Why does SonarCloud show that everything is fine?

I'm working on a C# .NET 6 project and I'm trying to integrate SonarCloud using GitHub Actions. I have a build and SonarCloud workflow that looks like this:

name: .NET

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup .NET
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 6.0.x
      - name: Restore dependencies
        run: dotnet restore
        working-directory: Backend
      - name: Build
        run: dotnet build --no-restore
        working-directory: Backend
      - name: Test
        run: dotnet test --no-build --verbosity normal
        working-directory: Backend
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

The build works fine and the tests are passing, but SonarCloud is always showing no issues despite writing some code smells and duplications on purpose to see if it works.

I see that SonarCloud is seeing all of my code so that shouldn't be a problem. I have a sonar-project.properties file and an analysis is running every time there is either a push or a pull request, so I guess the setup is good, but I don't get why it doesn't report any issue, either code smells or duplicate code. Are there any more setups I should've made?



Solution 1:[1]

At SonarSource it states to not use the action if

You want to analyze a .NET solution

But instead:

Follow our interactive tutorial for Github Actions after importing your project directly in SonarCloud

That's probably because you have to call dotnet-sonarscanner begin before executing dotnet test and finish the analysis by invoking dotnet-sonarscanner end.

BTW: This also introduces a problem if you want to analyse PRs from a fork, since secrets are not passed to such PRs and using other triggers introduces high security risks. (see github-actions-preventing-pwn-requests)
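
A workflow job following the begin/build/test/end order this answer describes, as an added example that is not part of the original answer or of SonarSource's tutorial. The project key and organization are placeholders, the action versions and the `$RUNNER_TEMP/scanner` tool path are assumptions, and the `if:` guard skips pull requests from forks, where `SONAR_TOKEN` is not available.

```yaml
name: SonarCloud (.NET)

on:
  push:
    branches: [ main ]
  pull_request:            # not pull_request_target: fork code must never run with secrets
    branches: [ main ]

permissions:               # least privilege for GITHUB_TOKEN
  contents: read
  pull-requests: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    # Secrets are empty on PRs from forks, so skip the scan there instead of failing.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    defaults:
      run:
        working-directory: Backend   # begin, build, test and end must share one directory
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history improves relevancy of reporting
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 6.0.x
      - uses: actions/setup-java@v4  # the scanner needs a Java runtime
        with:
          distribution: temurin
          java-version: 17
      - name: Install scanner
        run: dotnet tool install dotnet-sonarscanner --tool-path "$RUNNER_TEMP/scanner"
      - name: Begin analysis         # must run before the build so the analyzers are hooked in
        run: |
          "$RUNNER_TEMP/scanner/dotnet-sonarscanner" begin \
            /k:"<your-project-key>" /o:"<your-organization>" \
            /d:sonar.host.url="https://sonarcloud.io" \
            /d:sonar.token="$SONAR_TOKEN"
      - name: Build
        run: dotnet build
      - name: Test
        run: dotnet test --no-build --verbosity normal
      - name: End analysis           # uploads the results collected since "begin"
        run: |
          "$RUNNER_TEMP/scanner/dotnet-sonarscanner" end /d:sonar.token="$SONAR_TOKEN"
```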

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 AlexS