Static code analysis with GitHub

I previously wrote about the Violation Comments to Bitbucket Server plugin for Jenkins. I wanted to do the same thing with GitHub and Travis; here is the result.

[Screenshot: violation comment in a GitHub pull request]

You may also have a look at the violations-test repo, where I have a live demo of this.

Every time I push to a pull request, or to its target branch, Travis performs static code analysis and reports the findings back to GitHub as comments on the pull request. I created a Maven plugin and a Gradle plugin to make this possible. I also created a Jenkins plugin.

The plugins support the same report formats as violations-lib:

Many more formats are planned, and pull requests are very welcome!

This will not work in Travis for pull requests from forked repositories, but it works fine for pull requests opened from branches in the same repository. That is a limitation in Travis, not in the plugins used for reporting: Travis does not expose encrypted environment variables to builds of pull requests from forks (a fork could otherwise change the build script and read the token), so such a build has no credentials to comment with. If you want to do this on pull requests from forked repos, you can use a privately hosted build server. I created a Jenkins plugin that can be used for building pull requests from forked repositories. You may also use the Maven plugin or Gradle plugin for that.

Here is how to set it up in Travis.

Travis setup

You need a user that is allowed to post comments on the pull request. You may use that user's username and password, or an OAuth2 token. I will use an OAuth2 token in this example. Here is how to create one with the GitHub Authorizations API (GitHub has since removed this API; on current GitHub, create a personal access token under your account settings instead). Whichever way you create it, limit the token to the scopes it needs: public_repo is enough for commenting on public repositories, and repo is required for private ones. A token with broader scopes than that is an unnecessary risk if the build environment is ever compromised.

curl -u 'yourgithubuser' -d '{"note":"Violation comments"}' https://api.github.com/authorizations

It will prompt for your password and return a JSON document containing the token. If the account has two-factor authentication enabled, the request must also carry the one-time code in an X-GitHub-OTP header.

You need to add it to .travis.yml. Travis provides a tool for encrypting the token with your repository's public key, so the plaintext never has to be committed:

sudo apt-get install ruby-dev  
gem install travis  
# run from inside the repository clone so the correct repository key is used  
travis encrypt GITHUB_OAUTH2TOKEN=YOUR_TOKEN_HERE  

Add the encrypted token to your .travis.yml under env. I'm including the Gradle task here as well:

sudo: false  
language: java  
env:  
  - secure: "YOUR ENCRYPTED TOKEN HERE"
jdk:  
  - oraclejdk7
script:  
  - ./gradlew build violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$TRAVIS_PULL_REQUEST -DGITHUB_OAUTH2TOKEN=$GITHUB_OAUTH2TOKEN -i --stacktrace
notifications:  
  email: false
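Two cases fall out of the setup above that the script line does not handle: push builds of the target branch, where Travis sets TRAVIS_PULL_REQUEST to the literal string "false", and pull requests from forks, where Travis withholds the encrypted token and $GITHUB_OAUTH2TOKEN is empty. The following is an added example, not code from the original post or from the plugins, of a small POSIX shell helper that decides whether the comment task should run, validates the pull request id before it reaches Gradle, and hands the token to the build through the environment rather than on the command line (so it does not show up in the process list on the build host or in shell tracing). The function names, the file name ci-gradle-args.sh and the use of TRAVIS_SECURE_ENV_VARS as the fork signal are assumptions for this example; Travis does set that variable to "true" or "false" depending on whether encrypted variables were made available.

```shell
#!/bin/sh
# Added example, not part of the original post or the violations plugins.
# Decides, from the Travis environment, whether violationCommentsToGitHub
# should run, and builds the Gradle argument list accordingly.
#
# Inputs (all assumed to be passed in, so the logic is testable offline):
#   $1  TRAVIS_PULL_REQUEST       "false" on push builds, else the PR number
#   $2  TRAVIS_SECURE_ENV_VARS    "true" only when encrypted vars were decrypted
#   $3  GITHUB_OAUTH2TOKEN        the decrypted token, empty on fork PR builds

should_comment() {
  pr="$1"
  secure="$2"
  token="$3"
  # Push/branch builds have nothing to comment on.
  [ "$pr" != "false" ] || return 1
  # Fork pull requests: Travis withheld the secure variables, so there is
  # no credential to post with. Skip quietly instead of failing the build.
  [ "$secure" = "true" ] || return 1
  [ -n "$token" ] || return 1
  # Only a plain number may be forwarded as the pull request id; anything
  # else would be interpolated into the Gradle command line.
  case "$pr" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Prints the task list and -D properties for ./gradlew. The token itself is
# deliberately NOT placed here: the plugin can read it from the environment
# (build.gradle: oAuth2Token = System.getenv('GITHUB_OAUTH2TOKEN')).
gradle_args() {
  if should_comment "$1" "$2" "$3"; then
    printf '%s\n' "build violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$1"
  else
    printf '%s\n' "build"
  fi
}

# Intended use in .travis.yml (file name assumed):
#   script:
#     - ./gradlew $(sh ci-gradle-args.sh) -i
# Outside Travis the variables are unset, so this prints just "build".
gradle_args "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_SECURE_ENV_VARS:-false}" "${GITHUB_OAUTH2TOKEN:-}"
```

With this in place a fork pull request still gets a full `build` (compilation, tests and the analysis tools run), only the comment step is skipped, and the same is true for ordinary branch builds. If you keep the original `-DGITHUB_OAUTH2TOKEN=$GITHUB_OAUTH2TOKEN` style instead, the token is at least masked by Travis in the build log, but it remains visible to any process on the build host that can read the command line of the Gradle JVM.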

Now you need to edit your build.gradle to include the plugin. As mentioned above, there is also a Maven plugin with exactly the same functionality. This blog post may not be up to date, so it is best to check the Gradle plugin page for the latest version and configuration. But here is an example:

  buildscript {
    repositories {
      maven {
        url "https://plugins.gradle.org/m2/"
      }
    }
    dependencies {
      classpath "se.bjurr.violations:violation-comments-to-github-gradle-plugin:1.1"
    }
  }

  apply plugin: "se.bjurr.violations.violation-comments-to-github-gradle-plugin"

  task violationCommentsToGitHub(type: se.bjurr.violations.comments.github.plugin.gradle.ViolationCommentsToGitHubTask) {
   repositoryOwner = "tomasbjerre"
   repositoryName = "violations-test"
   // supplied by Travis through -DGITHUB_PULLREQUESTID=$TRAVIS_PULL_REQUEST
   pullRequestId = System.properties['GITHUB_PULLREQUESTID']
   // either username/password or an OAuth2 token; only one of them needs to be set
   username = System.properties['GITHUB_USERNAME']
   password = System.properties['GITHUB_PASSWORD']
   oAuth2Token = System.properties['GITHUB_OAUTH2TOKEN']
   gitHubUrl = "https://api.github.com/"
   createCommentWithAllSingleFileComments = false
   createSingleFileComments = true
   // each entry: report format, folder to search from, regex matched against report file paths
   violations = [
    ["FINDBUGS",   ".", ".*/findbugs/.*\\.xml\$"],
    ["PMD",        ".", ".*/pmd/.*\\.xml\$"],
    ["CHECKSTYLE", ".", ".*/checkstyle/.*\\.xml\$"],
    ["JSHINT",     ".", ".*/jshint/.*\\.xml\$"],
    ["CSSLINT",    ".", ".*/csslint/.*\\.xml\$"]
   ]
  }

Now all you need to do is run the task from the build script. As you saw above, this is the line that does it:

 script:
  - ./gradlew build violationCommentsToGitHub -DGITHUB_PULLREQUESTID=$TRAVIS_PULL_REQUEST -DGITHUB_OAUTH2TOKEN=$GITHUB_OAUTH2TOKEN -i