Skip to content

sbaudoin/sonar-shellcheck

master
Switch branches/tags
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Nov 22, 2018
Nov 22, 2018
Nov 22, 2018
Nov 15, 2021

ShellCheck SonarQube Plugin

Apache License, Version 2.0, January 2004 Maven Central Build Status Sonarcloud Status Sonarcloud Status

SonarQube plugin to analyze Shell scripts with ShellCheck.

Requirements

  • SonarQube 7.1+, 8.0+, 9.0+ (tested on 9.1)

  • On the machine that will audit the code:

Tested on Linux.

Installation

  1. Download the ShellCheck plugin
  2. Copy the plugin JAR file into the extensions/plugins directory of SonarQube and restart SonarQube
  3. Optional: create a new quality profile to enable some rules (by default, if you do not create a custom profile, all rules are enabled)
    1. Log in SonarQube
    2. Create a new quality profile for the Shell language and enable the ShellCheck rules (search with the tag "shell")
  4. Install ShellCheck and the Sonar scanner on a Linux machine. If needed, you can set the path to the shellcheck executable in the general settings of SonarQube.

Execution

  1. Prior to executing a code audit, you must create a file sonar-project.properties that will contain some details about your project (this is a requirement from the Sonar scanner):

    # must be unique in a given SonarQube instance
    sonar.projectKey=com.mycompany:my-scripts
    # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
    sonar.projectName=A Name
    sonar.projectVersion=1.0-SNAPSHOT
    
    # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
    # This property is optional if sonar.modules is set.
    sonar.sources=.
    
    # Encoding of the source code. Default is default system encoding
    #sonar.sourceEncoding=UTF-8

    You just have to do that once. Ideally, add this file along with your scripts in your preferred SCM.

  2. Run the Sonar scanner from the directory where you wrote the file sonar-project.properties:

     sonar-scanner
    
  3. Go to SonarQube and check the result

Subsequent scans will just required the last step to be executed. It can easily be integrated into a continuous integration pipeline.

Known issues

Plugin not compatible with the Sonar i-Code CNES plugin

The version 1.0.0 of this plugin appeared to be incompatible with the other Sonar i-Code CNES plugin that also scans Shell script. If you already have that plugin installed you cannot install and use this ShellCheck plugin (you will have to decide which plugin to run). The issue #1 has been filed to trace this incompatibility problem.

This problem was fixed in version 2.0.0. If you want to run both the Sonar i-Code CNES plugin and the ShellCheck plugin, you must set the following environment variable before starting SonarQube so that only the i-Code CNES Shell language is installed:

export SHELLCHECK_LANGUAGE_ADD=false

You can also set the property sonar.shell.addlanguage in the file SQ_install_dir/conf/sonar.properties :

sonar.shell.addlanguage=false

If both variables are defined, the environment variable takes precedence.

For SonarQube 8.0, only the configuration property is available due to a a known bug.

About

SonarQube plugin to analyze Shell scripts with ShellCheck

Resources

License

Stars

Watchers

Forks