A reusable GitHub Action for running SonarCloud analysis on .NET applications by wrapping a build with SonarScanner.
This action provides a consistent way to integrate SonarCloud analysis into .NET pipelines without duplicating configuration.
It:
build-command: Command used to build the application. Executed between SonarScanner begin and end steps.coverage-report-path: Path to a Sonar-compatible coverage report (e.g. SonarQube.xml)coverage-exclusions: Comma-separated list of coverage exclusion patternsdotnet-version: .NET SDK version used when not using global.jsondotnet-tool-restore: Runs dotnet tool restore when truejava-distribution: Java distribution used by SonarScanner (e.g. zulu, temurin, microsoft) (Default: zulu)java-version: Java version used by SonarScannersonarcloud-project-key: SonarCloud project keysonarcloud-organisation: SonarCloud organisation (Default: dfe-digital)sonarcloud-token: SonarCloud authentication tokensonarcloud-url: SonarCloud server URLsonarscan-args: Additional SonarScanner arguments (e.g. /d:sonar.*)use-global-json: Uses global.json to select the SDKAdd the action as a step in your workflow:
- name: SonarCloud scan
uses: DFE-Digital/github-actions/sonarscan-dotnet@main
with:
sonarcloud-project-key: your_project_key
sonarcloud-token: $
- name: Download merged coverage
uses: actions/download-artifact@v4
with:
name: coverage
path: coverage-reports
- name: SonarCloud scan
uses: DFE-Digital/github-actions/sonarscan-dotnet@main
with:
sonarcloud-project-key: your_project_key
sonarcloud-token: $
coverage-report-path: coverage-reports/SonarQube.xml
- name: SonarCloud scan
uses: DFE-Digital/github-actions/sonarscan-dotnet@main
with:
sonarcloud-project-key: your_project_key
sonarcloud-token: $
use-global-json: true
If use-global-json is true, a global.json file must exist in the repository.
with:
build-command: dotnet build YourSolution.sln --no-restore --no-incremental
SonarCloud analysis requires a valid SONAR_TOKEN to publish results.
Dependabot pull requests do not have access to repository secrets by default. This means:
SONAR_TOKENControl execution in the calling workflow to avoid running the scan when secrets are not available:
```yaml