A SonarQube-like static analysis CLI for multi-language repositories.
Project description
supersonar
supersonar is a lightweight, SonarQube-inspired static analysis CLI for multi-language repositories.
It is designed for local use and CI pipelines via pip install (Python 3.10+).
Quick start
pip install .
supersonar scan . --format json
Pipeline install (pip)
Use an isolated environment in CI:
python -m venv .venv
. .venv/bin/activate
python -m pip install --upgrade pip
python -m pip install supersonar
supersonar --version
supersonar scan . --format sarif --out reports/supersonar.sarif
Or install from repository source directly:
python -m pip install "git+https://github.com/mortaccio/supersonar.git@main"
The scanner performs real code checks (AST + regex), including:
- dynamic execution (
eval/exec) - broad exception handlers
subprocess.*(..., shell=True)in Python- unsafe
yaml.load(...)in Python - hardcoded secret-like assignments
- private key block markers (for example
BEGIN ... PRIVATE KEY) - TODO/FIXME markers
- unresolved merge conflict markers
Python files use AST rules. Other file types use generic cross-language text rules.
CI usage
pip install supersonar
supersonar scan . \
--format sarif \
--out reports/supersonar.sarif \
--fail-on high \
--max-high 0 \
--max-critical 0 \
--coverage-xml coverage.xml \
--min-coverage 80
Config (supersonar.toml)
[scan]
exclude = [".git", ".venv", "venv", "build", "dist", "__pycache__"]
include_extensions = [".py", ".java", ".js", ".ts", ".go", ".rs", ".cs", ".yaml", ".yml", ".json", ".toml"]
include_filenames = ["Dockerfile", "Jenkinsfile", "Makefile"]
max_file_size_kb = 1024
coverage_xml = "coverage.xml"
[quality_gate]
fail_on = "high"
max_issues = 200
max_files_with_issues = 25
max_high = 0
max_critical = 0
min_coverage = 80.0
[report]
format = "json"
Use CLI overrides when needed:
supersonar scan . --include-ext .java --include-ext .kt --include-file Dockerfile
Quality gates
fail_on: fail if any issue exists at/above severitymax_issues: fail if total issues exceed thresholdmax_files_with_issues: fail if number of files with at least one issue exceeds thresholdmax_low,max_medium,max_high,max_critical: per-severity capsmin_coverage: minimum line coverage percentage from Cobertura XML
Generate coverage.xml in Python projects with:
python -m pip install coverage
coverage run -m pytest
coverage xml -o coverage.xml
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file supersonar-0.3.2.tar.gz.
File metadata
- Download URL: supersonar-0.3.2.tar.gz
- Upload date:
- Size: 14.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0db49165643c3ed76717a10c23adb516c121c18a57e32b2ceb345330fece2c65
|
|
| MD5 |
58e493a09620bce7461901caf6bb1e6b
|
|
| BLAKE2b-256 |
7cbd4a6c8afbb2c3cc64508dff3cd590de2270c307b2c3b12edba47e89ac58bb
|
File details
Details for the file supersonar-0.3.2-py3-none-any.whl.
File metadata
- Download URL: supersonar-0.3.2-py3-none-any.whl
- Upload date:
- Size: 14.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dd9545e4e1770e02251756be13c7d533fc4298049f3e6882f9117d9d4b060cb7
|
|
| MD5 |
7ceab4a120c25622a054d368b809eb66
|
|
| BLAKE2b-256 |
1cdac03c977128c7ef463b309904d2ea2fbb0b2cd1b0896f03c85caaeb1a7534
|
