Add SonarQube analysis (#25)

* Add SonarQube scanning to CI/CD pipeline
* Enable shell scanning
* Enable Docker and GitHub actions scanning
* Have packages listed alphabetically (docker:S7018)
* Prefer COPY to ADD (docker:S7029)
* Enclose variables in double quotes (docker:S6570)
* Make return values explicit when appropriate (shelldre:S7682) and better report some errors

Author: ebariaux

.github/workflows/proxy.yml

@@ -92,3 +92,8 @@ jobs:
       - name: Inspect Anchore scan SARIF report
         if: ${{ !cancelled() }}
         run: cat ${{ steps.anchore-scan.outputs.sarif }}
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -61,17 +61,17 @@ ENV CHROOT_DIR=/etc/haproxy/webroot
 
 # Install certbot and Route53 DNS plugin
 RUN apk update \
-    && apk add --no-cache certbot py-pip inotify-tools tar curl openssl \
+    && apk add --no-cache certbot curl inotify-tools openssl py-pip tar \
     && rm -f /var/cache/apk/* \
     && pip install certbot-dns-route53 --break-system-packages
 
 # Add ACME LUA plugin
 ADD acme-plugin.tar.gz /etc/haproxy/lua/
 
-RUN mkdir -p ${CHROOT_DIR} \
-    && mkdir -p ${CERT_DIR} \
+RUN mkdir -p "${CHROOT_DIR}" \
+    && mkdir -p "${CERT_DIR}" \
     && mkdir -p /var/log/letsencrypt \
-    && mkdir -p ${LE_DIR} && chown haproxy:haproxy ${LE_DIR} \
+    && mkdir -p "${LE_DIR}" && chown haproxy:haproxy "${LE_DIR}" \
     && mkdir -p /etc/letsencrypt \
     && mkdir -p /var/lib/letsencrypt \
     && touch /etc/periodic/daily/cert-renew \
@@ -81,18 +81,18 @@ RUN mkdir -p ${CHROOT_DIR} \
     && chown -R haproxy:haproxy /etc/haproxy \
     && chown -R haproxy:haproxy /var/lib/letsencrypt \
     && chown -R haproxy:haproxy /var/log/letsencrypt \
-    && chown -R haproxy:haproxy ${CHROOT_DIR} \
-    && chown -R haproxy:haproxy ${CERT_DIR}
+    && chown -R haproxy:haproxy "${CHROOT_DIR}" \
+    && chown -R haproxy:haproxy "${CERT_DIR}"
 
 RUN apk del tar && \
     rm -f /var/cache/apk/*
 
-ADD haproxy.cfg /etc/haproxy/haproxy.cfg
-ADD haproxy-edge-terminated-tls.cfg /etc/haproxy/haproxy-edge-terminated-tls.cfg
-ADD certs /etc/haproxy/certs
+COPY haproxy.cfg /etc/haproxy/haproxy.cfg
+COPY haproxy-edge-terminated-tls.cfg /etc/haproxy/haproxy-edge-terminated-tls.cfg
+COPY certs /etc/haproxy/certs
 
-ADD cli.ini /root/.config/letsencrypt/
-ADD entrypoint.sh /
+COPY cli.ini /root/.config/letsencrypt/
+COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK --interval=5s --timeout=3s --start-period=5s --retries=10 CMD curl --fail --silent "http://127.0.0.1:${HTTP_PORT}/docker-health" || exit 1

entrypoint.sh

@@ -140,9 +140,11 @@ restart() {
   if check_proxy; then
     log_info "Config is valid so requesting restart..."
     $HAPROXY_RESTART_CMD
-  else
-    log_info "HAProxy config invalid, not restarting..."
+    return $?
   fi
+
+  log_info "HAProxy config invalid, not restarting..."
+  return 1
 }
 
 start_monitor() {
@@ -423,7 +425,7 @@ cert_init() {
 sync_haproxy() {
   if [ -z "$RENEWED_LINEAGE" ]; then
     log_error "sync-haproxy expect RENEWED_LINEAGE variable to be set"
-    exit 1
+    return 1
   fi
 
   DOMAIN_FOLDER="$RENEWED_LINEAGE"
@@ -433,8 +435,9 @@ sync_haproxy() {
 
   cat "${DOMAIN_FOLDER}/privkey.pem" \
    "${DOMAIN_FOLDER}/fullchain.pem" \
-   > "/tmp/haproxy.pem"
-   mv "/tmp/haproxy.pem" "${CERT_DIR}/${DOMAIN}"
+   > "/tmp/haproxy.pem" || return $?
+  mv "/tmp/haproxy.pem" "${CERT_DIR}/${DOMAIN}"
+  return $?
 }
 
 if [ $# -eq 0 ]

sonar-project.properties

@@ -0,0 +1,6 @@
+sonar.projectKey=openremote_proxy
+sonar.organization=openremote
+
+sonar.shell.activate=true
+sonar.docker.activate=true
+sonar.githubactions.activate=true