
Integrate gitStream with SonarCloud

Included with gitStream Core Functionality

This integration is part of gitStream core functionality, and requires no additional configuration.

SonarCloud Examples:


Approve Sonar Clean Code

Approve PRs that pass SonarCloud's quality gate.


Configuration Description

Conditions (all must be true):

  • SonarCloud reports an 'A' rating for vulnerabilities, bugs, security hotspots, and code smells.
  • There is no duplicated code.

Automation Actions:

  • Apply a Sonar: Clean Code label to the PR.
  • Approve the PR.
  • Post a comment that explains why the PR was approved.

Approve Sonar Clean Code

# -*- mode: yaml -*-

manifest:
  version: 1.0
automations:
  approve_sonar_clean_code:
    if:
      - {{ sonar.bugs.rating == 'A' }}
      - {{ sonar.code_smells.rating == 'A' }}
      - {{ sonar.vulnerabilities.rating == 'A' }}
      - {{ sonar.security_hotspots.rating == 'A' }}
      - {{ sonar.duplications == null or sonar.duplications == 0 }}
    run: 
      - action: add-label@v1
        args:
          label: '✅ Sonar: Clean Code'
          color: {{ colors.green }}
      - action: approve@v1
      - action: add-comment@v1
        args:
          comment: |
            This PR passes the SonarCloud quality gate check and has been automatically approved.

sonar: {{ pr | extractSonarFindings }}

colors:
  green: '0e8a16'

Label SonarCloud Quality Reports

Label the number of bugs, vulnerabilities, security hotspots, and code smells reported by SonarCloud.


Configuration Description

Conditions (all must be true):

  • There is at least one vulnerability, code smell, security hotspot, or bug reported by SonarCloud. The counts come from the extractSonarFindings filter function.

Automation Actions:

  • Apply color-coded labels to indicate the number of vulnerabilities, code smells, security hotspots, and bugs.

Label SonarCloud Quality Reports

# -*- mode: yaml -*-

manifest:
  version: 1.0

automations:
  {% for item in reports %}
  label_sonar_{{ item.name }}:
    if:
      - {{ item.count > 0 }}
    run:
      - action: add-label@v1
        args:
          label: '{{ item.icon }} sonar:{{ item.name }}-{{ item.rating }}'
          color: {{ colors.red if (item.rating == 'E' or item.rating == 'D') else (colors.orange if (item.rating == 'C' ) else colors.yellow) }}
  {% endfor %}

sonar: {{ pr | extractSonarFindings }}

reports:
  - name: vulnerabilities
    count: {{ sonar.vulnerabilities.count }}
    icon: 🔓
    rating: {{ sonar.vulnerabilities.rating }}
  - name: code smells
    count: {{ sonar.code_smells.count }}
    icon: ☣️
    rating: {{ sonar.code_smells.rating }}
  - name: security hotspots
    count: {{ sonar.security_hotspots.count }}
    icon: 🛡️
    rating: {{ sonar.security_hotspots.rating }}
  - name: bugs
    count: {{ sonar.bugs.count }}
    icon: 🪲
    rating: {{ sonar.bugs.rating }}

colors:
  red: 'b60205'
  orange: 'd93f0b'
  yellow: 'fbca04'


Review Sonar Duplications

Request changes when Sonar reports an excessive level of duplicated code.


Configuration Description

Conditions (all must be true):

  • The PR contains more than 3% duplicated code.

Automation Actions:

  • Apply a label that indicates how much duplicated code Sonar detected.
  • Request changes and post a comment explaining why.

Review Sonar Duplications

# -*- mode: yaml -*-

manifest:
  version: 1.0
automations:
  review_sonar_duplications:
    if:
      - {{ sonar.duplications > 3 }}
    run: 
      - action: add-label@v1
        args:
          label: 'Sonar: {{ sonar.duplications }}% duplication'
          color: {{ colors.yellow }}
      - action: request-changes@v1
        args:
          comment: |
            Sonar reports an excessive level of code duplication. Please consider refactoring your PR to reduce duplications.

sonar: {{ pr | extractSonarFindings }}

colors:
  yellow: 'fbca04'


Review Sonar Security Alerts

Require additional reviews for Sonar security alerts. gitStream will remove this requirement if the alerts are resolved.


Configuration Description

Conditions (all must be true):

  • The SonarCloud quality gate check fails to pass for code smells, vulnerabilities, or security hotspots.

Automation Actions:

  • Require a review from the my-organization/security-team team. Customize this to match your organization.
  • Post a comment explaining why this PR requires additional review.

Review Sonar Alerts

# -*- mode: yaml -*-

manifest:
  version: 1.0
automations:
  review_sonar_alerts:
    if:
      - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A' }}
    run:
      - action: require-reviewers@v1
        args:
          reviewers: [my-organization/security-team]
      - action: add-comment@v1
        args:
          comment: |
            This PR requires additional review because it fails to meet SonarCloud clean code standards.

sonar: {{ pr | extractSonarFindings }}
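As an added example (not gitStream code), the following Python dry run evaluates all four rules on this page against constructed findings, assuming a findings dict that mirrors the fields the templates read from `pr | extractSonarFindings`. It makes the interaction between the rules visible: a PR with 1 to 3% duplication is neither approved by the first rule nor sent back by the third, and a non-'A' bugs rating blocks approval without triggering the security-team review.

```python
"""Offline dry run of the four gitStream SonarCloud automations on this page (added
example, not gitStream code). `findings` is assumed to mirror what the rules read
from `pr | extractSonarFindings`: per-category count/rating plus a duplications %."""

DUPLICATION_LIMIT_PCT = 3  # review_sonar_duplications fires on sonar.duplications > 3
GREEN, RED, ORANGE, YELLOW = "0e8a16", "b60205", "d93f0b", "fbca04"  # page's colors map
# (findings key, label name, icon), in the order of the page's `reports` list
CATEGORIES = [
    ("vulnerabilities", "vulnerabilities", "🔓"),
    ("code_smells", "code smells", "☣️"),
    ("security_hotspots", "security hotspots", "🛡️"),
    ("bugs", "bugs", "🪲"),
]
ALERT_KEYS = ("code_smells", "vulnerabilities", "security_hotspots")  # bugs excluded


def rating_color(rating: str) -> str:
    """colors.red for D/E, colors.orange for C, colors.yellow for anything else."""
    if rating in ("D", "E"):
        return RED
    return ORANGE if rating == "C" else YELLOW


def evaluate(findings: dict) -> dict:
    """Return the (label, color) pairs and actions the four automations would emit."""
    ratings = {key: findings[key]["rating"] for key, _, _ in CATEGORIES}
    dup = findings.get("duplications")  # None models the template's `null`
    labels, actions = [], []
    # approve_sonar_clean_code: every rating 'A' and duplications null or exactly 0
    if all(r == "A" for r in ratings.values()) and (dup is None or dup == 0):
        labels.append(("✅ Sonar: Clean Code", GREEN))
        actions.append("approve")
    # label_sonar_<name>: one color-coded label per category with count > 0
    for key, name, icon in CATEGORIES:
        if findings[key]["count"] > 0:
            labels.append((f"{icon} sonar:{name}-{ratings[key]}", rating_color(ratings[key])))
    # review_sonar_duplications: a null figure compares false, so only > 3% fires
    if dup is not None and dup > DUPLICATION_LIMIT_PCT:
        labels.append((f"Sonar: {dup}% duplication", YELLOW))
        actions.append("request-changes")
    # review_sonar_alerts: any non-'A' rating among the three alert categories
    if any(ratings[k] != "A" for k in ALERT_KEYS):
        actions.append("require-reviewers:my-organization/security-team")
    return {"labels": labels, "actions": actions}


def sample(**overrides) -> dict:
    """Constructed findings: everything clean unless a key is overridden."""
    base = {key: {"count": 0, "rating": "A"} for key, _, _ in CATEGORIES}
    return {**base, "duplications": None, **overrides}
```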