# Sonar Runner — CI Image Pre-baked build environment for KollectAI-ETL's SonarQube unified scan workflow. Extends [`ci/java-builder`](../java-builder/) with the standalone `sonar-scanner` CLI. ## What's included Everything from [`java-builder`](../java-builder/) (Java 25, Maven 3.9.x, Node + pnpm, buf, ORAS, OWASP NVD database, jq/git/curl), plus: - `sonar-scanner` CLI at `/opt/sonar-scanner` with its `bin/` on `PATH` ## Build ```bash # Prerequisite: java-builder must already exist in the registry. docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/ docker push kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ``` ### Build args | Arg | Default | Description | |-----|---------|-------------| | `REGISTRY` | `kcr.kollect.biz` | Registry hostname for the parent `java-builder` pull | | `JAVA_BUILDER_TAG` | `latest` | Tag of `java-builder` to extend | | `SONAR_SCANNER_VERSION` | `8.1.0.6389` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` | ## Usage in CI ```yaml jobs: scan: runs-on: ubuntu-latest container: image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest steps: - uses: actions/checkout@v6 with: fetch-depth: 0 # blame-aware analysis - run: ./mvnw -f backend/pom.xml compile test-compile -DskipTests -q - run: sonar-scanner env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} ``` No more runtime `curl`-install or cache restore step — the scanner is on `PATH` from the moment the container starts. ## Maintenance - Sonar-scanner version bump: edit the `SONAR_SCANNER_VERSION` ARG default and rebuild. Keep the matching `SONAR_SCANNER_VERSION` env in `KollectAI-ETL/.gitea/workflows/sonar.yml` in sync. - Java/Maven/etc. bumps: just rebuild — they come from the parent `java-builder` image. - Build order: `java-builder` first, then `sonar-runner`. The CI workflow's auto-discovery handles this naturally as long as both images exist; for manual builds invoke them in that order.