I just noticed that we have already spent an hour, and that's why I was trying to be a bit faster. Okay, so we have added two files so far: build.yaml, which is the configuration of the GitHub Action, and sonar-project.properties, which holds the properties for the analysis. There is nothing fancy here: the project key and organization key, which we already saw on SonarCloud; the project version, which is not required but will be useful for us in the next step; and the relative path to the reports. Of course, this relative path should exist during the CI step, not on your local run.
So, if you are ready with these two files, you can commit them to master: "Set up SonarCloud analysis". Now I'm ready to push. As soon as I push, GitHub will create a GitHub Action. If you open the project now, there are some old GitHub Actions which I ran about 20 hours ago when I was preparing, but you probably have nothing there. As soon as I push, you should have a new GitHub Action running. Maybe I can just show you how it will look. As soon as you push, you're going to have this item appearing in the Actions tab. You're going to have this SonarCloud workflow here with these steps: first it sets up the GitHub Action, then it checks out the code and installs all dependencies, generates the coverage report, and executes the scan on SonarCloud. With this GitHub Action you are able to see all the logs of the analysis. If something goes wrong, you are able to see it. You see what is executed, how much time it takes, etc.

And, as soon as we have this set up, we will also see the SonarCloud analysis in GitHub. So, you will see something like this after the GitHub Action has executed: you will see the coverage of your project, and if you click on it, you will see a drop-down showing which files have which coverage, and you can open a file and see the green lines, which are covered, and the red lines, which are not covered, et cetera. This way, you can add not only coverage but also, for example, import external issues if you are using some other tool to lint your project. So, you can add one more step in your GitHub Action to run, for example, ESLint, and in sonar-project.properties you can set the path to this ESLint issues report.

Okay, so I see that people are writing that it's not working. So, while it's not working, I will go to another module, about security hotspots.
So, in the title of this workshop, you see that it's not only about code quality but also about security. SonarCloud provides you with many security rules. For this project, we don't have any security vulnerabilities, but we have two security hotspots. So, I'm going to show you what this is. For security, it's not always easy to say that you have a problem here, that you are vulnerable here; you can have some places which are dangerous and which require a manual review. So, in our project, we have two security hotspots. Those security hotspots are not just simple issues, because you can review them manually and say that, okay, I just had a look, I understand what it is about, and it's safe. For each security hotspot, you have a description of it. There is a tab where you can read how to understand whether you are at risk, that is, whether this is really dangerous for you. And you also have a tab about how to fix it.

So, here I have the HTTP, not HTTPS, protocol used for my URL. Let's say that, okay, I reviewed it, there is no danger for me to use the unsafe protocol here, and I say that it is safe. As soon as it is marked safe, it will no longer be displayed under the security hotspots.

And there is another security hotspot, where you load a script from the internet and you are not checking its integrity. Here, let's say I reviewed it, I read the description, and I say that, okay, in fact, I am at risk. It's an external resource, I cannot be sure that it is what I expect, and I have to add some integrity check here. I have some examples here: I should put a SHA hash for this script in my code. So, that's when I will need to fix this in my code. But that will also require me to push something, and I still cannot push. Nope. So, okay, I know that's not great, but unfortunately I don't have a better idea, so let's pretend that I will be able to push.
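The fix for the second hotspot is Subresource Integrity: the script tag gets an integrity attribute carrying a hash of the expected file, and the browser refuses to run the script if the bytes it downloads do not hash to that value. The following is an added example, not code from the workshop or from SonarCloud. It computes the attribute value for a script body, reproduces the check a browser performs on it (when several hashes are listed, only those for the strongest algorithm count, and any one of them may match), and emits a script tag that also refuses a plain-HTTP source, which was the first hotspot. The script body and the CDN URL are constructed for the example; the helper names are this example's own.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Hash functions SRI allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# One token of an integrity attribute: "<algo>-<base64>" with an optional "?options" suffix.
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(?:\?.*)?$")

# Constructed stand-in for the third-party script the page would load from a CDN.
SCRIPT_BODY = b"console.log('hello from the cdn');\n"
SCRIPT_URL = "https://cdn.example.invalid/widget.js"  # assumed URL, not a real host


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return the value to put in the integrity attribute, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    raw = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Mimic the browser's SRI check of a downloaded resource body.

    Tokens with an unknown algorithm are ignored. Of the tokens that remain, only
    those using the strongest algorithm are considered, and the resource passes
    if its digest equals any of them. Caveat: if no token parses at all (for
    example a typo such as "sha-384-..."), browsers treat the attribute as
    absent and load the script unchecked; this function does the same, so
    a typo silently disables the protection.
    """
    parsed = []
    for token in integrity.split():
        match = _TOKEN.match(token)
        if match:
            parsed.append((match.group(1), match.group(2)))
    if not parsed:
        return True
    strongest = max((algo for algo, _ in parsed), key=SRI_ALGORITHMS.index)
    expected = {value for algo, value in parsed if algo == strongest}
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return actual in expected


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Emit a <script> tag that addresses both hotspots: HTTPS only, hash pinned.

    crossorigin="anonymous" is required for the browser to apply SRI to a
    cross-origin resource; without it the integrity check cannot be performed.
    """
    if urlparse(src).scheme != "https":
        raise ValueError(f"refusing non-HTTPS script source: {src}")
    return (
        f'<script src="{src}" integrity="{sri_digest(body, algo)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    tag = script_tag(SCRIPT_URL, SCRIPT_BODY)
    print(tag)
    pinned = sri_digest(SCRIPT_BODY)
    print("genuine body accepted:", verify_integrity(SCRIPT_BODY, pinned))
    print("tampered body accepted:", verify_integrity(SCRIPT_BODY + b"evil();", pinned))
```

In practice you compute the digest once from the exact file version you vetted and paste the tag into the page; when the CDN ships a new version, the hash no longer matches, the browser blocks the script, and you re-review before updating the hash. That blocking behaviour is the point: a silently swapped script is exactly what the hotspot warns about.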