SonarQube plugin to analyze Shell scripts with ShellCheck.
- SonarQube 7.1+, 8.0+, 9.0+ (tested on 9.1)
- On the machine that will audit the code:
  - ShellCheck 0.4.0 minimum must be installed
  - Sonar scanner configured to point to your Sonar server
Tested on Linux.
- Download the ShellCheck plugin
- Copy the plugin JAR file into the extensions/plugins directory of SonarQube and restart SonarQube
- Optional: create a new quality profile to enable only some rules (by default, if you do not create a custom profile, all rules are enabled):
  - Log in to SonarQube
  - Create a new quality profile for the Shell language and enable the ShellCheck rules (search with the tag "shell")
- Install ShellCheck and the Sonar scanner on a Linux machine. If needed, you can set the path to the shellcheck executable in the general settings of SonarQube.
- Prior to executing a code audit, you must create a file sonar-project.properties that contains some details about your project (this is a requirement of the Sonar scanner):

  ```properties
  # must be unique in a given SonarQube instance
  sonar.projectKey=com.mycompany:my-scripts

  # this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
  sonar.projectName=A Name
  sonar.projectVersion=1.0-SNAPSHOT

  # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
  # This property is optional if sonar.modules is set.
  sonar.sources=.

  # Encoding of the source code. Default is default system encoding
  #sonar.sourceEncoding=UTF-8
  ```

  You only have to do this once. Ideally, add this file along with your scripts to your preferred SCM.
- Run the Sonar scanner from the directory where you wrote the file sonar-project.properties:

  ```shell
  sonar-scanner
  ```

- Go to SonarQube and check the result.

Subsequent scans only require the scanner to be run again, so the audit is easily integrated into a continuous integration pipeline.
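The following POSIX sh driver is an added example, not part of the plugin or its README. It ties the procedure above together: it checks that the installed ShellCheck meets the 0.4.0 floor the plugin requires (parsing the `version:` line of `shellcheck --version`), generates a sonar-project.properties with a basic sanity check on the project key, and invokes sonar-scanner. It assumes shellcheck and sonar-scanner are on PATH and that the scanner is already pointed at your server; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not the sonar-shellcheck project's code): pre-flight checks
# plus a one-shot scan driver for the steps described above.
# Assumptions: shellcheck and sonar-scanner are on PATH; the scanner's server
# settings live in sonar-scanner.properties or the CI environment.

MIN_SHELLCHECK=0.4.0   # minimum version the plugin supports

# version_ge A B: succeed when dotted numeric version A >= B.
# Versions are padded with ".0.0" so "0.4" compares as 0.4.0 and "7" as 7.0.0;
# only numeric components are supported (ShellCheck releases are numeric).
version_ge() {
    _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s.0.0' "$1" | cut -d. -f"$_i")
        _y=$(printf '%s.0.0' "$2" | cut -d. -f"$_i")
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        _i=$((_i + 1))
    done
    return 0
}

# Extract the version from "shellcheck --version" output read on stdin
# (the tool prints a "version: X.Y.Z" line among others).
parse_shellcheck_version() {
    awk '/^version:/ { print $2; exit }'
}

# Fail if shellcheck is missing or older than MIN_SHELLCHECK.
# SHELLCHECK may point at a non-PATH binary, mirroring the plugin's own
# option of configuring the executable path in SonarQube's general settings.
check_shellcheck() {
    _bin=${SHELLCHECK:-shellcheck}
    command -v "$_bin" >/dev/null 2>&1 || {
        echo "shellcheck not found (looked for: $_bin)" >&2; return 1; }
    _v=$("$_bin" --version | parse_shellcheck_version)
    version_ge "$_v" "$MIN_SHELLCHECK" || {
        echo "shellcheck $_v is older than required $MIN_SHELLCHECK" >&2; return 1; }
    echo "shellcheck $_v OK"
}

# write_sonar_properties DIR KEY NAME VERSION: create DIR/sonar-project.properties.
# The key is restricted to the characters SonarQube accepts for project keys.
# Deliberately no sonar.login / sonar.token here: this file is committed to SCM,
# credentials belong in the CI secret store (SONAR_TOKEN) instead.
write_sonar_properties() {
    _dir=$1 _key=$2 _name=$3 _ver=$4
    case "$_key" in
        ""|*[!A-Za-z0-9:._-]*)
            echo "invalid project key: '$_key'" >&2; return 1 ;;
    esac
    cat > "$_dir/sonar-project.properties" <<EOF
# must be unique in a given SonarQube instance
sonar.projectKey=$_key
sonar.projectName=$_name
sonar.projectVersion=$_ver
# Path is relative to this file
sonar.sources=.
sonar.sourceEncoding=UTF-8
EOF
}

# run_scan KEY NAME VERSION [extra sonar-scanner args...]
run_scan() {
    _key=$1 _name=$2 _ver=$3
    shift 3
    check_shellcheck || return 1
    [ -f sonar-project.properties ] || write_sonar_properties . "$_key" "$_name" "$_ver" || return 1
    # Server URL and token are taken from the scanner's own configuration or
    # passed explicitly, e.g. -Dsonar.host.url=... ; never hard-code them here.
    sonar-scanner "$@"
}

# Invoke as "./scan.sh run [KEY NAME VERSION]"; sourcing only defines the functions.
if [ "${1:-}" = "run" ]; then
    run_scan "${2:-com.mycompany:my-scripts}" "${3:-A Name}" "${4:-1.0-SNAPSHOT}"
fi
```

Running `./scan.sh run` from the project root reproduces the manual steps; in CI, export SONAR_TOKEN (or pass the equivalent -D property) from the pipeline's secret store rather than committing it.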
Version 1.0.0 of this plugin was incompatible with the Sonar i-Code CNES plugin, which also scans Shell scripts. If you already had that plugin installed you could not install and use this ShellCheck plugin (you had to decide which plugin to run). Issue #1 was filed to track this incompatibility.
This problem was fixed in version 2.0.0. If you want to run both the Sonar i-Code CNES plugin and the ShellCheck plugin, you must set the following environment variable before starting SonarQube so that only the i-Code CNES Shell language is installed:

```shell
export SHELLCHECK_LANGUAGE_ADD=false
```

You can also set the property sonar.shell.addlanguage in the file SQ_install_dir/conf/sonar.properties:

```properties
sonar.shell.addlanguage=false
```

If both are defined, the environment variable takes precedence.
On SonarQube 8.0, only the configuration property is available due to a known bug.