The following uses the SonarQube API to build an exportable report based on the items found within the scan. This works for both a hosted solution and a local copy.
Docker is the only tool that is needed for this to run.
Pull the latest docker image
docker pull devkteam/sonarqube-report:latestRunning the docker image can be as simple as running the following:
docker -it --rm \
-v $(pwd):/mnt/reports \
-e SONARQUBE_HOST="https://sonarcloud.io" \
-e SONARQUBE_USER="user" \
-e SONARQUBE_PASS="abc" \
-e SONARQUBE_PROJECTS="project_test" \
devkteam/sonarqube-report:latestWhen running the following to pull from Sonarcloud.io a Token will need to be created.
Because some of the APIs are different than the local setup, an organization id is required
for some of the endpoints. That can be passed in via the SONARQUBE_EXTRA_PARAMS variable.
docker run -it --rm \
-v $(pwd):/mnt/reports \
-e SONARQUBE_HOST="https://sonarcloud.io" \
-e SONARQUBE_USER="<TOKEN>" \
-e SONARQUBE_PASS="" \
-e SONARQUBE_PROJECTS="<PROJECT_ID>" \
-e SONARQUBE_EXTRA_PARAMS='{"global":{"organization":"<ORGANIZATION ID>"}}' \
devkteam/sonarqube-report:latest
Environment variables can be used by either exporting them, or by using a .env file.
| Variable | Default | Description |
|---|---|---|
| USERNAME | admin | Username used for logging into SonarQube Service |
| PASSWORD | password | Password used for logging into SonarQube Service |
| HOST | http://127.0.0.1:9000 | Hostname to communicate with SonarQube from the host machine |
| SERVICE_NAME | sonarqube | When setting up locally what is the name of the service/container to use. |
| MAX_TRIES | 3 | How many attempts should be made before everything fails |
| SLEEPTIME | 90 | How long should the requests wait before they check again. Used when setting up SonarQube locally. |
| SONARQUBE_SERVICE_IMAGE | sonarqube:9-community | SonarQube Docker image to use for local setup |
| PROJECT_DIRECTORY | (current directory) | Location to run the scan from |
| PROJECT_NAME | (current directory) | Name of the project to create in SonarQube service |
| PROJECT_KEY | (uses project name) | Project key within SonarQube service to pull data for |
| SONARQUBE_CLI_REMOTE_HOST | http://sonarqube:9000 | Remote host to use for sending code scan |
| SONARQUBE_CLI_IMAGE | sonarsource/sonar-scanner-cli:latest | Image name to use for running |
| SONARQUBE_REPORT_IMAGE | devkteam/sonarqube-report:latest | Docker image name to use for generating the report |
| CLEANUP | (blank) | If set will delete and remove all services after running |
| LOG_FILE | /tmp/sonarqube.log | Where should all output be sent to for reviewing |
| SONARQUBE_EXTRA_PARAMS | (blank) | JSON Structure where key is the endpoint. Additionally key 'global' is used for all requests. |
Clone the source code
git clone git@github.com:kanopi/security-reports security-reports
cd security-reportsRun Composer Install
composer installCreate the .env file. Use this to modify any environment variables that should
point to your SonarQube instance.
cp .env.dist .envRun the run.php script
./run.phpTo build the image from source.
make buildIncluded as part of this is the full process of setting up a local instance of SonarQube and running the scanner on the current codebase.
bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/run.sh) runThe following generates a report using GoAccess. The following will generate an HTML report.
Docker is the only tool that is needed for this to run.
SITE_UUID=1a5b3e19-01af-4f19-ad34-abe5489370d0 bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/collect-logs.sh)