Introduction
SonarQube is a powerful tool for continuous code quality inspection, but the Community Edition does not support scanning shell scripts (.sh files) by default. In this post, I will demonstrate how to integrate ShellCheck, an external tool, with SonarQube for scanning shell scripts in a Windows environment. This guide provides step-by-step instructions for setting up ShellCheck with SonarQube.
Prerequisites
- SonarQube (Community Edition) installed.
- Jenkins or a similar CI/CD tool for running the pipeline.
- Basic knowledge of Jenkins pipelines and SonarQube configuration.
Step-by-Step Implementation
Step 1: Download the ShellCheck Plugin for SonarQube
Download the ShellCheck plugin from the SonarSource Community. The version used for this tutorial is sonar-shellcheck-plugin-2.5.0.jar.
Step 2: Install the Plugin in the SonarQube Directory
Once the plugin is downloaded, place the .jar file in the extensions/plugins directory inside your SonarQube installation. The typical path looks like this:
C:\sonarqube-10.7.0.96327\extensions\plugins
Step 3: Download the ShellCheck Binary
Download the ShellCheck binary from this link. Extract the shellcheck-v0.10.0.zip file; you will find shellcheck.exe inside the extracted folder.
Step 4: Configure the ShellCheck Binary Location
Create a tools directory inside your SonarQube folder (or any other preferred location) and move shellcheck.exe there. Example path:
C:\sonarqube-10.7.0.96327\tools
For global access, add the path C:\sonarqube-10.7.0.96327\tools to the PATH entry in your system's environment variables, so that both SonarQube and the Jenkins agent can resolve shellcheck.exe.
Step 5: Restart SonarQube
Once the plugin is installed and the ShellCheck binary is configured, restart SonarQube to enable the plugin.
Step 6: Verify the Plugin Installation
To verify that ShellCheck is properly installed:
- Open the SonarQube Web Interface.
- Log in with your credentials.
- Navigate to Administration → Marketplace → Installed.
- The ShellCheck plugin should be listed under the installed plugins section.
Screenshot: the external ShellCheck plugin listed under installed plugins in SonarQube.
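The following PowerShell script is an added example, not part of the original post, that automates Steps 2 to 4 and the binary side of the Step 6 check on a Windows host. It assumes the plugin jar and the ShellCheck zip have already been downloaded to the current user's Downloads folder and that SonarQube is installed at the path used in this post; the variable names ($SonarHome, $PluginJar, $ShellZip) and the checksum placeholder are the example's own.

```powershell
# Added example (not from the original post): automates Steps 2-4 and the
# verification part of Step 6 for a local SonarQube install on Windows.
# Assumptions: the plugin jar and ShellCheck zip are in $env:USERPROFILE\Downloads,
# and SonarQube lives at $SonarHome. Adjust the three variables for your machine.
$SonarHome = 'C:\sonarqube-10.7.0.96327'                                        # path from the post
$PluginJar = Join-Path $env:USERPROFILE 'Downloads\sonar-shellcheck-plugin-2.5.0.jar'
$ShellZip  = Join-Path $env:USERPROFILE 'Downloads\shellcheck-v0.10.0.zip'

$PluginDir = Join-Path $SonarHome 'extensions\plugins'
$ToolsDir  = Join-Path $SonarHome 'tools'

# Step 2: copy the plugin jar into extensions\plugins.
New-Item -ItemType Directory -Force -Path $PluginDir | Out-Null
Copy-Item -Path $PluginJar -Destination $PluginDir -Force

# Step 3: extract the ShellCheck release zip and locate shellcheck.exe inside it.
$Extract = Join-Path $env:TEMP 'shellcheck-extract'
Expand-Archive -Path $ShellZip -DestinationPath $Extract -Force
$Exe = Get-ChildItem -Path $Extract -Recurse -Filter 'shellcheck.exe' | Select-Object -First 1
if (-not $Exe) { throw "shellcheck.exe not found inside $ShellZip" }

# Step 4: place the binary in the tools directory and put that directory on the machine PATH.
New-Item -ItemType Directory -Force -Path $ToolsDir | Out-Null
Copy-Item -Path $Exe.FullName -Destination $ToolsDir -Force

$MachinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($MachinePath -split ';') -notcontains $ToolsDir) {
    # Machine scope needs an elevated shell. A Jenkins agent running as a Windows service
    # only sees the new PATH after the service is restarted.
    [Environment]::SetEnvironmentVariable('Path', "$MachinePath;$ToolsDir", 'Machine')
}
$env:Path = "$env:Path;$ToolsDir"   # make it visible in the current session as well

# Step 5 (not automated here): restart SonarQube the way you normally start it.

# Step 6, binary side: show exactly which shellcheck.exe resolves on PATH and its version.
$Resolved = (Get-Command shellcheck.exe).Source
Write-Host "Resolved shellcheck: $Resolved"
& shellcheck --version

# Supply-chain check: record the SHA-256 of the binary you installed and compare it with the
# checksum published for the release. The post lists no checksum, so this is a placeholder.
$ExpectedSha256 = '<SHA256-FROM-RELEASE-PAGE>'
$Actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $ToolsDir 'shellcheck.exe')).Hash
Write-Host "SHA-256 of installed shellcheck.exe: $Actual (expected: $ExpectedSha256)"
```

Run it from an elevated PowerShell session so the Machine-scope PATH update succeeds; after it finishes, restart SonarQube (Step 5) and the Jenkins agent service, then confirm the plugin in the Marketplace as described above.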
Step 7: Create the Jenkins Pipeline
Next, create a Jenkins pipeline to use SonarQube and ShellCheck for analyzing your code repository, including shell scripts (.sh files), Python, and SQL files:
    pipeline {
        agent any
        environment {
            // Path of the sonar-scanner installation managed by the Jenkins SonarQube Scanner tool
            SONAR_SCANNER_PATH = 'C:\\ProgramData\\Jenkins\\.jenkins\\tools\\hudson.plugins.sonar.SonarRunnerInstallation\\sonar-scanner\\bin\\sonar-scanner.bat'
            SONAR_HOST_URL = 'http://localhost:9000/'
            SONAR_PROJECT_KEY = 'scanlocal'
            SONAR_PROJECT_NAME = 'scanlocal'
            SONAR_PROJECT_VERSION = '1.0'
        }
        stages {
            stage('Clone Repository') {
                steps {
                    git branch: 'master', url: 'https://sonarqubescanning-admin@bitbucket.org/sonarqubescanning/scanlocal.git', credentialsId: 'bb_coding'
                }
            }
            stage('SonarQube Analysis') {
                steps {
                    script {
                        // 'SonarQube' is the server name configured under Manage Jenkins -> System
                        withSonarQubeEnv('SonarQube') {
                            // sonar.qualitygate.wait=true makes the scanner block until the
                            // quality gate result is known and fail the build if the gate fails
                            bat """
                                %SONAR_SCANNER_PATH% ^
                                -Dsonar.host.url=%SONAR_HOST_URL% ^
                                -Dsonar.projectKey=%SONAR_PROJECT_KEY% ^
                                -Dsonar.projectName=%SONAR_PROJECT_NAME% ^
                                -Dsonar.sourceEncoding=UTF-8 ^
                                -Dsonar.qualitygate.wait=true ^
                                -Dsonar.projectVersion=%SONAR_PROJECT_VERSION% ^
                                -Dsonar.sources=. ^
                                -Dsonar.python.version=3.8 ^
                                -Dsonar.verbose=true
                            """
                        }
                    }
                }
            }
            stage('ShellCheck Verification') {
                steps {
                    script {
                        // Verify ShellCheck binary accessibility on the agent's PATH
                        bat """
                            shellcheck --version
                        """
                    }
                }
            }
        }
    }
Once the pipeline is triggered, Jenkins automatically runs the SonarQube analysis, in which the ShellCheck plugin inspects the shell scripts, and then verifies that the ShellCheck binary is reachable on the agent.
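To see locally what the SonarQube scan will report before pushing, the following PowerShell script is an added example, not part of the original post or the plugin, that runs the same shellcheck.exe the plugin uses against a constructed sample script, parses ShellCheck's JSON output, and fails the way a quality gate would on warning- or error-level findings. It assumes shellcheck.exe is on PATH (Step 4); the sample script, its two deliberate defects and the severity threshold are the example's own.

```powershell
# Added example (not from the original post): run ShellCheck locally on a constructed
# script and summarise its findings per severity. Assumes shellcheck.exe is on PATH.

# LF line endings on purpose: a CRLF file would trigger SC1017 instead of the real findings.
$SampleLines = @(
    '#!/bin/bash',
    '# constructed sample with two common findings',
    'file=$1',
    'cat $file          # unquoted expansion: word splitting and globbing',
    'cd /var/app        # unchecked cd: later commands run in the wrong directory if it fails',
    './deploy.sh'
)
$SamplePath = Join-Path $env:TEMP 'sample.sh'
[System.IO.File]::WriteAllText($SamplePath, ($SampleLines -join "`n") + "`n")

# -f json gives machine-readable output; -S style keeps every severity so nothing is hidden.
$Raw = & shellcheck -f json -S style $SamplePath
$Findings = @(($Raw -join "`n") | ConvertFrom-Json)

# One line per finding, ordered like the SonarQube issue list (severity, then line).
$Findings |
    Sort-Object level, line |
    ForEach-Object { '{0,-8} line {1,-3} SC{2}: {3}' -f $_.level, $_.line, $_.code, $_.message }

$Summary = $Findings | Group-Object level | ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }
Write-Host ('Findings by level: ' + ($Summary -join ', '))

# Block (as a quality gate would) when anything at warning or error level is present.
$Blocking = @($Findings | Where-Object { $_.level -in @('error', 'warning') })
if ($Blocking.Count -gt 0) {
    Write-Error "$($Blocking.Count) blocking ShellCheck finding(s)"
    exit 1
}
```

On the sample above ShellCheck reports the unquoted $file (SC2086) and the unchecked cd (SC2164); quoting the variable as "$file" and writing cd /var/app || exit clears both, after which the script exits 0.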
SonarQube Scan Result
The following image shows the result of the SonarQube scan performed using the pipeline script:
Conclusion
By following these steps, you have successfully integrated ShellCheck into SonarQube for shell script analysis. The Jenkins pipeline ensures automated and efficient code quality checks, improving your DevOps workflows and reducing the risk of errors in shell scripts.