Docker-Images/ci/sonar-runner

Sonar Runner — CI Image

Pre-baked build environment for KollectAI-ETL's SonarQube unified scan workflow. Extends ci/java-builder with the standalone sonar-scanner CLI.

What's included

Everything from java-builder (Java 25, Maven 3.9.x, Node + pnpm, buf, ORAS, OWASP NVD database, jq/git/curl), plus:

• sonar-scanner CLI at /opt/sonar-scanner with its bin/ on PATH

Build

# Prerequisite: java-builder must already exist in the registry.
docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
docker push kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest

Build args

Arg	Default	Description
REGISTRY	kcr.kollect.biz	Registry hostname for the parent java-builder pull
JAVA_BUILDER_TAG	latest	Tag of java-builder to extend
SONAR_SCANNER_VERSION	8.1.0.6389	Bump in lockstep with KollectAI-ETL/.gitea/workflows/sonar.yml's SONAR_SCANNER_VERSION

Usage in CI

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0   # blame-aware analysis
      - run: ./mvnw -f backend/pom.xml compile test-compile -DskipTests -q
      - run: sonar-scanner
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

No more runtime curl-install or cache restore step — the scanner is on PATH from the moment the container starts.

Maintenance

• Sonar-scanner version bump: edit the SONAR_SCANNER_VERSION ARG default and rebuild. Keep the matching SONAR_SCANNER_VERSION env in KollectAI-ETL/.gitea/workflows/sonar.yml in sync.
• Java/Maven/etc. bumps: just rebuild — they come from the parent java-builder image.
• Build order: java-builder first, then sonar-runner. The CI workflow's auto-discovery handles this naturally as long as both images exist; for manual builds invoke them in that order.