SonarQube analysis

The PTB supports using SonarQube Cloud to analyze, visualize, & track linting, security, & coverage results. All of our Python projects should be evaluated against the Exasol Way and subscribe to the Clean as You Code methodology. If the code modified in a PR does not satisfy these criteria, the SonarQube analysis fails.

The PTB includes instructions to set up a GitHub bot that displays the results of the Sonar analysis in your pull requests as a stylized comment and as a workflow result. The Configuration section gives instructions for public and private repositories.

Configuration

Public GitHub repository

In GitHub

A GitHub Admin will need to:

  1. Inherit organization secret ‘SONAR_TOKEN’

  2. Activate the SonarQubeCloud App

  3. Post-merge: update the branch protections to include SonarQube analysis.

  • This should only be done when tests exist for the project and the project is at a state in which enforced code coverage would not be a burden. If you do not enact branch protections now, it is recommended to create an issue to do so later.

In Sonar

  1. Create a project on SonarCloud

  • Project key should follow this pattern, e.g. com.exasol:python-toolbox

  • To alter the project further, you will need the help of a SonarQube Admin.

In the code

  1. In noxconfig.py, set Config.source to the relative path of the project’s source code
    source: Path = Path("exasol/<source-directory>")
    
  2. Add the following to the project’s pyproject.toml
    [tool.sonar]
    projectKey = "<sonar-project-key>"
    host.url = "https://sonarcloud.io"
    organization = "exasol"
    exclusions = "<source-directory>/version.py,<source-directory>/<directory-to-ignore>/*"
    

Note

For more information, see the General remarks section.

Private GitHub repository

Note

As of 2025-07-29, these instructions have not been used. Thus, they should be scrutinized and refined when they are used to configure a private repository.

In GitHub

A GitHub Admin will need to:

  1. Add the individual ‘PRIVATE_SONAR_TOKEN’ to the ‘Organization secrets’

  2. Activate the exasonarqubeprchecks App

  3. Post-merge: update the branch protections to include SonarQube analysis.

  • This should only be done when tests exist for the project and the project is at a state in which enforced code coverage would not be a burden. If you do not enact branch protections now, it is recommended to create an issue to do so later.

In Sonar

An IT Admin will need to:

  1. Create a project on https://sonar.exasol.com

  • Project key should follow this pattern, e.g. com.exasol:python-toolbox

In the code

  1. In noxconfig.py, set Config.source to the relative path of the project’s source code
    source: Path = Path("exasol/<source-directory>")
    
  2. Add the following to the project’s pyproject.toml
    [tool.sonar]
    projectKey = "com.exasol:<project-key>"
    host.url = "https://sonar.exasol.com"
    organization = "exasol"
    exclusions = "<source-directory>/version.py,<source-directory>/<directory-to-ignore>/*"
    

Note

For more information, see the General remarks section.

General remarks

For additional configuration information, see Sonar’s analysis parameters page.

exclusions

With the value of exclusions, you can exclude files and directories of your project from Sonar’s analysis:

  • You can use wildcards, e.g. <root>/dir/*.py or <root>/**/*.py

  • Multiple exclusions can be comma-separated (as shown above).

  • For excluding arbitrary directories and files below a specific directory, please use two asterisks, e.g. root/abc/**.

See the Sonar Matching Patterns for more details.

By default, the nox session sonar:check only analyses the source code specified by PROJECT_CONFIG.source, so directories outside it are already excluded from analysis.