runner.os }}-m2-${{ hashFiles('\*\*/pom.xml') }}  
          restore-keys: ${{ runner.os }}-m2  
      - name: Build and analyze  
        working-directory: ./backend  
        env:  
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  \# Needed to get PR information, if any  
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}  
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=<project-key>

Conclusion

Automated code analysis is a powerful tool that can help us ensure that our code is of high quality, maintainable, and secure. With GitHub Actions, setting up automated code analysis is simple and straightforward, allowing us to quickly identify potential issues and address them before they cause any problems. By following the steps outlined in this article, you’ll be able to easily set up automated code analysis for your own Java-based backend projects using SonarCloud and GitHub Actions.