{"id":46963445,"url":"https://github.com/nelsoncanarinho/setup-sonar-action","last_synced_at":"2026-03-11T10:01:25.772Z","repository":{"id":60668456,"uuid":"541840349","full_name":"nelsoncanarinho/setup-sonar-action","owner":"nelsoncanarinho","description":"Setup a new project in SonarCloud from CI","archived":false,"fork":false,"pushed_at":"2023-02-08T19:12:14.000Z","size":393,"stargazers_count":2,"open_issues_count":3,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-10T21:58:41.704Z","etag":null,"topics":["github-actions","sonarcloud","typescript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nelsoncanarinho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-09-27T00:38:07.000Z","updated_at":"2025-10-29T12:25:34.000Z","dependencies_parsed_at":"2023-02-14T10:45:23.330Z","dependency_job_id":null,"html_url":"https://github.com/nelsoncanarinho/setup-sonar-action","commit_stats":{"total_commits":36,"total_committers":4,"mean_commits":9.0,"dds":0.4444444444444444,"last_synced_commit":"5dce4e53f6614238df84e3fc8ba2d8499666acae"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":"nelsoncanarinho/renewed-typescript-action","purl":"pkg:github/nelsoncanarinho/setup-sonar-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsoncanarinho%2Fsetup-sonar-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsoncanarinho%2Fsetup-sonar-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsoncanarinho%2Fsetup-sonar-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsoncanarinho%2Fsetup-sonar-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nelsoncanarinho","download_url":"https://codeload.github.com/nelsoncanarinho/setup-sonar-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nelsoncanarinho%2Fsetup-sonar-action/sbom","scorecard":{"id":679180,"data":{"date":"2025-08-11","repo":{"name":"github.com/nelsoncanarinho/setup-sonar-action","commit":"5dce4e53f6614238df84e3fc8ba2d8499666acae"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/analyze.yml:1","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Warn: no topLevel permission defined: .github/workflows/validate.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/analyze.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/analyze.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/analyze.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/analyze.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/nelsoncanarinho/setup-sonar-action/validate.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/nelsoncanarinho/setup-sonar-action/releases/79015311","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/nelsoncanarinho/setup-sonar-action/releases/79015311"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"17 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-21T22:32:50.528Z","repository_id":60668456,"created_at":"2025-08-21T22:32:50.528Z","updated_at":"2025-08-21T22:32:50.528Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30377837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T06:09:32.197Z","status":"ssl_error","status_checked_at":"2026-03-11T06:09:17.086Z","response_time":84,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","sonarcloud","typescript"],"created_at":"2026-03-11T10:00:59.857Z","updated_at":"2026-03-11T10:01:25.754Z","avatar_url":"https://github.com/nelsoncanarinho.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# set-up-sonar\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![ci](https://github.com/nelsoncanarinho/renewed-typescript-action/actions/workflows/main.yml/badge.svg)](https://github.com/nelsoncanarinho/renewed-typescript-action/actions/workflows/main.yml)\n[![semantic-release: angular](https://img.shields.io/badge/semantic--release-angular-e10079?logo=semantic-release)](https://github.com/semantic-release/semantic-release)\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=setup-sonar-action\u0026metric=alert_status)](https://sonarcloud.io/summary/new_code?id=setup-sonar-action)\n\n## Setup a new project in SonarCloud from CI\n\nThanks to the SonarCloud team, it's already easy to integrate it into your GitHub workflow using the [official action](https://github.com/SonarSource/sonarcloud-github-action), but some manual work is still required before you have your first analysis done.\n\nThis action offers an intuitive way to prepare your project to be analyzed for the first time directly from your CI pipeline. It may help you to build templates or reusable workflows integrated with SonarCloud without leaving GitHub.\n\n## Requirements\n\n- Have an account in SonarCloud;\n- A SonarCloud API token;\n\n## Usage\n\nFirst, create a secret with your SonarCloud API token following [this guide](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository), and then add this action to your workflow like below:\n\n```yml\n- name: Setup SonarCloud\n  uses: nelsoncanarinho/setup-sonar@v1.0.0\n  with:\n    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}\n```\n\nThis will create a new project in your SonarCloud organization using your repo name as the project key. It'll also rename Sonar's default branch to match the GitHub default (`main`).\n\nThe action will always output a `SONAR_ORGANIZATION` and `SONAR_PROJECT_KEY`, but it creates the project only once, as expected.\n\nA standard workflow would look like this:\n\n```yml\non:\n  push:\n    branches:\n      - main\njobs:\n  sonarcloud:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n        with:\n          fetch-depth: 0\n\n      - name: Setup Sonar\n        id: setupSonar\n        uses: nelsoncanarinho/setup-sonar@v1.0.0\n        with:\n          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}\n\n      - name: SonarCloud Scan\n        uses: sonarsource/sonarcloud-github-action@master\n        with:\n          args: \u003e\n            -Dsonar.organization=${{steps.setupSonar.outputs.SONAR_ORGANIZATION}}\n            -Dsonar.projectKey=${{steps.setupSonar.outputs.SONAR_PROJECT_KEY}}\n            -Dsonar.qualitygate.wait=true ## Failed analysis will fail the action\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}\n```\n\n## Action Inputs\n\n```yml\nSONAR_PROJECT_NAME:\n  description: 'Sonar custom name for the project. Default is the repo name.'\nSONAR_PROJECT_KEY:\n  description: 'Sonar custom project key. Default is the repo name.'\n  required: false\nSONAR_ORGANIZATION:\n  description: 'Name of the organization configured in Sonar. Default is the repo owner. Be aware that your SONAR_TOKEN must have privileges to create projects in the provided organization.'\n  required: false\nSONAR_DEFAULT_BRANCH:\n  description: 'Name of the main branch of the project'\n  required: false\n  default: main\nSONAR_TOKEN:\n  description: 'Sonar token used to integrate with the SonarCloud API.'\n  required: true\n```\n\n## Action Outputs\n\n```yml\nSONAR_ORGANIZATION:\n  description: 'Sonar organization for the created project'\nSONAR_PROJECT_KEY:\n  description: 'Sonar project key for the created project'\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnelsoncanarinho%2Fsetup-sonar-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnelsoncanarinho%2Fsetup-sonar-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnelsoncanarinho%2Fsetup-sonar-action/lists"}