feat(ci): SonarCloud integration for SAST and technical debt tracking#376
Merged
…king

Adds comprehensive static analysis configuration:
- sonar-project.properties: Coverage thresholds (85%), quality gate configuration
- .github/workflows/sonarcloud.yml: Runs on push/PR with quality gate checks
- README.adoc: SonarCloud quality gate and coverage badges

Configuration includes:
- Go coverage reporting (coverage.out from go test)
- Coverage thresholds: >80% code coverage, <5% duplications
- Quality gate: A-level maintainability, security, and reliability
- PR integration: Comments with analysis summary
- Excludes: test files, vendor directory, integration tests

Manual setup required (one-time):
1. Create SonarCloud account at https://sonarcloud.io
2. Link GitHub repo: docToolchain/Bausteinsicht
3. Generate SONAR_TOKEN in project settings
4. Add SONAR_TOKEN to GitHub Secrets
5. Set GitHub branch protection: require quality gate

Fixes #357

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Replace specific commit SHA with stable v4 tag to avoid action resolution errors.

Optional step with fail_ci_if_error: false won't block pipeline.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Remove sonar.tests with wildcard pattern (not supported by SonarCloud)
- Simplify sonar.exclusions to directory names only (vendor, .git, .devcontainer)
- SonarCloud auto-detects test files (*_test.go) without explicit config
- This fixes SonarCloud analysis error: 'Wildcards ** and * are not supported'

Fixes: sonarcloud.yml analysis failure in PR #376

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
raifdmueller approved these changes on May 26, 2026
raifdmueller left a comment:
Code Review
Good SonarCloud setup with sensible defaults. The coverage badge in README uses a placeholder token — replace with a proper SONAR_TOKEN secret reference or remove before going live. Not blocking for merge.
Summary
Adds SonarCloud integration for static application security testing (SAST) and technical debt tracking.
Changes:
Features:
Manual Setup Required (One-Time):
Fixes #357
🤖 Generated with Claude Code
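The pre-flight lint below is an added example, not code from PR #376 or from the Bausteinsicht project. It encodes the two fixes the commit messages describe (no wildcard in sonar.tests, exclusions expressed as directory patterns) and the review comment's point that the token must come from the SONAR_TOKEN secret rather than a committed file; the two sample properties files are constructed, and the key names used are the documented sonar-scanner ones.

```shell
#!/bin/sh
# Added example (not part of PR #376): lint sonar-project.properties before
# sonar-scanner runs. sonar.sources / sonar.tests accept only comma-separated
# directory paths; glob patterns belong in sonar.inclusions /
# sonar.test.inclusions. A token committed into the file is also rejected,
# because SONAR_TOKEN must be injected from the CI secret store.

# prop_value FILE KEY: print the (last) value of KEY, or nothing if it is unset.
prop_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_sonar_props FILE: return 0 if FILE is acceptable, 1 otherwise.
check_sonar_props() {
  rc=0
  for key in sonar.sources sonar.tests; do          # path-only keys
    v=$(prop_value "$1" "$key")
    case "$v" in
      *'*'*) echo "ERROR: $key='$v' contains a wildcard (not supported)" >&2; rc=1 ;;
    esac
  done
  for key in sonar.login sonar.token; do            # credentials never belong here
    [ -z "$(prop_value "$1" "$key")" ] ||
      { echo "ERROR: $key is hard-coded; use the SONAR_TOKEN secret" >&2; rc=1; }
  done
  [ -n "$(prop_value "$1" sonar.go.coverage.reportPaths)" ] ||
    { echo "ERROR: sonar.go.coverage.reportPaths unset; coverage.out ignored" >&2; rc=1; }
  return $rc
}

# Constructed samples: the configuration that failed in the PR, and a fixed form.
BROKEN_PROPS=$(mktemp); FIXED_PROPS=$(mktemp)
cat > "$BROKEN_PROPS" <<'EOF'
sonar.sources=.
sonar.tests=**/*_test.go
sonar.exclusions=**/vendor/**,**/*_test.go
sonar.token=squ_placeholder_do_not_commit
EOF
cat > "$FIXED_PROPS" <<'EOF'
sonar.sources=.
sonar.exclusions=vendor/**,.git/**,.devcontainer/**
sonar.go.coverage.reportPaths=coverage.out
EOF

for f in "$BROKEN_PROPS" "$FIXED_PROPS"; do
  if check_sonar_props "$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
done
```

Run it as a step before `sonar-scanner` in the workflow so a bad properties file fails fast with a readable message instead of a scanner error.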