The following uses the SonarQube API to build an exportable report based on the items found within the scan. This works for both a hosted solution and a local copy.
Docker is the only tool that is needed for this to run.
Pull the latest docker image
docker pull devkteam/sonarqube-report:latest
Running the docker image can be as simple as running the following:
docker -it --rm \
-v $(pwd):/mnt/reports \
-e SONARQUBE_HOST="https://sonarcloud.io" \
-e SONARQUBE_USER="user" \
-e SONARQUBE_PASS="abc" \
-e SONARQUBE_PROJECTS="project_test" \
devkteam/sonarqube-report:latest
When running the following to pull from Sonarcloud.io a Token will need to be created.
Because some of the APIs are different than the local setup, an organization id is required
for some of the endpoints. That can be passed in via the SONARQUBE_EXTRA_PARAMS
variable.
docker pull devkteam/sonarqube-report:latest
export PROJECTID=<PROJECT_ID>
export SCTOKEN=<TOKEN>
docker run -it --rm \
-v $(pwd):/mnt/reports \
-e SONARQUBE_HOST="https://sonarcloud.io" \
-e SONARQUBE_USER="$SCTOKEN" \
-e SONARQUBE_PASS="" \
-e SONARQUBE_PROJECTS="$PROJECTID" \
-e SONARQUBE_EXTRA_PARAMS='{"global":{"organization":"<ORGANIZATION ID>"}}' \
devkteam/sonarqube-report:latest
Environment variables can be used by either exporting them, or by using a .env
file.
Variable | Default | Description |
---|---|---|
USERNAME | admin | Username used for logging into SonarQube Service |
PASSWORD | password | Password used for logging into SonarQube Service |
HOST | http://127.0.0.1:9000 | Hostname to communicate with SonarQube from the host machine |
SERVICE_NAME | sonarqube | When setting up locally what is the name of the service/container to use. |
MAX_TRIES | 3 | How many attempts should be made before everything fails |
SLEEPTIME | 90 | How long should the requests wait before they check again. Used when setting up SonarQube locally. |
SONARQUBE_SERVICE_IMAGE | sonarqube:9-community | SonarQube Docker image to use for local setup |
PROJECT_DIRECTORY | (current directory) | Location to run the scan from |
PROJECT_NAME | (current directory) | Name of the project to create in SonarQube service |
PROJECT_KEY | (uses project name) | Project key within SonarQube service to pull data for |
SONARQUBE_CLI_REMOTE_HOST | http://sonarqube:9000 | Remote host to use for sending code scan |
SONARQUBE_CLI_IMAGE | sonarsource/sonar-scanner-cli:latest | Image name to use for running |
SONARQUBE_REPORT_IMAGE | devkteam/sonarqube-report:latest | Docker image name to use for generating the report |
CLEANUP | (blank) | If set will delete and remove all services after running |
LOG_FILE | /tmp/sonarqube.log | Where should all output be sent to for reviewing |
SONARQUBE_EXTRA_PARAMS | (blank) | JSON Structure where key is the endpoint. Additionally key 'global' is used for all requests. |
Clone the source code
git clone git@github.com:kanopi/security-reports security-reports
cd security-reports
Run Composer Install
composer install
Create the .env
file. Use this to modify any environment variables that should
point to your SonarQube instance.
cp .env.dist .env
Run the run.php
script
./run.php
To build the image from source.
make build
Included as part of this is the full process of setting up a local instance of SonarQube and running the scanner on the current codebase.
bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/run.sh) run
The following generates a report using GoAccess. The following will generate an HTML report.
Docker is the only tool that is needed for this to run.
SITE_UUID=1a5b3e19-01af-4f19-ad34-abe5489370d0 bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/collect-logs.sh)