Description
Integrate SonarCloud for continuous code quality and security analysis with detailed reports and quality gates.
Benefits
- Automated code review: Detects bugs, code smells, vulnerabilities
- Security analysis: Finds security hotspots and vulnerabilities
- Code coverage tracking: Monitors coverage trends over time
- Quality gates: Block merges that don't meet quality standards
- Free for open source: No cost for public repositories
- Rich metrics: Maintainability, reliability, security ratings
Setup Steps
1. Enable SonarCloud
- Go to https://sonarcloud.io/
- Sign in with GitHub
- Click "Analyze new project"
- Select FlossWare/jcommons
- Choose "With GitHub Actions"
2. Add Secrets
Add to GitHub repository secrets:
SONAR_TOKEN - generate it in SonarCloud (My Account > Security) and store it as a repository secret; it is never committed to the repo
3. Update GitHub Actions Workflow
Add to .github/workflows/main.yml:
- name: SonarCloud Scan
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: |
    mvn sonar:sonar \
      -Dsonar.projectKey=FlossWare_jcommons \
      -Dsonar.organization=flossware \
      -Dsonar.host.url=https://sonarcloud.io \
      -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
4. Add Maven Plugin
Add to pom.xml:
<properties>
  <sonar.projectKey>FlossWare_jcommons</sonar.projectKey>
  <sonar.organization>flossware</sonar.organization>
  <sonar.host.url>https://sonarcloud.io</sonar.host.url>
  <sonar.coverage.exclusions>
    **/SoapUtil.java,
    **/SoapUtil$*.java
  </sonar.coverage.exclusions>
</properties>

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>4.0.0.4121</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
Quality Gate Configuration
Recommended settings in SonarCloud:
- New Code Coverage: >= 80% (you're at 100%!)
- Duplicated Lines: <= 3%
- Maintainability Rating: A
- Reliability Rating: A
- Security Rating: A
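The "block merges" part of the quality gate only works if the pipeline actually checks the gate result after the scan. The script below is an added example for this issue (not jcommons code and not SonarCloud's own tooling): it reads the response of SonarCloud's GET /api/qualitygates/project_status endpoint, lists every failed condition, and exits non-zero so a workflow step fails. The embedded JSON is a constructed sample response for a project that misses the 80% new-code coverage threshold recommended above; the helper names (evaluate, gate_passed, failed_conditions, fetch_project_status) are this example's own. A "NONE" status (no gate configured) is treated as a failure so that an unconfigured gate cannot pass silently.

```python
"""Evaluate a SonarCloud quality gate result and decide whether a merge may proceed.

Added example for this issue; not part of jcommons or of SonarCloud's tooling.
Assumes the JSON shape of GET /api/qualitygates/project_status?projectKey=...
"""
import base64
import json
import sys
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

SONAR_HOST = "https://sonarcloud.io"

# Constructed sample response: new-code coverage is below the 80% threshold,
# duplication and the security rating are within limits.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "72.5"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "0.0"},
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
    }
})

# SonarCloud comparators: the condition fails when actualValue <op> errorThreshold.
COMPARATOR = {"GT": ">", "LT": "<", "EQ": "=", "NE": "!="}


def fetch_project_status(project_key: str, token: str, host: str = SONAR_HOST) -> Dict:
    """Query the gate status for a project. The token is sent as the basic-auth
    user name with an empty password, as SonarCloud's web API expects."""
    url = f"{host}/api/qualitygates/project_status?projectKey={project_key}"
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {auth}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate_passed(status: Dict) -> bool:
    """Only an explicit OK passes; ERROR, WARN and NONE (no gate) all fail."""
    return status.get("projectStatus", {}).get("status") == "OK"


def failed_conditions(status: Dict) -> List[str]:
    """Human-readable list of every condition that is not OK."""
    failures = []
    for cond in status.get("projectStatus", {}).get("conditions", []):
        if cond.get("status") == "OK":
            continue
        op = COMPARATOR.get(cond.get("comparator"), str(cond.get("comparator")))
        failures.append(
            f"{cond.get('metricKey')}: actual {cond.get('actualValue', '?')} "
            f"(fails when {op} {cond.get('errorThreshold', '?')})"
        )
    return failures


def evaluate(raw_json: str) -> Tuple[bool, List[str]]:
    """Parse a project_status response and return (passed, failure messages)."""
    status = json.loads(raw_json)
    return gate_passed(status), failed_conditions(status)


def main(argv: List[str]) -> int:
    # usage: check_gate.py <projectKey> <token>; with no arguments the sample is used
    if len(argv) >= 3:
        raw = json.dumps(fetch_project_status(argv[1], argv[2]))
    else:
        raw = SAMPLE_RESPONSE
    passed, failures = evaluate(raw)
    for line in failures:
        print("FAILED CONDITION:", line)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow this would run as a step after the scan (`python check_gate.py FlossWare_jcommons "$SONAR_TOKEN"`), with the token coming from the repository secret rather than a command-line literal in the YAML; SonarCloud's own GitHub Action offers an equivalent gate check, so the script mainly shows what such a check has to look at.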
Badge for README
Add to README.md:
[SonarCloud](https://sonarcloud.io/summary/new_code?id=FlossWare_jcommons)
What SonarCloud Will Detect
Examples of issues it finds:
- Bugs: NPE risks, incorrect logic, resource leaks
- Vulnerabilities: SQL injection, XXE, insecure crypto
- Code Smells: Complex methods, duplicated code, naming issues
- Security Hotspots: Areas requiring security review
- Coverage: Lines/branches not covered by tests
Expected Results for jcommons
Given current quality:
- Maintainability: Likely A rating (very clean code)
- Reliability: Likely A rating (100% test coverage)
- Security: Likely A or B (deprecated serialization methods)
- Coverage: 100% (already achieved)
Cost
- Free for open source projects
- Unlimited analysis runs
Files to Modify
.github/workflows/main.yml (add SonarCloud step)
pom.xml (add SonarCloud plugin)
README.md (add badges)
Priority
Low-Medium - Nice to have for quality visibility
Alternative: CodeQL
If you prefer GitHub-native scanning:
- Enable CodeQL in Security tab
- GitHub-native, no external service
- Good for security scanning
- Less detailed than SonarCloud for code quality