
feat: SonarCloud + CodeQL upgrade #65

Merged
kienbui1995 merged 1 commit into main from feat/sonarcloud-codeql
Apr 14, 2026

Conversation

@kienbui1995
Owner

@kienbui1995 kienbui1995 commented Apr 14, 2026

Code Scanning Setup

SonarCloud (NEW)

  • Coverage report via cargo-tarpaulin
  • Clippy report integration
  • Quality gate enforcement
  • Runs on push + PRs

Setup required:

  1. Go to sonarcloud.io → Import kienbui1995/mc-code
  2. Copy the SONAR_TOKEN
  3. Add to repo: Settings → Secrets → SONAR_TOKEN

CodeQL (UPGRADED)

  • Added security-and-quality query suite (more thorough)
  • Category tagging for dashboard

Full scanning stack

Tool               What it checks
CodeQL             SAST — vulnerabilities, code quality
SonarCloud         Bugs, code smells, coverage, duplication
cargo-audit        Known CVEs in dependencies
cargo-deny         License compliance, supply chain
dependency-review  New dep risk on PRs
Secret scanning    Leaked credentials

274 tests, 0 fail.

Summary by CodeRabbit

Release Notes

  • Chores
    • Added SonarCloud integration for continuous code quality monitoring with automated test coverage analysis and reporting
    • Enhanced CodeQL security scanning workflow with improved configuration for Rust language analysis and quality gate validation

1. SonarCloud workflow:
   - Coverage via cargo-tarpaulin (XML report)
   - Clippy report in JSON format
   - Quality gate enforcement
   - Runs on push to main + PRs

2. sonar-project.properties:
   - Project: kienbui1995_mc-code
   - Sources: mc/crates
   - Coverage + clippy report paths

3. CodeQL upgraded:
   - Added 'security-and-quality' query suite (was default only)
   - Added category tag for better dashboard grouping
   - Added explicit permissions

NOTE: SonarCloud requires SONAR_TOKEN secret.
Setup: https://sonarcloud.io → Import repo → Copy token →
GitHub repo Settings → Secrets → New: SONAR_TOKEN

274 tests, 0 fail.
@coderabbitai

coderabbitai bot commented Apr 14, 2026

📝 Walkthrough


The changes introduce code quality and security scanning infrastructure by updating the CodeQL workflow with Rust-specific analysis configuration, adding a new SonarCloud integration workflow that performs coverage analysis and quality gate checks, and configuring the SonarQube project settings for comprehensive code scanning.

Changes

CodeQL Analysis Enhancement (.github/workflows/codeql.yml)
  Moved permissions to workflow-level, renamed job to CodeQL Analysis, configured init step with queries: security-and-quality, and added category: "/language:rust" to the analyze step for Rust-specific scanning.
SonarCloud Integration (.github/workflows/sonarcloud.yml, sonar-project.properties)
  Added new SonarCloud workflow triggered on push and pull requests to main, configured with Rust toolchain, tarpaulin coverage reporting, and Clippy static analysis integration; added project configuration specifying source directories, test scope, exclusions, and quality gate enforcement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Poem

🐰 A rabbit hops through code so bright,
With SonarCloud and CodeQL's light,
Quality gates and Clippy's keen eye,
Help our Rust projects soar up high! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The description provides context for SonarCloud setup, CodeQL upgrades, and the full scanning stack, but diverges from the template structure and omits required sections like explicit 'How' implementation details and testing checklist items. Resolution: restructure the description to follow the template: add 'What', 'Why', 'How' sections and include the checklist with test verification status for cargo fmt, cargo test, and cargo clippy.
✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'feat: SonarCloud + CodeQL upgrade' clearly and specifically summarizes the main changes: adding SonarCloud integration and upgrading CodeQL configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a sonar-project.properties configuration file to integrate SonarCloud analysis into the project. The review feedback highlights several configuration issues: the properties for Rust coverage and Clippy reports are not supported by the official SonarCloud analyzer and should be replaced with generic report paths. Furthermore, it is recommended to remove the redundant sonar.tests definition to avoid overlapping with sonar.sources, relying instead on the inclusion patterns.


# Coverage
sonar.coverage.exclusions=**/tests/**,**/test_*
sonar.rust.tarpaulin.reportPaths=cobertura.xml


high

The property sonar.rust.tarpaulin.reportPaths is not supported by the official SonarCloud Rust analyzer, as it belongs to a community plugin not available on the hosted service. To import coverage, you should use sonar.coverageReportPaths. Note that SonarCloud requires the report to be in the Generic Test Data XML format; you will likely need to convert your cobertura.xml (e.g., using a tool like cargo-sonar) before the scan.

sonar.coverageReportPaths=coverage-sonar.xml

sonar.rust.tarpaulin.reportPaths=cobertura.xml

# Clippy
sonar.rust.clippy.reportPaths=clippy-report.json


high

The property sonar.rust.clippy.reportPaths is not recognized by SonarCloud's official analyzer. To import Clippy issues, use sonar.externalIssuesReportPaths. This property expects the Generic Issue Import Format. You will need to add a step in your CI pipeline to convert Clippy's native JSON output into the format expected by SonarCloud.

sonar.externalIssuesReportPaths=clippy-sonar.json

Comment on lines +6 to +7
sonar.tests=mc/crates
sonar.test.inclusions=**/tests/**,**/*test*


medium

Setting sonar.tests to the same directory as sonar.sources creates an overlap that can lead to inconsistent analysis results in SonarCloud. When test files are located within the source tree, the recommended approach is to define the root in sonar.sources and use sonar.test.inclusions to identify the test files. SonarCloud will automatically move files matching the inclusion pattern from the source set to the test set.

sonar.test.inclusions=**/tests/**,**/*test*

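The two conversion steps the review above asks for (cobertura.xml to Sonar's Generic Test Data XML for sonar.coverageReportPaths, and clippy's JSON-lines to the Generic Issue Import format for sonar.externalIssuesReportPaths), as an added Python CI helper. This is example code, not part of the mc-code repository and not from either bot's review. It assumes the generic-format field names as I know them (issues/engineId/ruleId/severity/type/primaryLocation/textRange, and coverage/file/lineToCover), that cargo is invoked from mc/ so file paths need an mc/ prefix to line up with sonar.sources=mc/crates, and a level-to-severity mapping that is a choice rather than a Sonar rule; the sample inputs are constructed. Python is used here instead of the project's Rust because it is CI glue that runs once per job.

```python
"""Convert Rust tool reports into SonarCloud's generic import formats.
Added example (not mc-code's code): clippy JSON-lines -> Generic Issue Import
JSON; cobertura.xml -> Generic Test Data XML. Field names are as assumed."""
import json
import sys
import xml.etree.ElementTree as ET

# Assumed mapping from rustc diagnostic levels to Sonar severity/type.
LEVEL_MAP = {"error": ("CRITICAL", "BUG"), "warning": ("MAJOR", "CODE_SMELL")}

def _join(prefix, path):
    # Make tool-relative paths relative to the Sonar project root (assumption:
    # cargo runs inside mc/, while sonar.sources is mc/crates).
    return f"{prefix.rstrip('/')}/{path}" if prefix else path

def clippy_to_generic_issues(lines, path_prefix=""):
    """Non-JSON lines (stderr text leaked in by `2>&1`) and non-diagnostic
    records are skipped; duplicates are dropped because --all-targets can
    report one lint once per target (lib, lib test, bin, ...)."""
    issues, seen = [], set()
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("reason") != "compiler-message":
            continue
        msg = rec.get("message", {})
        code = (msg.get("code") or {}).get("code")
        if not code or msg.get("level") not in LEVEL_MAP:
            continue  # notes/help lines and uncoded messages are not issues
        span = next((s for s in msg.get("spans", []) if s.get("is_primary")), None)
        key = span and (code, span["file_name"], span["line_start"], msg.get("message"))
        if not key or key in seen:
            continue
        seen.add(key)
        severity, kind = LEVEL_MAP[msg["level"]]
        issues.append({
            "engineId": "clippy", "ruleId": code, "severity": severity, "type": kind,
            "primaryLocation": {
                "message": msg.get("message", code),
                "filePath": _join(path_prefix, span["file_name"]),
                "textRange": {
                    "startLine": span["line_start"], "endLine": span["line_end"],
                    # rustc columns are 1-based; Sonar wants 0-based, end exclusive
                    "startColumn": span["column_start"] - 1,
                    "endColumn": span["column_end"] - 1,
                },
            },
        })
    return {"issues": issues}

def cobertura_to_generic_coverage(xml_text, path_prefix=""):
    """Generic Test Data XML from a cobertura report's per-line hit counts."""
    out = ET.Element("coverage", version="1")
    for cls in ET.fromstring(xml_text).iter("class"):
        file_el = ET.SubElement(out, "file", path=_join(path_prefix, cls.get("filename")))
        for line in cls.iter("line"):
            ET.SubElement(file_el, "lineToCover", lineNumber=line.get("number"),
                          covered="true" if int(line.get("hits", "0")) > 0 else "false")
    return ET.tostring(out, encoding="unicode")

# Constructed sample inputs (not real tool output from the repository).
WARN = ('{"reason":"compiler-message","message":{"code":{"code":"clippy::needless_return"},'
        '"level":"warning","message":"unneeded `return` statement","spans":[{"file_name":'
        '"crates/core/src/lib.rs","is_primary":true,"line_start":12,"line_end":12,'
        '"column_start":5,"column_end":18}]}}')
SAMPLE_CLIPPY = [
    '{"reason":"compiler-artifact","target":{"name":"mc-core"}}',
    "    Checking mc-core v0.1.0 (progress text leaked from stderr via 2>&1)",
    WARN, WARN,  # the same lint reported for the lib and its test target
    '{"reason":"compiler-message","message":{"code":null,"level":"note",'
    '"message":"`#[warn(clippy::needless_return)]` on by default","spans":[]}}',
    '{"reason":"compiler-message","message":{"code":{"code":"E0425"},"level":"error",'
    '"message":"cannot find value `x`","spans":[{"file_name":"crates/core/src/main.rs",'
    '"is_primary":true,"line_start":3,"line_end":3,"column_start":9,"column_end":10}]}}',
    '{"reason":"build-finished","success":false}',
]
SAMPLE_COBERTURA = """<coverage line-rate="0.5"><packages><package name="mc-core">
<classes><class name="lib" filename="crates/core/src/lib.rs"><lines>
<line number="1" hits="3"/><line number="2" hits="0"/></lines></class>
</classes></package></packages></coverage>"""

if __name__ == "__main__":
    # Usage: sonar_convert.py clippy-report.json clippy-sonar.json [path-prefix]
    prefix = sys.argv[3] if len(sys.argv) > 3 else ""
    with open(sys.argv[1], encoding="utf-8") as fh:
        doc = clippy_to_generic_issues(fh, prefix)
    with open(sys.argv[2], "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
```

Run it as a workflow step between the clippy/tarpaulin steps and the scan step, writing clippy-sonar.json and the coverage XML next to sonar-project.properties, and then point sonar.externalIssuesReportPaths and sonar.coverageReportPaths at those files. The converter deliberately tolerates a polluted clippy report because the workflow in this PR merges stderr into it; if the redirect is fixed to stdout only, the skip branches simply never fire.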

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sonarcloud.yml:
- Around line 27-36: The workflow is suppressing failures for the "Run tests
with coverage" and "Run clippy for SonarCloud" steps; remove the tolerance so
SonarCloud gates fail when reports are missing or invalid by deleting the
continue-on-error: true from the "Run tests with coverage" step and removing the
"|| true" suffix from the "cargo clippy ... > ../clippy-report.json 2>&1 ||
true" command in the "Run clippy for SonarCloud" step; ensure the commands run
with fail-fast behavior (e.g., rely on shell default exit codes or add set -e at
top of run blocks) so tarpaulin and cargo clippy errors surface and cause the
job to fail when reports are invalid or missing.
- Line 38: Replace the vulnerable GitHub Action reference
SonarSource/sonarqube-scan-action@v5 with the patched release
SonarSource/sonarqube-scan-action@v6.0.0; locate the usage of
SonarSource/sonarqube-scan-action in the workflow (the line currently using `@v5`)
and update the version tag to `@v6.0.0` so the workflow uses the fixed action.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b8a2b41-4f76-4a4c-9f9d-d90c4627d954

📥 Commits

Reviewing files that changed from the base of the PR and between 8958210 and 48f0622.

📒 Files selected for processing (3)
  • .github/workflows/codeql.yml
  • .github/workflows/sonarcloud.yml
  • sonar-project.properties

Comment on lines +27 to +36
- name: Run tests with coverage
run: |
cargo install cargo-tarpaulin --locked
cargo tarpaulin --workspace --skip-clean --out xml --output-dir ../
continue-on-error: true

- name: Run clippy for SonarCloud
run: |
cargo clippy --workspace --all-targets --message-format=json > ../clippy-report.json 2>&1 || true
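Review bot: the `2>&1` on the clippy line at the end of this hunk writes cargo's own stderr output (the `Checking ...` progress lines and any human-formatted errors) into ../clippy-report.json alongside the `--message-format=json` records, so the file is not clean JSON-lines even on a successful run and a strict importer will reject it; redirect only stdout (`> ../clippy-report.json`) and let stderr go to the job log. Separately, `cargo install cargo-tarpaulin --locked` in the first step installs whatever crates.io publishes as the latest release at the time of each run, so the coverage number feeding the quality gate can change with no commit to this repository; pin it with `--version` and cache the built binary.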



⚠️ Potential issue | 🟠 Major

Stop suppressing coverage/clippy failures in a gate-enforced workflow.

Line 31 (continue-on-error: true) and Line 35 (|| true) can produce “successful” scans with missing or invalid reports, weakening the intended quality gate.

✅ Suggested fail-fast pattern
       - name: Run tests with coverage
         run: |
+          set -euo pipefail
           cargo install cargo-tarpaulin --locked
           cargo tarpaulin --workspace --skip-clean --out xml --output-dir ../
-        continue-on-error: true
+          test -s ../cobertura.xml

       - name: Run clippy for SonarCloud
         run: |
-          cargo clippy --workspace --all-targets --message-format=json > ../clippy-report.json 2>&1 || true
+          set -euo pipefail
+          cargo clippy --workspace --all-targets --message-format=json > ../clippy-report.json 2>&1
+          test -s ../clippy-report.json

cargo clippy --workspace --all-targets --message-format=json > ../clippy-report.json 2>&1 || true

- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@v5
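Review bot: `uses: SonarSource/sonarqube-scan-action@v5` references a mutable tag; whichever release you upgrade to, pin the action to the full commit SHA of that release (keeping the version in a trailing comment for readability). This is the step that runs with the repository's SONAR_TOKEN, so a repointed or force-pushed tag would execute unreviewed code with that secret.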


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the first patched version for GHSA-5xq9-5g24-4g6f in SonarSource/sonarqube-scan-action, and what exact tag/SHA should GitHub Actions pin to?

💡 Result:

The first patched version for GHSA-5xq9-5g24-4g6f in SonarSource/sonarqube-scan-action is v6.0.0. GitHub Actions should pin to the tag v6.0.0 (uses: SonarSource/sonarqube-scan-action@v6.0.0). For extra security, pin to the commit SHA of the release tag, though the full SHA is not directly listed in search results; the tag is stable and recommended in official docs.



Upgrade vulnerable Sonar scan action to v6.0.0 immediately.

Line 38 uses SonarSource/sonarqube-scan-action@v5, which is affected by GHSA-5xq9-5g24-4g6f (high severity). Upgrade to v6.0.0, the first patched release.

Suggested change
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarqube-scan-action@v6.0.0

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@sonarqubecloud

@kienbui1995 kienbui1995 merged commit ea3a55c into main Apr 14, 2026
15 of 18 checks passed
@kienbui1995 kienbui1995 deleted the feat/sonarcloud-codeql branch April 14, 2026 07:35
2 participants