{"id":15017756,"url":"https://github.com/jetbrains/qodana-action","last_synced_at":"2025-05-15T10:01:07.101Z","repository":{"id":37965747,"uuid":"318547564","full_name":"JetBrains/qodana-action","owner":"JetBrains","description":"⚙️ Scan your Go, Java, Kotlin, PHP, Python, JavaScript, TypeScript, .NET projects at GitHub with Qodana. This repository contains Qodana for Azure, GitHub, CircleCI and Gradle","archived":false,"fork":false,"pushed_at":"2025-05-13T09:02:35.000Z","size":21277,"stargazers_count":278,"open_issues_count":3,"forks_count":42,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-05-13T10:22:25.086Z","etag":null,"topics":["actions","azure-extensions","azure-pipelines","code-quality","code-review","code-scanning","devsecops","dotnet","github-actions","go","java","javascript","kotlin","php","python","qodana","sarif","static-analysis","static-code-analysis","typescript"],"latest_commit_sha":null,"homepage":"https://jb.gg/qodana-github-action","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JetBrains.png","metadata":{"files":{"readme":"README.md","changelog":"changelog.sh","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-12-04T14:52:55.000Z","updated_at":"2025-05-13T06:23:39.000Z","dependencies_parsed_at":"2023-01-11T17:21:26.863Z","dependency_job_id":"c70b2725-454f-46d7-8a3d-a87ceab903f7","html_url":"https://github.com/JetBrains/qodana-action","commit_stats":{"total_commits":617,"total_committers":17,"mean_commits":"36.294117647058826","dds":"0.49
108589951377635","last_synced_commit":"31d6f3309b31c566758e1314a3d9ef0dff75ecbd"},"previous_names":[],"tags_count":56,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JetBrains%2Fqodana-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JetBrains%2Fqodana-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JetBrains%2Fqodana-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JetBrains%2Fqodana-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JetBrains","download_url":"https://codeload.github.com/JetBrains/qodana-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254319715,"owners_count":22051072,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","azure-extensions","azure-pipelines","code-quality","code-review","code-scanning","devsecops","dotnet","github-actions","go","java","javascript","kotlin","php","python","qodana","sarif","static-analysis","static-code-analysis","typescript"],"created_at":"2024-09-24T19:50:56.817Z","updated_at":"2025-05-15T10:01:06.633Z","avatar_url":"https://github.com/JetBrains.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Qodana Scan [\u003cimg src=\"https://api.producthunt.com/widgets/embed-image/v1/top-post-badge.svg?post_id=304841\u0026theme=dark\u0026period=daily\" alt=\"\" align=\"right\" width=\"190\" 
height=\"41\"\u003e](https://www.producthunt.com/posts/jetbrains-qodana)\n\n[![official JetBrains project](https://jb.gg/badges/official.svg)][jb:confluence-on-gh]\n[![GitHub Discussions](https://img.shields.io/github/discussions/jetbrains/qodana)][jb:discussions]\n[![Twitter Follow](https://img.shields.io/badge/follow-%40Qodana-1DA1F2?logo=twitter\u0026style=social)][jb:twitter]\n\n**Qodana** is a code quality monitoring tool that identifies and suggests fixes for bugs, security vulnerabilities,\nduplications, and imperfections.\n\n**Table of Contents**\n\n\u003c!-- toc --\u003e\n\n- Qodana Scan\n    - [Usage](#usage)\n    - [Configuration](#configuration)\n- [Issue Tracker](#issue-tracker)\n\n\u003c!-- tocstop --\u003e\n[//]: # (title: GitHub Actions)\n\n## Usage\n\nThe [Qodana Scan GitHub action](https://github.com/marketplace/actions/qodana-scan)\nallows you to run Qodana on a GitHub repository.\n\n\u003canchor name=\"basic-configuration\"\u003e\u003c/anchor\u003e\n\n### Basic configuration\n\nTo configure Qodana Scan, save the `.github/workflows/code_quality.yml` file containing the workflow configuration:\n\n```yaml\nname: Qodana\non:\n  workflow_dispatch:\n  pull_request:\n  push:\n    branches:\n      - main\n      - 'releases/*'\n\njobs:\n  qodana:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n      pull-requests: write\n      checks: write\n    steps:\n      - uses: actions/checkout@v3\n        with:\n          ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit\n          fetch-depth: 0  # a full history is required for pull request analysis\n      - name: 'Qodana Scan'\n        uses: JetBrains/qodana-action@v2025.1\n        env:\n          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} # read the steps about it below\n```\n\nTo set `QODANA_TOKEN` environment variable in the build configuration:\n\n1. 
In the GitHub UI,\n   create the `QODANA_TOKEN` [encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository)\n   and\n   save the [project token](https://www.jetbrains.com/help/qodana/cloud-projects.html#cloud-manage-projects) as its value.\n2. In the GitHub workflow file,\n   add the `QODANA_TOKEN` variable to the `env` section of the `Qodana Scan` step.\n\nUsing this workflow, Qodana will run on the main branch, release branches, and on the pull requests coming to your\nrepository.\n\nNote: `fetch-depth: 0` is required for checkout when Qodana runs in pull request mode\n(reporting only the issues that appeared in that pull request).\n\nWe recommend that you have a separate workflow file for Qodana\nbecause [different jobs run in parallel](https://help.github.com/en/actions/getting-started-with-github-actions/core-concepts-for-github-actions#job).\n\n![Qodana Cloud](https://user-images.githubusercontent.com/13538286/214899046-572649db-fe62-49b2-a368-b5d07737c1c1.gif)\n\n### Apply quick-fixes\n\nTo make Qodana automatically fix the issues it finds and push the changes to your repository,\nyou need to:\n1. Choose what kind of fixes to apply\n    - [Specify `fixesStrategy` in the `qodana.yaml` file in your repository root](https://www.jetbrains.com/help/qodana/qodana-yaml.html)\n    - Or set the action `args` property with the quick-fix strategy to use: `--apply-fixes` or `--cleanup`\n2. Set the `push-fixes` property to\n    - `pull-request`: create a new branch with fixes and create a pull request to the original branch\n    - or `branch`: push fixes to the original branch. Also, set `pr-mode` to `false`: currently, this mode is not supported for applying fixes.\n3. 
Set the correct permissions for the job (`contents: write`, `pull-requests: write`, `checks: write`)\n    - If you use `pull-request` value for `push-fixes` property: [**allow GitHub Actions to create and approve pull requests**](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests)\n\nExample configuration:\n\n```yaml\n- name: Qodana Scan\n  uses: JetBrains/qodana-action@v2025.1\n  with:\n    pr-mode: false\n    args: --apply-fixes\n    push-fixes: pull-request\n  env:\n    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\n\u003e **Note**\n\u003e Qodana could automatically modify not only the code, but also the configuration in `.idea`: if you do not wish to push these changes, add `.idea` to your `.gitignore` file.\n\nIf you want to do different `git` operations in the same job, you can disable `push-fixes` and do the wanted operations manually\n\n\u003cdetails\u003e\n\u003csummary\u003e 💡Full script example \u003c/summary\u003e\n\n```yaml\nname: Qodana\non:\n  workflow_dispatch:\n  pull_request:\n  push:\n    branches:\n      - master\n      - 'releases/*'\n\njobs:\n  qodana:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n      pull-requests: write\n      checks: write\n    steps:\n      - uses: actions/checkout@v3\n        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n          fetch-depth: 0\n      - name: 'Qodana Scan'\n        uses: JetBrains/qodana-action@v2025.1\n        with:\n          args: --cleanup\n      - run: |\n          git config user.name github-actions\n          git config user.email github-actions@github.com\n          git checkout -b quick-fixes-$GITHUB_RUN_ID\n          git add -- . 
':!.idea'\n          git commit -m \"I fixed some issues\"\n          git push origin quick-fixes-$GITHUB_RUN_ID\n          gh pr create --repo $GITHUB_REPOSITORY --base $GITHUB_REF_NAME --head quick-fixes-$GITHUB_RUN_ID --title \"Pull requests\" --body \"I fixed some issues\"\n        env:\n          GH_TOKEN: ${{ github.token }}\n```\n\u003c/details\u003e\n\n### GitHub code scanning\n\nYou can set\nup [GitHub code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)\nfor your project using Qodana. To do it, add these lines to the `code_quality.yml` workflow file right below\n[the basic configuration](#basic-configuration) of Qodana Scan:\n\n```yaml\n      - uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json\n```\n\nThis sample invokes `codeql-action` for uploading a SARIF-formatted Qodana report to GitHub, and specifies the report\nfile using the `sarif_file` key.\n\n\u003e GitHub code scanning does not export inspection results to third-party tools, which means that you cannot use this data for further processing by Qodana. In this case, you have to set up baseline and quality gate processing on the Qodana side prior to submitting inspection results to GitHub code scanning, see the\n[Quality gate and baseline](#quality-gate-and-baseline) section for details.\n\n### Pull request quality gate\n\nYou can enforce GitHub to block the merge of pull requests if the Qodana quality gate has failed. To do it, create a\n[branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule)\nas described below:\n\n1. Create a new or open an existing GitHub workflow that invokes the Qodana Scan action.\n2. 
Set the workflow to run on `pull_request` events that target the `main` branch.\n\n```yaml\non:\n  pull_request:\n    branches:\n      - main\n```\n\nYou can specify a different branch here instead of `main`.\n\n3. Set the Qodana action `fail-threshold` option to the number of problems (an integer) you are willing to accept.\n4. Under your repository name, click **Settings**.\n5. On the left menu, click **Branches**.\n6. In the branch protection rules section, click **Add rule**.\n7. Add `main` to **Branch name pattern**.\n8. Select **Require status checks to pass before merging**.\n9. Search for the `Qodana` status check, then select it.\n10. Click **Create**.\n\n\u003canchor name=\"quality-gate-and-baseline\"\u003e\u003c/anchor\u003e\n\n### Quality gate and baseline\n\nYou can combine the [quality gate](https://www.jetbrains.com/help/qodana/quality-gate.html) and [baseline](https://www.jetbrains.com/help/qodana/qodana-baseline.html) features to manage your\ntechnical debt, report only new problems, and block pull requests that contain too many problems.\n\nFollow these steps to establish a baseline for your project:\n\n1. Run Qodana [locally](https://www.jetbrains.com/help/qodana/getting-started.html#Analyze+a+project+locally) over your project:\n\n```shell\ncd project\nqodana scan --show-report\n```\n\n2. Open your report at `http://localhost:8080/`, [add detected problems](https://www.jetbrains.com/help/qodana/ui-overview.html#Technical+debt) to the baseline,\n   and download the `qodana.sarif.json` file.\n\n3. Upload the `qodana.sarif.json` file to your project root folder on GitHub.\n\n4. 
Append the `--baseline,qodana.sarif.json` argument to the `args` parameter of the Qodana Scan action configuration in the `code_quality.yml` file:\n\n```yaml\n- name: Qodana Scan\n  uses: JetBrains/qodana-action@main\n  with:\n    args: --baseline,qodana.sarif.json\n```\n\nTo update the baseline, repeat these steps.\n\nFrom this point on, GitHub will generate alerts only for new problems, that is, problems that were not added to the baseline.\n\nTo establish a quality gate in addition to the baseline, add this line to `code_quality.yml` right after the\n`baseline-path` line:\n\n```yaml\nfail-threshold: \u003cnumber-of-accepted-problems\u003e\n```\n\nWith this setup, only new problems in pull requests, those not covered by the baseline, are reported. At the same\ntime, pull requests with **new** problems exceeding the `fail-threshold` limit will be blocked, and the workflow will fail.\n\n### Get a Qodana badge\n\nTo set up a Qodana workflow badge in your repository, follow these steps:\n\n1. Navigate to the workflow run that you previously configured.\n2. On the workflow page, select **Create status badge**.\n3. 
Copy the Markdown text to your repository README file.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/13538286/148529278-5d585f1d-adc4-4b22-9a20-769901566924.png\" alt=\"Creating status badge\" width=\"706\"/\u003e\n\n## Configuration\n\nMost likely, you won't need other options than `args`: all other options can be helpful if you are configuring multiple Qodana Scan jobs in one workflow.\n\nUse [`with`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepswith) to define any action parameters:\n\n```yaml\nwith:\n  args: --baseline,qodana.sarif.json\n  cache-default-branch-only: true\n```\n\n| Name                        | Description                                                                                                                                                                                  | Default Value                                       |\n|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|\n| `args`                      | Additional [Qodana CLI `scan` command](https://github.com/jetbrains/qodana-cli#scan) arguments, split the arguments with commas (`,`), for example `-i,frontend,--print-problems`. Optional. | -                                                   |\n| `results-dir`               | Directory to store the analysis results. Optional.                                                                                                                                           | `${{ runner.temp }}/qodana/results`                 |\n| `upload-result`             | Upload Qodana results (SARIF, other artifacts, logs) as an artifact to the job. Optional.                                                                                                    
| `false`                                             |\n| `artifact-name`             | Specify Qodana results artifact name, used for results uploading. Optional.                                                                                                                  | `qodana-report`                                     |\n| `cache-dir`                 | Directory to store Qodana cache. Optional.                                                                                                                                                   | `${{ runner.temp }}/qodana/caches`                  |\n| `use-caches`                | Utilize [GitHub caches](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy) for Qodana runs. Optional.           | `true`                                              |\n| `primary-cache-key`         | Set [the primary cache key](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key). Optional.                                   | `qodana-2025.1-${{ github.ref }}-${{ github.sha }}` | \n| `additional-cache-key`      | Set [the additional cache key](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key). Optional.                                | `qodana-2025.1-${{ github.ref }}`                   |\n| `cache-default-branch-only` | Upload cache for the default branch only. Optional.                                                                                                                                          | `false`                                             |\n| `use-annotations`           | Use annotation to mark the results in the GitHub user interface. Optional.                                                                                                                   
| `true`                                              |\n| `pr-mode`                   | Analyze ONLY changed files in a pull request. Optional.                                                                                                                                      | `true`                                              |\n| `post-pr-comment`           | Post a comment with the Qodana results summary to the pull request. Optional.                                                                                                                | `true`                                              |\n| `github-token`              | GitHub token to access the repository: post annotations, comments. Optional.                                                                                                                 | `${{ github.token }}`                               |\n| `push-fixes`                | Push Qodana fixes to the repository, can be `none`, `branch` to the current branch, or `pull-request`. Optional.                                                                             
| `none`                                              |\n\n\n## Issue Tracker\n\nAll the issues, feature requests, and support related to Qodana are handled on [YouTrack][youtrack].\n\nIf you'd like to file a new issue, please use the link [YouTrack | New Issue][youtrack-new-issue].\n\n[gh:qodana]: https://github.com/JetBrains/qodana-action/actions/workflows/code_scanning.yml\n[youtrack]: https://youtrack.jetbrains.com/issues/QD\n[youtrack-new-issue]: https://youtrack.jetbrains.com/newIssue?project=QD\u0026c=Platform%20GitHub%20action\n[jb:confluence-on-gh]: https://confluence.jetbrains.com/display/ALL/JetBrains+on+GitHub\n[jb:discussions]: https://jb.gg/qodana-discussions\n[jb:twitter]: https://twitter.com/Qodana\n[jb:docker]: https://hub.docker.com/r/jetbrains/qodana\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetbrains%2Fqodana-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetbrains%2Fqodana-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetbrains%2Fqodana-action/lists"}