ShellCheck SonarQube Plugin

License: Apache License, Version 2.0, January 2004

SonarQube plugin to analyze Shell scripts with ShellCheck.

Requirements

  • SonarQube 7.1+, 8.0+, 9.0+ (tested on 9.1)

  • On the machine that will audit the code:

Tested on Linux.

Installation

  1. Download the ShellCheck plugin
  2. Copy the plugin JAR file into the extensions/plugins directory of SonarQube and restart SonarQube
  3. Optional: create a new quality profile to enable some rules (by default, if you do not create a custom profile, all rules are enabled)
    1. Log in SonarQube
    2. Create a new quality profile for the Shell language and enable the ShellCheck rules (search with the tag "shell")
  4. Install ShellCheck and the Sonar scanner on a Linux machine. If needed, you can set the path to the shellcheck executable in the general settings of SonarQube.

Execution

  1. Prior to executing a code audit, you must create a file sonar-project.properties that will contain some details about your project (this is a requirement from the Sonar scanner):

    # must be unique in a given SonarQube instance
    sonar.projectKey=com.mycompany:my-scripts
    # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
    sonar.projectName=A Name
    sonar.projectVersion=1.0-SNAPSHOT
    
    # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
    # This property is optional if sonar.modules is set.
    sonar.sources=.
    
    # Encoding of the source code. Default is default system encoding
    #sonar.sourceEncoding=UTF-8

    You just have to do that once. Ideally, add this file along with your scripts in your preferred SCM.

  2. Run the Sonar scanner from the directory where you wrote the file sonar-project.properties:

     sonar-scanner
    
  3. Go to SonarQube and check the result

Subsequent scans only require the last step to be executed. This can easily be integrated into a continuous integration pipeline.
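A pre-scan check for a CI job, as an added example that is not part of the sonar-shellcheck project: it verifies that shellcheck and sonar-scanner are on PATH and that sonar-project.properties carries the keys described above (sonar.projectKey, and sonar.sources unless sonar.modules is set) before invoking the scanner. The function names are the example's own.

```shell
#!/bin/sh
# Pre-scan check for a CI pipeline (added example, not project code).
# Validates sonar-project.properties, then runs sonar-scanner.

# Print the value of KEY from a .properties FILE; commented-out lines
# ("#sonar.sourceEncoding=UTF-8") are ignored. Usage: prop_value FILE KEY
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | head -n 1
}

# Return 0 when FILE holds the keys the Sonar scanner needs, 1 otherwise.
validate_sonar_properties() {
    file=$1
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    key=$(prop_value "$file" sonar.projectKey)
    [ -n "$key" ] || { echo "sonar.projectKey is required" >&2; return 1; }
    # sonar.sources may be omitted only when sonar.modules is set
    if [ -z "$(prop_value "$file" sonar.sources)" ] && [ -z "$(prop_value "$file" sonar.modules)" ]; then
        echo "set sonar.sources or sonar.modules" >&2
        return 1
    fi
    return 0
}

# Return 0 when both tools the scan depends on are available.
check_tools() {
    for t in shellcheck sonar-scanner; do
        command -v "$t" >/dev/null 2>&1 || { echo "$t not found in PATH" >&2; return 1; }
    done
}

# Run from the directory that holds sonar-project.properties.
run_scan() {
    check_tools && validate_sonar_properties sonar-project.properties && sonar-scanner
}
```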

Known issues

Plugin not compatible with the Sonar i-Code CNES plugin

Version 1.0.0 of this plugin appeared to be incompatible with the Sonar i-Code CNES plugin, which also scans Shell scripts. If you already have that plugin installed, you cannot install and use this ShellCheck plugin (you will have to decide which plugin to run). Issue #1 was filed to track this incompatibility problem.

This problem was fixed in version 2.0.0. If you want to run both the Sonar i-Code CNES plugin and the ShellCheck plugin, you must set the following environment variable before starting SonarQube so that only the i-Code CNES Shell language is installed:

export SHELLCHECK_LANGUAGE_ADD=false

You can also set the property sonar.shell.addlanguage in the file SQ_install_dir/conf/sonar.properties:

sonar.shell.addlanguage=false

If both variables are defined, the environment variable takes precedence.

For SonarQube 8.0, only the configuration property is available due to a known bug.