ShaoHua cf8e033aa6
fix workflow: remove github dependency + duplicate scan
2025-12-05 16:45:55 +08:00

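---
# Gitea Actions workflow: OWASP Dependency-Check + SonarQube analysis of the
# .NET project, followed by a Blocker-issue gate against the SonarQube API.
# Every `run:` step is PowerShell (backtick continuations, $env:, Out-File),
# so it relies on the self-hosted Windows runner's default shell being
# PowerShell/pwsh — TODO confirm, or set `defaults.run.shell` explicitly once
# the runner's installed shell is known.
name: SonarQube Code Quality Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: self-hosted
    env:
      # Quoted so the YAML parser keeps them as strings (env vars are strings).
      PROXY_HOST: "127.0.0.1"
      PROXY_PORT: "7890"
      DC_VERSION: "11.0.0"  # not referenced by any step visible here
      DC_OUTPUT: ./depcheck
    steps:
      - name: Checkout Code (Gitea)
        # NOTE(review): `v4` is a moving tag; pin to a full commit SHA if the
        # project requires immutable action references.
        uses: actions/checkout@v4

      - name: Add Sonar Scanner to PATH
        # -Append is required: Out-File without it truncates GITHUB_PATH and
        # drops any entries earlier steps added.
        run: |
          echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Verify .NET SDK
        run: |
          dotnet --list-sdks
          dotnet --version

      - name: Run OWASP Dependency Check
        # `&` is required: a quoted path at the start of a PowerShell statement
        # is a string expression, not a command invocation, so without it the
        # scanner never ran. The -D arguments are quoted so the `$env:` values
        # expand predictably, and the .bat exit code is checked explicitly
        # because PowerShell does not fail a step on a native command's
        # non-zero exit on its own.
        run: |
          New-Item -Path $env:DC_OUTPUT -ItemType Directory -Force
          & "D:\Paths\Gitea\dependency-check\bin\dependency-check.bat" `
            --project "VectorDBDemo" `
            --scan "." `
            --format "XML" `
            --out "$env:DC_OUTPUT" `
            "-Dproxy.host=$env:PROXY_HOST" `
            "-Dproxy.port=$env:PROXY_PORT" `
            -DconnectionTimeout=30000 `
            -DreadTimeout=30000
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      - name: Build .NET Project
        # Each dotnet call is gated on its exit code; otherwise a failed
        # restore is masked by the build that follows it.
        run: |
          dotnet restore
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          dotnet build --configuration Release --no-restore
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      - name: SonarQube Full Scan
        # The token reaches the script only through the environment; it is not
        # interpolated into the script text, so it cannot be echoed by a quoting
        # mistake and the runner's secret masking applies to the env value.
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          # NOTE(review): unpinned tool version; add `--version <x.y.z>` for a
          # reproducible scanner. The exit code is deliberately not gated here:
          # on a persistent self-hosted runner the tool may already be
          # installed, in which case `install` can exit non-zero.
          dotnet tool install --global dotnet-sonarscanner --no-cache
          dotnet sonarscanner begin `
            /k:"vectordbdemo" `
            /d:sonar.host.url="http://127.0.0.1:9000" `
            /d:sonar.login="$env:SONAR_TOKEN" `
            /d:sonar.sources="./" `
            /d:sonar.exclusions="**/obj/**,**/bin/**,depcheck/**" `
            /d:sonar.dependencyCheck.xmlReportPath="$env:DC_OUTPUT\dependency-check-report.xml" `
            /d:sonar.verbose=true
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          dotnet build --configuration Release --no-restore
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          dotnet sonarscanner end `
            /d:sonar.login="$env:SONAR_TOKEN"
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      - name: Fetch SonarQube Blocker Issues
        id: fetch_issues
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        # NOTE(review): SonarQube processes a submitted report asynchronously;
        # if this step runs before the server-side task finishes, `total` may
        # reflect the previous analysis — confirm whether a wait on the
        # compute-engine task is needed before gating on the count.
        run: |
          # Fail the step on a failed API call instead of silently reading a
          # missing response as "0 blockers".
          $ErrorActionPreference = 'Stop'
          $projectKey = "vectordbdemo"
          $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?componentKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
          # A SonarQube token is sent as the Basic-auth user name with an empty
          # password; ${env:...} keeps the trailing ':' out of the variable name.
          $auth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${env:SONAR_TOKEN}:"))
          $response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{ Authorization = "Basic $auth" }
          # [int] turns a missing/null total into 0 rather than a null compare.
          $blockerCount = [int]$response.total
          echo "blocker_issues_count=$blockerCount" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
          if ($blockerCount -gt 0) {
            # Under ErrorActionPreference=Stop, Write-Error already terminates;
            # exit 1 keeps the failure explicit.
            Write-Error "Found $blockerCount Blocker issues in SonarQube"
            exit 1
          }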