# Multi-Branch Scanning ## Introduction This document explains how to set up GitHub Actions workflows to perform CodeScan static analysis on a repository, including a baseline scan for the main branch and multi-branch scanning. Due to limitations in CodeScan/Sonar, special steps are required to manage the master/main branch creation. ## YAML Files Overview
YAMLPurposeNotes
First YAML Option 1Baseline scan on main branch (flexible push/PR)Uses ubuntu-latest; scans changed files only; generates SARIF.
First YAML Option 2Baseline scan on main branch (restricted to main)Uses ubuntu-latest; fails on red quality gate; requires secrets for login.
Second YAMLMulti-branch scanRuns on any branch; push = standard branch analysis; PR = comparison analysis.
## First YAML – Baseline Scan Options ### Option 1 name: CI\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ on:\ push:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ pull\_request:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ jobs:\ build:\ runs-on: ubuntu-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.pullrequest.branch=${{github.head\_ref}}\ sonar.pullrequest.base=${{github.base\_ref}}\ sonar.pullrequest.key=${{github.event.number}}\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif\ path: codescan.sarif *** ### Option 2 name: CI\ on:\ push:\ branches: \[main]\ pull\_request:\ branches: \[main]\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ jobs:\ build:\ runs-on: ubuntu-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ failOnRedQualityGate: true\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ scanChangedFilesOnly: true\ generateSarifFile: true\ failOnRedQualityGate: true\ args: |\ sonar.pullrequest.branch=${{github.head\_ref}}\ sonar.pullrequest.base=${{github.base\_ref}}\ sonar.pullrequest.key=${{github.event.number}}\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif\ path: codescan.sarif *** ## Handling Master/Main Branch Issue * After the first scan, a master branch may exist in CodeScan. * When switching to the second YAML, pushing to main may create an extra main branch. Steps to resolve: 1. Delete the newly created main branch in CodeScan. 2. Rename the master branch to main. 3. Confirm the baseline analysis is associated with the main. *** ## Second YAML – Multi-Branch Scan name: CI\ env:\ SONAR\_SCANNER\_VERSION: 5.0.1.3006\ SONAR\_SOURCES: force-app\ on:\ push:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ pull\_request:\ branches:\ \- '\*'\ paths-ignore:\ \- src/test/java/\*\*\ \- target/\*\*\ jobs:\ build:\ runs-on: macos-latest\ steps:\ \- name: Checkout repository\ uses: actions/checkout\@v4\ with:\ fetch-depth: 0\ \- name: Cache files\ uses: actions/cache\@v4\ with:\ path: |\ \~/.sonar\ key: ${{ runner.os }}-sonar\ restore-keys: ${{ runner.os }}-sonar\ \- name: Run Codescan On Push\ if: github.event\_name == 'push'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.branch.name=${{ github.ref\_name }}\ sonar.sources=${{ env.SONAR\_SOURCES }}\ sonar.exclusions=target/\*\*,src/test/java/\*\*\ \- name: Run Codescan On PR\ if: github.event\_name == 'pull\_request'\ uses: codescan-io/codescan-scanner-action\@1.6\ with:\ scanChangedFilesOnly: true\ organization: 'Enter organization key here'\ projectKey: 'Enter project key here'\ codeScanUrl: 'Enter your instance URL'\ login: ${{ secrets.codescan\_token }}\ generateSarifFile: true\ args: |\ sonar.pullrequest.key=${{ github.event.pull\_request.number }}\ sonar.pullrequest.branch=${{ github.head\_ref }}\ sonar.pullrequest.base=${{ github.base\_ref }}\ sonar.sources=${{ env.SONAR\_SOURCES }}\ sonar.exclusions=target/\*\*,src/test/java/\*\*\ \- name: Upload SARIF file\ uses: github/codeql-action/upload-sarif\@v3\ with:\ sarif\_file: codescan.sarif\ \- name: Archive code coverage results\ uses: actions/upload-artifact\@v4\ with:\ name: codescan.sarif *** ## Step-by-Step Workflow 1. Initial Baseline Scan * Add first YAML (Option 1 or 2) to scan main branch. * Push and verify baseline scan on CodeScan. 2. Branch Adjustment * Replace YAML with second YAML * Delete extra main branch in CodeScan if created. * Rename master to main. 3. Multi-Branch Scanning. * Push to other branches to enable scanning. * Verify SARIF upload and analysis in GitHub. *** ## Notes & Considerations * Sonar/CodeScan limitations require the baseline to be on main/master first. * Always fetch full history for PR analysis (fetch-depth: 0). * SONAR\_SOURCES: force-app Incase folder structure is other than DX * SONAR\_SOURCES: src (or) .(. here represents the ROOT FOLDER) * Specifying Root Folder, CodeScan always scans the Root folder mentioned and files within it. * In scenarios where the customer has multiple root folders, using (.) will make sure every root folder in the repo is scanned. ***