 

Analyze pull requests using SonarCloud

I want to use SonarQube to analyze any pull request (PR) made to my project.

A few quick points:

  • My project is hosted on GitHub, it is public, it is written in C#, and I'm using AppVeyor for continuous integration (CI);
  • I am using SonarCloud (a public instance of SonarQube) for code quality check, and it already does a fantastic job analyzing internal PRs (i.e., the PRs made from main repository, e.g., merge dev branch on master branch);
  • I want this to analyze external PRs (i.e., PRs made from arbitrary forks of my project), which is possible using SonarQube Github plugin;
  • and most importantly: I am not gonna put my API keys on any public file, and Appveyor is not gonna expose my secured tokens on public PRs.

Given these points, this is what I did:

  • created a bot and gave it write access to my repo (as explained here);
  • on the sonarcloud and under Administration -> Settings -> Pull Requests (Alpha), I set the Authentication token with the bot's token and set the Repository identifier with my repo address in the <Organization>/<Repo> format;
  • updated the appveyor.yml file of my project so as to run SonarQube analysis on all PRs, similar to the following:

    build_script:
      - choco install "msbuild-sonarqube-runner" -y
      - MSBuild.SonarQube.Runner.exe begin /k:"REPO" /o:"ORGANIZATION" /d:"sonar.host.url=https://sonarcloud.io" /d:"sonar.analysis.mode=preview"
      - MSBuild.exe /t:Rebuild
      - MSBuild.SonarQube.Runner.exe end

However, I still don't see SonarQube using the bot to comment on new PRs (similar to their demo).

Hamed asked Feb 15 '18 19:02
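As an added example (not the asker's appveyor.yml and not anything from SonarSource), this is one way to keep the SonarCloud token out of fork builds while still analyzing internal PRs: store it as an AppVeyor secure variable, which the asker notes is not decrypted for public PRs, and skip the scanner steps whenever it is absent instead of passing an empty login or failing the build. The variable name SONAR_TOKEN and the encrypted placeholder value are assumptions; REPO and ORGANIZATION are the same placeholders the question uses.

```yaml
# Added example, not the original appveyor.yml.
# Assumes a secure variable named SONAR_TOKEN created in the AppVeyor UI;
# the "secure:" value below is a placeholder, not a real encrypted token.
image: Visual Studio 2017

environment:
  SONAR_TOKEN:
    secure: <ENCRYPTED_VALUE_FROM_APPVEYOR_UI>

install:
  - choco install "msbuild-sonarqube-runner" -y

build_script:
  # Secure variables are not decrypted for pull requests coming from forks,
  # so $env:SONAR_TOKEN is empty there. Internal PRs and branch builds still
  # get the full SonarCloud analysis; external PRs just build and test.
  - ps: |
      if ($env:SONAR_TOKEN) {
        MSBuild.SonarQube.Runner.exe begin /k:"REPO" /o:"ORGANIZATION" `
          /d:"sonar.host.url=https://sonarcloud.io" `
          /d:"sonar.login=$env:SONAR_TOKEN"
        if ($LASTEXITCODE -ne 0) { throw "SonarQube begin step failed" }
      } else {
        Write-Host "SONAR_TOKEN not available (fork PR $env:APPVEYOR_PULL_REQUEST_NUMBER); skipping SonarCloud analysis"
      }
  - MSBuild.exe /t:Rebuild
  - ps: |
      if ($env:SONAR_TOKEN) {
        MSBuild.SonarQube.Runner.exe end /d:"sonar.login=$env:SONAR_TOKEN"
        if ($LASTEXITCODE -ne 0) { throw "SonarQube end step failed" }
      }
```

The token only ever travels through the secure variable, so it never appears in the repository or in the build log of a fork PR; this does not make external PRs analyzable, it only keeps their builds green and the secret contained.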
1 Answer

The feature you are trying to activate is not ready to be used yet - which is why it is named "Alpha" (Administration -> Settings -> Pull Requests (Alpha)).

In any case, even when this feature is ready, while this will secure your GitHub token because you will save it on SonarCloud only (which is great), you will still have to provide your SonarCloud token to perform the analysis. And as you don't want to unveil your SonarCloud token, you won't be able to analyze external pull requests. Unfortunately, we currently have no solution to solve this limitation.

Fabrice - SonarSource Team answered Nov 03 '22 07:11