kosli attest sonar

Synopsis

Report a SonarCloud or SonarQube attestation to an artifact or a trail in a Kosli flow.
Retrieves the results of the specified scan from SonarCloud or SonarQube and attests them to Kosli. The results are parsed to find the status of the project's quality gate, which determines the attestation's compliance status.

The scan to be retrieved can be specified in two ways:

  1. (Default) Using metadata created by the Sonar scanner. By default this is located in a temporary .scannerwork folder in the repo base directory. If you have overridden the location of this folder by passing parameters to the Sonar scanner, or are running Kosli's CLI locally outside the repo's base directory, you can provide the correct path using the --sonar-working-dir flag. This metadata is generated by a specific scan, allowing Kosli to retrieve the results of exactly that scan.
  2. Providing the Sonar project key and the revision of the scan (plus the SonarQube server URL if relevant). If the Kosli CLI is running in a CI/CD pipeline, the revision defaults to the commit SHA. If you are running the command locally, or have overridden the revision in SonarCloud/SonarQube via parameters to the Sonar scanner, you can provide the correct revision using the --sonar-revision flag. Kosli then finds the scan results for the specified project key and revision.

Note that if your project is very large and you are using SonarCloud's automatic analysis, it is possible for the attest sonar command to run before the SonarCloud scan is completed. In this case, we recommend using Kosli's Sonar webhook integration ( https://docs.kosli.com/integrations/sonar/ ) rather than the CLI to attest the scan results.

The attestation can be bound to a trail using the trail name.

If the attestation is for an artifact, it can be bound to the artifact in one of two ways:

  • using the artifact's SHA256 fingerprint, which is either calculated by the CLI (based on the --artifact-type flag and the artifact name/path argument) or provided directly (with the --fingerprint flag).
  • using the artifact's name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.

kosli attest sonar [IMAGE-NAME | FILE-PATH | DIR-PATH] [flags]
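The two scan-selection modes above, and the race with SonarCloud's automatic analysis noted earlier, are illustrated by the following wrapper script. It is an added example written for this page, not code from the Kosli documentation or the Kosli CLI. It assumes, beyond what the page states, that the Sonar scanner writes its metadata to <working-dir>/report-task.txt as key=value lines (projectKey, serverUrl, ceTaskUrl), that the Sonar API accepts the token as the basic-auth user name, and that the analysis task JSON carries a "status" field with values such as PENDING, IN_PROGRESS, SUCCESS or FAILED. The metadata file it reads is constructed inline.

```shell
#!/bin/sh
# Added example (not Kosli's code). Picks the scan-selection mode from what is
# on disk, waits for the Sonar background task to finish so the attestation is
# not made against an unfinished analysis, and prints the resulting command.
# Assumed (not stated on the Kosli page): report-task.txt layout, token as
# basic-auth user, task JSON "status" values. Sample data below is constructed.
set -e

# read_report_key FILE KEY: print the value of KEY from a key=value file.
read_report_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# choose_mode DIR: "metadata" when scanner metadata exists, else "key-revision".
choose_mode() {
    if [ -f "$1/report-task.txt" ]; then
        printf '%s' metadata
    else
        printf '%s' key-revision
    fi
}

# build_attest_args MODE DIR PROJECT_KEY REVISION SERVER_URL: print only the
# mode-specific flags that are appended to "kosli attest sonar".
build_attest_args() {
    mode=$1; dir=$2; key=$3; rev=$4; server=$5
    case "$mode" in
        metadata)
            printf '%s' "--sonar-working-dir $dir" ;;
        key-revision)
            args="--sonar-project-key $key --sonar-revision $rev"
            # SonarCloud is the CLI's default server; only SonarQube needs the URL
            if [ "$server" != "https://sonarcloud.io" ]; then
                args="$args --sonar-server-url $server"
            fi
            printf '%s' "$args" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# status_from_task_json JSON: extract the task status without needing jq.
status_from_task_json() {
    printf '%s' "$1" | sed -n 's/.*"status" *: *"\([A-Z_]*\)".*/\1/p'
}

# wait_for_analysis CE_TASK_URL TOKEN: poll the task URL recorded by the scanner
# until it leaves PENDING/IN_PROGRESS; succeed only on SUCCESS. Network call,
# so it is not exercised by the demonstration below.
wait_for_analysis() {
    i=0
    while [ "$i" -lt 60 ]; do
        body=$(curl -fsS -u "$2:" "$1") || body=''
        status=$(status_from_task_json "$body")
        case "$status" in
            SUCCESS) return 0 ;;
            PENDING|IN_PROGRESS|'') sleep 5; i=$((i + 1)) ;;
            *) echo "analysis task ended with status '$status'" >&2; return 1 ;;
        esac
    done
    echo "timed out waiting for the analysis task" >&2
    return 1
}

# Demonstration on a constructed metadata file (no scanner run, no network).
work=$(mktemp -d)
cat > "$work/report-task.txt" <<'EOF'
projectKey=example-org_example-service
serverUrl=https://sonarcloud.io
ceTaskId=CONSTRUCTED-TASK-ID
ceTaskUrl=https://sonarcloud.io/api/ce/task?id=CONSTRUCTED-TASK-ID
EOF

mode=$(choose_mode "$work")
key=$(read_report_key "$work/report-task.txt" projectKey)
echo "mode: $mode, project key: $key"
echo "kosli attest sonar --name yourAttestationName --flow yourFlowName --trail yourTrailName \\"
echo "  --sonar-api-token \"\$SONAR_TOKEN\" $(build_attest_args "$mode" "$work" "$key" yourSonarRevision https://sonarcloud.io) \\"
echo "  --api-token \"\$KOSLI_API_TOKEN\" --org yourOrgName"
rm -rf "$work"
```

In a real pipeline you would call wait_for_analysis with the ceTaskUrl read from report-task.txt before running the printed command, so the quality gate status Kosli records belongs to a completed analysis; if the metadata file is absent (a checkout analysed elsewhere, or SonarCloud automatic analysis), the key-revision branch produces the flags for the second mode instead.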

Flags

Flag Description
--annotate stringToString [optional] Annotate the attestation with data using key=value.
-t, --artifact-type string The type of the artifact to calculate its SHA256 fingerprint. One of: [oci, docker, file, dir]. Only required if you want Kosli to calculate the fingerprint for you (i.e. when you don't specify '--fingerprint' on commands that allow it).
--attachments strings [optional] The comma-separated list of paths of attachments for the reported attestation. Attachments can be files or directories. All attachments are compressed and uploaded to Kosli's evidence vault.
-g, --commit string [conditional] The git commit the attestation is associated with. Becomes required when reporting an attestation for an artifact before reporting the artifact itself to Kosli. (defaulted in some CIs: https://docs.kosli.com/ci-defaults ).
--description string [optional] attestation description
-D, --dry-run [optional] Run in dry-run mode. When enabled, no data is sent to Kosli and the CLI exits with 0 exit code regardless of any errors.
-x, --exclude strings [optional] The comma separated list of directories and files to exclude from fingerprinting. Can take glob patterns. Only applicable for --artifact-type dir.
--external-fingerprint stringToString [optional] A SHA256 fingerprint of an external attachment represented by --external-url. The format is label=fingerprint (labels cannot contain '.' or '='). This flag can be set multiple times. There must be an external url with a matching label for each external fingerprint.
--external-url stringToString [optional] Add labeled reference URL for an external resource. The format is label=url (labels cannot contain '.' or '='). This flag can be set multiple times. If the resource is a file or dir, you can optionally add its fingerprint via --external-fingerprint
-F, --fingerprint string [conditional] The SHA256 fingerprint of the artifact to attach the attestation to. Only required if the attestation is for an artifact and --artifact-type and artifact name/path are not used.
-f, --flow string The Kosli flow name.
-h, --help help for sonar
-n, --name string The name of the attestation as declared in the flow or trail yaml template.
-o, --origin-url string [optional] The url pointing to where the attestation came from or is related. (defaulted to the CI url in some CIs: https://docs.kosli.com/ci-defaults ).
--redact-commit-info strings [optional] The list of commit info to be redacted before sending to Kosli. Allowed values are one or more of [author, message, branch].
--registry-password string [conditional] The container registry password or access token. Only required if you want Kosli to read the container image's SHA256 digest from a remote container registry.
--registry-username string [conditional] The container registry username. Only required if you want Kosli to read the container image's SHA256 digest from a remote container registry.
--repo-root string [defaulted] The directory where the source git repository is available. Only used if --commit is used. (default ".")
--sonar-api-token string [required] SonarCloud/SonarQube API token.
--sonar-project-key string [conditional] The project key of the SonarCloud/SonarQube project. Only required if you want to use the project key/revision to get the scan results rather than using Sonar's metadata file.
--sonar-revision string [conditional] The revision of the SonarCloud/SonarQube project. Only required if you want to use the project key/revision to get the scan results rather than using Sonar's metadata file and you have overridden the default revision, or you aren't using a CI. Defaults to the value of the git commit flag.
--sonar-server-url string [conditional] The URL of your SonarQube server. Only required if you are using SonarQube and not using SonarQube's metadata file to get scan results. (default "https://sonarcloud.io")
--sonar-working-dir string [conditional] The base directory of the repo scanned by SonarCloud/SonarQube. Only required if you have overridden the default in the Sonar scanner or you are running the CLI locally in a separate folder from the repo. (default ".scannerwork")
-T, --trail string The Kosli trail name.
-u, --user-data string [optional] The path to a JSON file containing additional data you would like to attach to the attestation.

Flags inherited from parent commands

Flag Description
-a, --api-token string The Kosli API token.
-c, --config-file string [optional] The Kosli config file path. (default "kosli")
--debug [optional] Print debug logs to stdout. A boolean flag https://docs.kosli.com/faq/#boolean-flags (default false)
-H, --host string [defaulted] The Kosli endpoint. (default "https://app.kosli.com")
--http-proxy string [optional] The HTTP proxy URL including protocol and port number. e.g. 'http://proxy-server-ip:proxy-port'
-r, --max-api-retries int [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3)
--org string The Kosli organization.

Live Examples in different CI systems

View an example of the kosli attest sonar command in GitHub.

In this YAML file, which created this Kosli Event.

Example Use Cases

report a sonarcloud attestation about a trail using Sonar's metadata

kosli attest sonar \
	--name yourAttestationName \
	--flow yourFlowName \
	--trail yourTrailName \
	--sonar-api-token yourSonarAPIToken \
	--sonar-working-dir yourSonarWorkingDirPath \
	--api-token yourAPIToken \
	--org yourOrgName

report a sonarqube attestation about a trail using Sonar's metadata

kosli attest sonar \
	--name yourAttestationName \
	--flow yourFlowName \
	--trail yourTrailName \
	--sonar-api-token yourSonarAPIToken \
	--sonar-working-dir yourSonarWorkingDirPath \
	--api-token yourAPIToken \
	--org yourOrgName

report a sonarcloud attestation for a specific branch about a trail using key/revision

kosli attest sonar \
	--name yourAttestationName \
	--flow yourFlowName \
	--trail yourTrailName \
	--sonar-api-token yourSonarAPIToken \
	--sonar-project-key yourSonarProjectKey \
	--sonar-revision yourSonarRevision \
	--branch-name yourBranchName \
	--api-token yourAPIToken \
	--org yourOrgName

report a sonarqube attestation for a pull-request about a trail using key/revision

kosli attest sonar \
	--name yourAttestationName \
	--flow yourFlowName \
	--trail yourTrailName \
	--sonar-api-token yourSonarAPIToken \
	--sonar-server-url yourSonarQubeURL \
	--sonar-project-key yourSonarProjectKey \
	--sonar-revision yourSonarRevision \
	--pull-request-id yourPullRequestID \
	--api-token yourAPIToken \
	--org yourOrgName

report a sonarcloud attestation about a trail with an attachment using Sonar's metadata

kosli attest sonar \
	--name yourAttestationName \
	--flow yourFlowName \
	--trail yourTrailName \
	--sonar-api-token yourSonarAPIToken \
	--sonar-working-dir yourSonarWorkingDirPath \
	--attachments yourAttachmentPath \
	--api-token yourAPIToken \
	--org yourOrgName