Perform static analysis
2024-05-28 | đ 741 words | â± 8 mins | đ§Ÿ History | â Ross Buggins | đ Ross Buggins
Perform static analysis
Known Issues / Todo
- â This page is draft and is subject to rapid change, and may not be fully accurate or complete
Guide: Perform static analysis
Overview
Static code analysis is an essential part of modern software development. It provides automatic checks on your codebase to identify potential bugs, code smells, security vulnerabilities, and maintainability issues.
SonarCloud, an online service for continuous code quality inspection and static analysis, can be easily integrated with a GitHub repository. This repository template includes all the necessary setup for minimal configuration on your part, facilitating smooth integration with this SaaS offering.
Key files
- perform-static-analysis.sh: A shell script that performs analysis
- sonar-scanner.properties: A configuration file that includes the project details
- perform-static-analysis/action.yaml: GitHub action to run the script as part of the CI/CD pipeline
- .gitignore: Excludes the
.scannerwork
temporary directory created during the process
Setup
Contact the GitHub Admins via their mailbox to have your SonarCloud access set up.
Testing
You can run and test static analysis locally on a developerâs workstation using the following command
export SONAR_ORGANISATION_KEY=nhs-england-tools # Replace with your organisation key
export SONAR_PROJECT_KEY=repository-template # Replace with your project key
export SONAR_TOKEN=[replace-with-your-sonar-token]
./scripts/reports/perform-static-analysis.sh
Configuration checklist
[!WARNING]
This section is to be used by the GitHub Admins.
The list demonstrates the manual way of configuring a project, however our aim is to automate all the activities below.
- Create a Sonar project within the organisation space:
- Navigate to
+ > Analyze new project > create a project manually
- Choose the appropriate organisation
- Set âDisplay nameâ
- Set âProject keyâ (it should be populated automatically)
- Set project visibility to âPublicâ
- After clicking the âNextâ button, set âThe new code for this project will be based onâ to âPrevious versionâ
- Click âCreate projectâ
- Navigate to
- Add two new groups under
Administration > Groups
:[Programme Name]
, all members of the project[Programme Name] Admins
, who will the projectâs quality gates and quality profiles
- Assign members to the above groups accordingly
- Set group permissions under
Administration > Permissions
:- For the
[Programme Name] Admins
group, assign:- âQuality Gatesâ
- âQuality Profilesâ
- For the
- Manage project permissions, navigate to
Administration > Projects Management
and select the project you created- Click on
Edit Permissions
- Search for
[Programme Name] Admins
group and assign the following:- âAdminister Issuesâ
- âAdminister Security Hotspotsâ
- âAdministerâ
- Ensure that other groups do not have unnecessary permissions to administer this project
- Click on
- Navigate to project
Administration > Analysis Method > Manually
and selectOther (for JS, TS, Go, Python, PHP, ...)
- In the sonar-scanner.properties file in your repository, set the following properties according to the information provided above
- Set
sonar.[language].[coverage-tool].reportPaths
to ensure the unit test coverage is reported back to Sonar - Do not set the
sonar.organization
andsonar.projectKey
properties in this file; do the next step instead
- Set
- Use the Sonar token owned by the âSonarCloud Token GitHub Adminsâ service user. There is an existing token named âScan allâ
[!NOTE]
For an advance configuration create a bot account for your service. For more details, please see this note. This account should be given access to your project and must own theSONAR_TOKEN
for security reasons.
- Follow the documentation on creating encrypted secrets to add the
SONAR_TOKEN
secret to your repository. The GitHub action is already configured to fetch that secret and pass it as a variable. In addition to that:- Add
SONAR_ORGANISATION_KEY
variable (not a secret) - Add
SONAR_PROJECT_KEY
variable (not a secret)
- Add
- Navigate to project
Administration > Analysis Method
and turn off theAutomatic Analysis
option - Please refrain from adding your repository to the GitHub SonarCloud App, as this app should not be used. Doing so will duplicate reports and initiate them outside the primary pipeline workflow
- Confirm that the âPerform static analysisâ GitHub action is part of your GitHub CI/CD workflow and enforces the âSonar Wayâ quality gates. You can find more information about this in the NHSE Software Engineering Quality Framework