SonarQube analysis
The PTB supports using SonarQube Cloud to analyze, visualize, and track linting, security, and coverage results. All of our Python projects should be evaluated against the Exasol Way and follow the Clean as You Code methodology. If the code modified in a PR does not satisfy these criteria, the SonarQube analysis fails.
The PTB includes instructions for setting up a GitHub bot that displays the results of the Sonar analysis in your pull requests, both as a stylized comment and as a workflow result. The section Configuration gives instructions for public and private repositories.
Configuration
Public GitHub repository
In GitHub
A GitHub Admin will need to:
- Inherit the organization secret ‘SONAR_TOKEN’
- Activate the SonarQubeCloud App
- Post-merge: update the branch protections to require the SonarQube analysis. This should only be done when tests exist for the project and the project is in a state in which enforced code coverage would not be a burden. If you do not enact branch protections now, it is recommended to create an issue to do so later.
In Sonar
- Create a project on SonarCloud
- The project key should follow the pattern com.exasol:<project-key>, e.g. com.exasol:python-toolbox
To alter the project further, you will need the help of a SonarQube Admin.
In the code
- Specify in the noxconfig.py the relative path to the project’s source code in Config.source:

```python
source: Path = Path("exasol/<source-directory>")
```

- Add the following to the project’s pyproject.toml file:

```toml
[tool.sonar]
projectKey = "<sonar-project-key>"
hostUrl = "https://sonarcloud.io"
organization = "exasol"
exclusions = "<source-directory>/version.py,<source-directory>/<directory-to-ignore>/*"
```
Private GitHub repository
Note
As of 2025-07-29, these instructions have not been used. Thus, they should be scrutinized and refined when they are used to configure a private repository.
In GitHub
A GitHub Admin will need to:
- Add the individual ‘PRIVATE_SONAR_TOKEN’ to the ‘Organization secrets’
- Activate the exasonarqubeprchecks App
- Post-merge: update the branch protections to require the SonarQube analysis. This should only be done when tests exist for the project and the project is in a state in which enforced code coverage would not be a burden. If you do not enact branch protections now, it is recommended to create an issue to do so later.
In Sonar
An IT Admin will need to:
- Create a project on https://sonar.exasol.com
- The project key should follow the pattern com.exasol:<project-key>, e.g. com.exasol:python-toolbox
In the code
- Specify in the noxconfig.py the relative path to the project’s source code in Config.source:

```python
source: Path = Path("exasol/<source-directory>")
```

- Add the following to the project’s pyproject.toml file:

```toml
[tool.sonar]
projectKey = "com.exasol:<project-key>"
hostUrl = "https://sonar.exasol.com"
organization = "exasol"
exclusions = "<source-directory>/version.py,<source-directory>/<directory-to-ignore>/*"
```