The Qodana Scan GitHub action allows you to run Qodana on a GitHub repository.
Prepare your project
You may need to grant GitHub permissions for running
Qodana Scan as shown below.
In your repository, navigate to.
In thesection, click .
In thefield, specify
JetBrains/qodana-action@*and then click .
To configure Qodana Scan, save the
.github/workflows/code_quality.yml file containing the workflow configuration:
Using this workflow, Qodana will run on the main branch, release branches, and on the pull requests coming to your repository.
fetch-depth: 0is required for checkout in case Qodana works in pull request mode (reports issues that appeared only in that pull request)
timeout-minutesspecifies the timeout for running Qodana, which can be helpful especially if you run Qodana without cache
We recommend that you have a separate workflow file for Qodana because different jobs run in parallel.
GitHub code scanning
This sample invokes
codeql-action for uploading a SARIF-formatted Qodana report to GitHub and specifies the report file using the
Pull request quality gate
You can enforce GitHub to block the merge of pull requests if the Qodana quality gate has failed. To do it, create a branch protection rule as described below:
Create a new or open an existing GitHub workflow that invokes the Qodana Scan action.
Set the workflow to run on
pull_requestevents that target the
main, you can specify your branch here.
Set the number of problems (integer) for the Qodana action
Under your repository name, click Settings.
On the left menu, click Branches.
In the branch protection rules section, click Add rule.
mainto Branch name pattern.
Select Require status checks to pass before merging.
Search for the
Qodanastatus check, then check it.
Quality gate and baseline
Follow these steps to establish a baseline for your project:
Run Qodana locally over your project:
Open your report at
http://localhost:8080/, add detected problems to the baseline, and download the
qodana.sarif.jsonfile to your project root folder on GitHub.
--baseline,qodana.sarif.jsonargument to the Qodana Scan action configuration
argsparameter in the
If you want to update the baseline, you must repeat these steps.
After that, the Qodana Scan GitHub action will generate alerts only for the problems that were not added to the baseline as new.
To establish a quality gate additionally to the baseline, add this line to
qodana.yaml in the root of your repository:
Based on this, you will be able to detect only new problems in pull requests that fall beyond the baseline. At the same time, pull requests with new problems exceeding the
fail-threshold limit will be blocked, and the workflow will fail.
To forward inspection results to Qodana Cloud, all you need to do is to specify the
QODANA_TOKEN environment variable in the build configuration.
In the GitHub workflow file, add
QODANA_TOKENvariable to the
envsection of the
After the token is set for analysis, all Qodana job results will be uploaded to your Qodana Cloud project.
Get a Qodana badge
You can set up a Qodana workflow badge in your repository. To do it, follow these steps:
Navigate to the workflow run that you previously configured.
On the workflow page, select Create status badge.
Copy the Markdown text to your repository README file.
Most likely, you won't need other options than
args: all other options can be helpful if you are configuring multiple Qodana Scan jobs in one workflow.
with to define any action parameters:
Additional Qodana CLI
Directory to store the analysis results. Optional.
Upload Qodana results as an artifact to the job. Optional.
Specify Qodana results artifact name, used for results uploading. Optional.
Directory to store Qodana cache. Optional.
Utilize GitHub caches for Qodana runs. Optional.
Set the primary cache key. Optional.
Set the additional cache key. Optional.
Upload cache for the default branch only. Optional.
Use annotation to mark the results in the GitHub user interface. Optional.
Analyze only changed files in a pull request. Optional.