The analyses that are not supported by build tools (Maven, Gradle, MSBuild, NPM, C/C++ build-wrapper) are executed through the SonarScanner CLI. This CLI comes with prerequisites on the runtime environment that bring complexity and decrease the user experience (JDK, NodeJS, ...).
Publishing a new Docker image sonar-scanner-cli would help to benefit from an out-of-the-box environment for running the scanner CLI. Some CI services already support the run of Docker images in build steps (TravisCI, CirrusCI, GitHub Actions).
The new Docker image must:
- have its sources in the GitHub repository SonarSource/sonar-scanner-cli-docker
- be built on every new commit and every day to validate dependency changes. TravisCI should be used instead of CirrusCI, that has some issues with building Docker from GKE.
- support the native env variable SONAR_SCANNER_OPTS to customise the JVM (see https://sonarcloud.io/documentation/analysis/scan/sonarscanner/)
- support the native env variable SONAR_TOKEN to set the authentication token
- forward scanner logs to the Docker container logs
- support storage of scanner local cache outside the container. This is convenient to survive to container crashes, or simply to be relevant when CI service starts a new container on each run. The container directory to be mounted is ~/.sonar.
- install the following dependencies:
- OpenJDK 11. Note that it's already embedded by the linux packaging of the sonar-scanner-cli.
- Typescript, required for analysing Typescript
- Pylint, required by some Python rules
- be documented as being LGPLv3-licensed
- to mimic SonarQube Docker project, tickets are tracked in GitHub Issues
The version of scanner CLI to support is 22.214.171.1249. It is referenced by the Docker aliases latest and 4.1.
As an improvement, the custom images used for SonarCloud Autoscan, GitHub Actions or Bitbucket Pipelines could benefit from this image by reusing or extending it. That brings interesting questions like [this one|https://github.com/newtmitch/docker-sonar-scanner/issues/30].
The community image https://github.com/newtmitch/docker-sonar-scanner and the [SonarCloud GitHub Action|https://github.com/SonarSource/sonarcloud-github-action/blob/master/Dockerfile] could be interesting sources of inspiration.
Updating and releasing the Docker image must be added to the release process of the scanner.
As an experiment, the Kanban board is implemented as a GitHub Project: https://github.com/SonarSource/sonar-scanner-cli-docker/projects/1