How to use golangci-lint with Sonarqube
At Picus Security, we have hundreds of thousands of lines written in golang. Ensuring that all the repositories follow the same set of rules can be challenging. On top of that, we need to make sure that there are no bugs, code smells, or vulnerabilities.
We recently started using Sonarqube to track and see the problems with our code. It’s a useful tool that aggregates many aspects of code statistics together.
Another tool that’s considered a best practice for golang development is golangci-lint. It is basically a “fast Go linters runner. It runs linters in parallel, uses caching, supports yaml config, has integrations with all major IDE and has dozens of linters included.” Using golangci-lint was optional for developers before, but we decided to integrate it into our code pipelines.
One problem, though: we couldn’t figure out how to integrate golangci-lint findings into Sonarqube. Google didn’t give any meaningful results and the Sonarqube documentation doesn’t mention how to do this exactly. Hence this blog post :)
If you fiddle with Sonarqube enough, you will encounter a slot for golangci-lint report files under Project Settings > General Settings > Languages > Go > GolangCI-Lint Report Files.
Now, how to create that report? One of the most popular ways of using golangci-lint is the golangci-lint-action for GitHub pipelines. Unfortunately, we couldn’t generate a report file with that action. We had no idea what that report file would even look like or what file type Sonarqube accepts.
Instead, we had to use the native CLI tool of golangci-lint. With lots of trial and error, we managed to find how to create a report that Sonarqube would accept; we just needed one extra argument when running golangci-lint:
--out-format checkstyle
The step in our GitHub workflow looks somewhat like this:
- name: Create golangci-lint report
  run: |
    # install a pinned golangci-lint release into GOPATH/bin
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.42.1
    # the Go module lives in ./go, so run the linter from there
    cd go
    # checkstyle is the format Sonarqube accepts; --issues-exit-code 0 keeps findings from failing this step
    /home/runner/go/bin/golangci-lint run --out-format checkstyle -D deadcode,unused --build-tags=integration --timeout 10m --issues-exit-code 0 ./... > ../report.xml
    cd ..
    # file paths in the report are relative to ./go; prefix them so Sonarqube resolves them from the repository root
    sed -i 's+<file name="+<file name="go/+g' report.xml
    cat report.xml
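The sed line above rewrites every file path in the checkstyle report so that it is relative to the repository root rather than to the ./go subdirectory. The following script is an added example, not code from the post or from the golangci-lint or Sonarqube projects: it does the same rewrite with an XML parser, skips paths that are already prefixed or absolute (so re-running it cannot double-prefix, which a global sed would), and counts findings per severity and per linter so the report can be sanity-checked before the scan runs. The sample report, the file names and the findings in it are constructed for illustration.

```python
"""Rewrite file paths in a golangci-lint checkstyle report so that
SonarQube can match them against the repository root, and summarise
the findings. Added example; the sample report below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what `golangci-lint run --out-format checkstyle`
# emits when run from inside the ./go subdirectory (paths are module-relative).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="5.0">
  <file name="cmd/server/main.go">
    <error column="2" line="42" message="Error return value of `f.Close` is not checked" severity="error" source="errcheck"></error>
  </file>
  <file name="internal/auth/token.go">
    <error column="9" line="17" message="G101: Potential hardcoded credentials" severity="warning" source="gosec"></error>
    <error column="1" line="80" message="cyclomatic complexity 21 of func `validate` is high" severity="warning" source="gocyclo"></error>
  </file>
</checkstyle>
"""


def prefix_file_names(report_xml: str, prefix: str) -> str:
    """Return the report with every <file name> made relative to the repo root.

    `prefix` is the subdirectory golangci-lint was run from (e.g. "go").
    Names already under that prefix, and absolute paths, are left untouched,
    so the function is idempotent, unlike the global sed substitution.
    """
    prefix = prefix.rstrip("/") + "/"
    root = ET.fromstring(report_xml)
    for file_el in root.iter("file"):
        name = file_el.get("name", "")
        if name.startswith(prefix) or name.startswith("/"):
            continue
        file_el.set("name", prefix + name)
    # ET.tostring drops the XML declaration; put it back for the scanner.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def file_names(report_xml: str) -> list[str]:
    """List the <file name> attributes in report order."""
    return [f.get("name", "") for f in ET.fromstring(report_xml).iter("file")]


def summarize(report_xml: str) -> dict[str, Counter]:
    """Count findings per severity and per linter (the `source` attribute)."""
    root = ET.fromstring(report_xml)
    by_severity: Counter = Counter()
    by_linter: Counter = Counter()
    for err in root.iter("error"):
        by_severity[err.get("severity", "unknown")] += 1
        by_linter[err.get("source", "unknown")] += 1
    return {"severity": by_severity, "linter": by_linter}


if __name__ == "__main__":
    fixed = prefix_file_names(SAMPLE_REPORT, "go")
    print(file_names(fixed))
    print(summarize(fixed))
```

In a pipeline this would replace the sed step: read report.xml, write the result of prefix_file_names back, and fail the job if summarize reports an error-severity finding from a linter you treat as blocking (for example gosec), independently of the --issues-exit-code 0 setting that keeps the report step itself green.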
Finally, that report.xml file needs to be present in the working directory when the sonarqube-scan-action runs. In Sonarqube, golangci-lint findings will be labeled as such:
Hopefully, this post helps anyone trying the same integration. Peace.