feat: Add JaCoCo coverage and SonarCloud integration

.changeset/coverage-security-enhancements.md

@@ -0,0 +1,22 @@
+---
+"scopes": minor
+---
+
+Add comprehensive code coverage tracking, SonarCloud integration, and security enhancements
+
+### New Features
+- **JaCoCo Code Coverage**: Multi-module coverage aggregation with 60% minimum threshold
+- **SonarCloud Integration**: Automated quality gates and code analysis
+- **Gradle Dependency Verification**: Comprehensive SHA256 checksums for supply chain security
+
+### Security Improvements
+- Fixed all SonarCloud Code Analysis issues (hardcoded dispatchers, script injection, cognitive complexity)
+- Resolved Security Hotspots through dependency verification and GitHub Actions SHA pinning
+- Enhanced CI/CD security with proper permissions and environment variable usage
+
+### New Gradle Tasks
+- `testWithCoverage`: Run tests with coverage reports
+- `sonarqubeWithCoverage`: Complete quality analysis
+- `:coverage-report:testCodeCoverageReport`: Aggregated coverage reporting
+
+This release significantly improves code quality monitoring and security posture.

.changeset/jacoco-sonar-integration.md

@@ -0,0 +1,12 @@
+---
+"scopes": minor
+---
+
+Add JaCoCo code coverage and SonarCloud integration for continuous quality monitoring
+
+- Integrated JaCoCo plugin for code coverage measurement across all modules
+- Added coverage-report module for multi-module coverage aggregation
+- Configured SonarQube plugin for SonarCloud analysis
+- Created GitHub Actions workflow for automated quality checks
+- Added comprehensive documentation and Gradle tasks
+- Set up XML coverage reports for SonarCloud consumption

.github/workflows/release.yml

@@ -33,12 +33,16 @@ jobs:
       - name: Extract version from tag
         id: version
         shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_TAG: ${{ inputs.tag }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ inputs.tag }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            VERSION="$INPUT_TAG"
           else
-            VERSION="${{ github.ref_name }}"
+            VERSION="$REF_NAME"
           fi
           # Remove 'v' prefix for SemVer compatibility (v1.0.0 -> 1.0.0)
           CLEAN_VERSION=${VERSION#v}
@@ -114,7 +118,8 @@ jobs:
 
           # For manually triggered runs, ensure the tag exists on the remote
           # This prevents gh release create from accidentally creating a tag
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+          EVENT_NAME="${{ github.event_name }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
             echo "Checking if tag exists on remote..."
 
             # Use GitHub API to check if tag exists
@@ -817,21 +822,21 @@ jobs:
           find sbom-artifacts -name "sbom-*.xml" -type f -exec gh release upload "${{ needs.resolve-version.outputs.tag_version }}" --clobber {} \;
 
           # Upload distribution packages
-          find distribution-packages -name "scopes-*-dist.tar.gz" -type f -exec gh release upload "${{ steps.version.outputs.tag_version }}" --clobber {} \;
-          find distribution-packages -name "scopes-*-dist.zip" -type f -exec gh release upload "${{ steps.version.outputs.tag_version }}" --clobber {} \;
-          find distribution-packages -name "scopes-*-dist.*.sha256" -type f -exec gh release upload "${{ steps.version.outputs.tag_version }}" --clobber {} \;
+          find distribution-packages -name "scopes-*-dist.tar.gz" -type f -exec gh release upload "${{ needs.resolve-version.outputs.tag_version }}" --clobber {} \;
+          find distribution-packages -name "scopes-*-dist.zip" -type f -exec gh release upload "${{ needs.resolve-version.outputs.tag_version }}" --clobber {} \;
+          find distribution-packages -name "scopes-*-dist.*.sha256" -type f -exec gh release upload "${{ needs.resolve-version.outputs.tag_version }}" --clobber {} \;
 
           # Upload SLSA provenance if available
           if [ -d "provenance" ] && [ -n "$(find provenance -name "*.intoto.jsonl" -type f)" ]; then
-            find provenance -name "*.intoto.jsonl" -type f -exec gh release upload "${{ steps.version.outputs.tag_version }}" --clobber {} \;
+            find provenance -name "*.intoto.jsonl" -type f -exec gh release upload "${{ needs.resolve-version.outputs.tag_version }}" --clobber {} \;
           fi
 
       - name: Enhance release notes with custom content
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Get the auto-generated release notes
-          AUTO_NOTES=$(gh release view "${{ steps.version.outputs.tag_version }}" --json body --jq '.body')
+          AUTO_NOTES=$(gh release view "${{ needs.resolve-version.outputs.tag_version }}" --json body --jq '.body')
 
           # Create the combined release notes
           cat > combined_notes.md << 'EOF'
@@ -843,19 +848,19 @@ jobs:
 
           #### Linux/macOS
           ```bash
-          curl -sSL https://raw.githubusercontent.com/kamiazya/scopes/${{ steps.version.outputs.tag_version }}/install/install.sh | sh
+          curl -sSL https://raw.githubusercontent.com/kamiazya/scopes/${{ needs.resolve-version.outputs.tag_version }}/install/install.sh | sh
           ```
 
           #### Windows PowerShell
           ```powershell
-          iwr https://raw.githubusercontent.com/kamiazya/scopes/${{ steps.version.outputs.tag_version }}/install/install.ps1 | iex
+          iwr https://raw.githubusercontent.com/kamiazya/scopes/${{ needs.resolve-version.outputs.tag_version }}/install/install.ps1 | iex
           ```
 
           ### 📦 Offline Installation
 
           For air-gapped environments or enterprise deployments, download the unified distribution package:
 
-          1. Download `scopes-${{ steps.version.outputs.version }}-dist.tar.gz` or `.zip`
+          1. Download `scopes-${{ needs.resolve-version.outputs.version }}-dist.tar.gz` or `.zip`
           2. Extract the package
           3. Run `./install.sh` (Unix) or `.\install.ps1` (Windows)
 
@@ -888,7 +893,7 @@ jobs:
           go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest
 
           # Verify the binary (example for Linux)
-          slsa-verifier verify-artifact scopes-${{ steps.version.outputs.version }}-linux-x64 \
+          slsa-verifier verify-artifact scopes-${{ needs.resolve-version.outputs.version }}-linux-x64 \
             --provenance-path multiple.intoto.jsonl \
             --source-uri github.com/${{ github.repository }}
           ```
@@ -920,4 +925,4 @@ jobs:
           echo "$AUTO_NOTES" >> combined_notes.md
 
           # Update the release with combined content
-          gh release edit "${{ steps.version.outputs.tag_version }}" --notes-file combined_notes.md
+          gh release edit "${{ needs.resolve-version.outputs.tag_version }}" --notes-file combined_notes.md

.github/workflows/security.yml

@@ -15,6 +15,8 @@ permissions:
   contents: write # Required for dependency graph submission
   actions: read
   id-token: write # Required for OIDC authentication
+  issues: write # Required for commenting on issues
+  pull-requests: write # Required for commenting on PRs
 
 jobs:
   dependency-check:

.github/workflows/test.yml

@@ -14,6 +14,7 @@ concurrency:
 permissions:
   contents: read
   actions: read
+  pull-requests: read  # Needed for SonarCloud PR analysis
 
 jobs:
   unit-test:
@@ -28,6 +29,8 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
 
     - name: Set up GraalVM
       uses: graalvm/setup-graalvm@e140024fdc2d95d3c7e10a636887a91090d29990 # v1.4.0
@@ -36,14 +39,47 @@ jobs:
         distribution: 'graalvm'
         github-token: ${{ secrets.GITHUB_TOKEN }}
 
+    - name: Cache SonarCloud packages
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: ~/.sonar/cache
+        key: ${{ runner.os }}-sonar
+        restore-keys: ${{ runner.os }}-sonar
+
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         validate-wrappers: true
         cache-read-only: ${{ github.ref != 'refs/heads/main' }}
 
-    - name: Run tests
-      run: ./gradlew --no-daemon --scan test
+    - name: Run tests and generate coverage reports
+      run: ./gradlew --no-daemon test jacocoTestReport :quality-coverage-report:testCodeCoverageReport
+
+    - name: Run Detekt static analysis
+      run: ./gradlew --no-daemon detekt
+
+    - name: SonarCloud Analysis
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      run: |
+        if [ -n "$SONAR_TOKEN" ]; then
+          echo "Running SonarCloud analysis with coverage..."
+          ./gradlew --no-daemon sonar \
+            -Dsonar.coverage.jacoco.xmlReportPaths=quality/coverage-report/build/reports/jacoco/testCodeCoverageReport/testCodeCoverageReport.xml
+        else
+          echo "::warning::SONAR_TOKEN is not set. Skipping SonarCloud analysis."
+        fi
+
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      if: always()
+      with:
+        name: coverage-reports
+        path: |
+          **/build/reports/jacoco/
+          quality/coverage-report/build/reports/jacoco/
+        if-no-files-found: warn
 
     - name: Upload test results
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.gitignore

@@ -30,6 +30,11 @@ replay_pid*
 .gradle/
 build/
 
+# Gradle dependency verification temporary files
+gradle/verification-keyring.gpg
+gradle/verification-metadata.xml.backup
+settings-gradle.lockfile
+
 tmp/
 .claude/settings.local.json
 

build.gradle.kts

@@ -1,3 +1,7 @@
+import org.gradle.api.tasks.testing.Test
+import org.gradle.testing.jacoco.tasks.JacocoCoverageVerification
+import org.gradle.testing.jacoco.tasks.JacocoReport
+
 plugins {
     alias(libs.plugins.kotlin.jvm) apply false
     alias(libs.plugins.kotlin.serialization) apply false
@@ -8,6 +12,8 @@ plugins {
     alias(libs.plugins.spotless)
     alias(libs.plugins.cyclonedx.bom)
     alias(libs.plugins.spdx.sbom)
+    alias(libs.plugins.sonarqube)
+    jacoco
 }
 
 group = "io.github.kamiazya"
@@ -40,11 +46,63 @@ subprojects {
 
     // Configure Kotlin compilation when plugin is applied
     pluginManager.withPlugin("org.jetbrains.kotlin.jvm") {
+        // Apply JaCoCo to all modules with Kotlin code
+        apply(plugin = "jacoco")
+        // Apply SonarQube plugin to all Kotlin modules
+        apply(plugin = "org.sonarqube")
+
         tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
             compilerOptions {
                 jvmTarget.set(org.jetbrains.kotlin.gradle.dsl.JvmTarget.JVM_21)
             }
         }
+
+        // Configure JaCoCo
+        tasks.withType<JacocoReport> {
+            dependsOn(tasks.named("test"))
+            reports {
+                xml.required.set(true)
+                html.required.set(true)
+                csv.required.set(false)
+            }
+        }
+
+        // Configure test task to generate JaCoCo data
+        tasks.withType<Test> {
+            finalizedBy(tasks.withType<JacocoReport>())
+            useJUnitPlatform()
+            testLogging {
+                events("passed", "skipped", "failed")
+            }
+        }
+
+        // JaCoCo coverage verification
+        tasks.withType<JacocoCoverageVerification> {
+            violationRules {
+                rule {
+                    limit {
+                        minimum = "0.60".toBigDecimal()
+                    }
+                }
+            }
+        }
+
+        // Configure SonarQube for each module
+        sonarqube {
+            properties {
+                // Only set sources if the directory exists
+                if (file("src/main/kotlin").exists()) {
+                    property("sonar.sources", "src/main/kotlin")
+                    property("sonar.java.binaries", "build/classes/kotlin/main")
+                }
+                // Only set test sources if the directory exists
+                if (file("src/test/kotlin").exists()) {
+                    property("sonar.tests", "src/test/kotlin")
+                }
+                // Each module should report its own JaCoCo XML report path
+                property("sonar.coverage.jacoco.xmlReportPaths", "build/reports/jacoco/test/jacocoTestReport.xml")
+            }
+        }
     }
 
     // Fix circular dependency issue with Kotlin and Java compilation
@@ -81,6 +139,8 @@ subprojects {
 
 // Custom task to check if GraalVM is available
 tasks.register("checkGraalVM") {
+    description = "Check if GraalVM native-image is available in the current environment"
+    group = "verification"
     doLast {
         try {
             val isWindows = System.getProperty("os.name").lowercase().contains("windows")
@@ -147,6 +207,29 @@ tasks.register("konsistTest") {
     dependsOn(":quality-konsist:test")
 }
 
+// Task to run all tests with coverage
+tasks.register("testWithCoverage") {
+    description = "Run all tests and generate coverage reports"
+    group = "verification"
+
+    // Run all tests
+    subprojects.forEach { subproject ->
+        subproject.tasks.findByName("test")?.let {
+            dependsOn(it)
+        }
+    }
+
+    // Generate individual coverage reports
+    subprojects.forEach { subproject ->
+        subproject.tasks.findByName("jacocoTestReport")?.let {
+            dependsOn(it)
+        }
+    }
+
+    // Generate aggregated coverage report
+    finalizedBy(":quality-coverage-report:testCodeCoverageReport")
+}
+
 // Spotless configuration
 configure<com.diffplug.gradle.spotless.SpotlessExtension> {
     kotlin {
@@ -205,3 +288,30 @@ configure<com.diffplug.gradle.spotless.SpotlessExtension> {
         endWithNewline()
     }
 }
+
+// SonarQube configuration
+sonarqube {
+    properties {
+        property("sonar.projectKey", "kamiazya_scopes")
+        property("sonar.organization", "kamiazya")
+        property("sonar.host.url", "https://sonarcloud.io")
+        property("sonar.projectName", "Scopes")
+        property("sonar.projectVersion", version)
+
+        // Language settings
+        property("sonar.language", "kotlin")
+        property("sonar.kotlin.detekt.reportPaths", "**/build/reports/detekt/detekt.xml")
+
+        // Coverage configuration - use the aggregated report
+        property(
+            "sonar.coverage.jacoco.xmlReportPaths",
+            "quality/coverage-report/build/reports/jacoco/testCodeCoverageReport/testCodeCoverageReport.xml",
+        )
+
+        // Encoding
+        property("sonar.sourceEncoding", "UTF-8")
+
+        // Duplication detection
+        property("sonar.cpd.exclusions", "**/*Test.kt,**/*Spec.kt")
+    }
+}