This project is no longer maintained as SonarQube consider hadolint as an external analyzer, also, hadolint can generate an output readable by sonarqube. Feel free to fork this project and adapt plugin to your needs if necessary. Code is available as-is: we do not give any support for this project anymore.
Please refer to the hadolint documentation and the sonarqube documentation about external analyzer if needed.
SonarQube plugin for the Dockerfile analysis tool Hadolint.
SonarQube is an open platform to manage code quality. This plugin adds the ability to import pre-existing results of Hadolint in checkstyle format only.
This plugin is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.
You can get Hadolint on GitHub.
As Hadolint uses ShellCheck to lint bash code in Dockerfiles, this plugin is inspired by the Shellcheck SonarQube Plugin.
SonarQube plugins can automatically identified whether they should run, thanks to the file extension.
For example, a java plugin can easily identify the files it should analyze, with the .java extension.
We can't use this behaviour for Dockerfiles to know if the plugin should run, because they have no standardized extension.
There is no way SonarQube can automatically recognize a Dockerfile without declaring an extension inside the plugin.
However, the solution we found is to explicitly give the Sonar Scanner some patterns to find Dockerfiles, when starting an analysis.
This way, the plugin will only run if the patterns match at least one file, and Dockerfiles can be fully analyzed.
More details regarding properties are available in the dedicated section below.
The plugin creates a Dockerfile language inside SonarQube, linked to Hadolint rules.
For identified Dockerfiles in your projects, the plugin calculates two metrics : number of comments, and number of lines of code.
It also provides a basic text highlighting when you check the code on SonarQube web interface.
- Setup a SonarQube instance.
- Install Hadolint command line tool.
- Download plugin JAR file from GitHub Releases page, or build it (see dedicated section below)
- Install
sonar-hadolint-plugin-*.jarin<SONARQUBE_HOME>/extensions/plugins/. - Run Hadolint to produce a report in checkstyle format
- For exemple :
hadolint -f checkstyle Dockerfile > hadolint-report.xml
- For exemple :
- Set the appropriate plugin properties in your sonar-project.properties.
- Run an analysis with sonar-scanner, maven, gradle, msbuild, etc.
For now, the plugin is not able to run Hadolint automatically, you have to handle this by yourself.
Go to the project page to find indications : https://github.com/hadolint/hadolint
Be sure to generate reports in checkstyle format ! It is the only one the plugin supports.
sonar.lang.patterns.dockerfile:- Comma separated list of patterns matching Dockerfiles inside your project.
- /!\ Those patterns must match Dockerfiles only ! You will have issues if they match another analyzed language.
- Default:
Dockerfile. - Example:
**/Dockerfile,subdir/Dockerfile-example
sonar.hadolint.reports.path:- Comma separated list of path to Hadolint reports in checkstyle format. You can use wildcards.
- Default:
hadolint-report.xml. - Example :
**/hadolint-report.xml
These properties can be defined in a sonar-project.properties files, or as command line arguments when you start the Sonar Scanner :
sonar-scanner -Dsonar.lang.patterns.dockerfile=Dockerfile,some-dir/Dockerfile.* -Dsonar.hadolint.reports.path=results/report.xml
| plugin version | hadolint version | supported SonarQube version |
|---|---|---|
| 1.0.0 | 1.18.x | 7.9 -> 8.4 |
| 1.1.0 | 2.6.1 | 8.9.x |
If you want to build the plugin :
- download the project code from GitHub
- open a terminal at the project's root
- simply use the following Maven command :
mvn clean package - plugin JAR file will then be available inside the target/ directory
If you experienced a problem with the plugin please open an issue. Inside this issue please explain us how to reproduce this issue and paste the log.
If you want to do a PR, please put inside of it the reason of this pull request. If this pull request fix an issue please insert the number of the issue or explain inside of the PR how to reproduce this issue.
All details are available in CONTRIBUTING.
Bugs and Feature requests: https://github.com/cnescatlab/sonar-hadolint-plugin/issues
Licensed under the GNU General Public License, Version 3.0
